Thank you Tim.
Attached is the last set of patches from me for SSL testing.
I will apply these to wget2 and start working on wget2 from now.
Best,
Vijo.
On Wed, Apr 19, 2017 at 4:12 AM, Tim Rühsen <tim.rueh...@gmx.de> wrote:
> Hi Vijo,
>
> On 04/18/2017 06:56 PM, Vijo Cherian wrote:
> > Added a framework for perl based SSL tests, and some tests to start with.
> > In case this is of interest, I will add more tests for SSL: client
> > certificates, CRLs, negative tests etc.
> > Also not included : making these tests a part of "make check".
> >
> > TESTING : only on ubuntu 16
>
> thank you for this contribution !
>
> Your commit has been slightly amended (trailing white space removed,
> commit message changed to GNU style) and pushed to master.
>
> Maybe you are interested to inspect Wget2 testing to see if your tests
> are already covered there. If not we would be pleased if you could add
> them there as well.
>
> Just 'git clone https://github.com/rockdaboot/wget2' and jump in !
>
> Regards, Tim
>
>
From 34ad8c8ce4e4c90b1eb8c57c2d8d112be8d1f427 Mon Sep 17 00:00:00 2001
From: Vijo Cherian <coderv...@gmail.com>
Date: Fri, 21 Apr 2017 12:34:16 -0700
Subject: [PATCH] Added new tests for SSL
* tests/Test-https-badcerts.px : New file
* tests/Test-https-clientcert.px : New file
* tests/Test-https-crl.px : New file
* tests/Test-https-weboftrust.px : New file
* tests/certs/interca.conf : New file
* tests/certs/rootca.conf : New file
* tests/certs/test-ca-key.pem : New file
Added all new SSL / HTTPS tests to make check
Added Test for SSL Web of Trust, accept only if CA chain of trust is intact.
Added a test script for client certificate
Added Test for crlfile option of wget
Added test to make sure that wget doesn't accept expired or invalid certs
Some clean up : Removed cause of warnings from perl & other cosmetic changes
---
tests/Makefile.am | 10 ++-
tests/SSLServer.pm | 15 ++--
tests/Test-https-badcerts.px | 147 ++++++++++++++++++++++++++++++++++++++
tests/Test-https-clientcert.px | 142 +++++++++++++++++++++++++++++++++++++
tests/Test-https-crl.px | 142 +++++++++++++++++++++++++++++++++++++
tests/Test-https-pfs.px | 2 +-
tests/Test-https-selfsigned.px | 10 ++-
tests/Test-https-tlsv1.px | 2 +-
tests/Test-https-tlsv1x.px | 2 +-
tests/Test-https-weboftrust.px | 155 +++++++++++++++++++++++++++++++++++++++++
tests/certs/interca.conf | 64 +++++++++++++++++
tests/certs/rootca.conf | 64 +++++++++++++++++
tests/certs/test-ca-key.pem | 58 +++++++++++++++
13 files changed, 799 insertions(+), 14 deletions(-)
create mode 100755 tests/Test-https-badcerts.px
create mode 100755 tests/Test-https-clientcert.px
create mode 100755 tests/Test-https-crl.px
create mode 100755 tests/Test-https-weboftrust.px
create mode 100644 tests/certs/interca.conf
create mode 100644 tests/certs/rootca.conf
create mode 100644 tests/certs/test-ca-key.pem
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c27c4ce..367a8c0 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -128,7 +128,15 @@ PX_TESTS = \
Test--start-pos--continue.px \
Test--httpsonly-r.px \
Test-204.px \
- Test-ftp-pasv-not-supported.px
+ Test-ftp-pasv-not-supported.px \
+ Test-https-pfs.px \
+ Test-https-tlsv1.px \
+ Test-https-tlsv1x.px \
+ Test-https-selfsigned.px \
+ Test-https-weboftrust.px \
+ Test-https-clientcert.px \
+ Test-https-crl.px \
+ Test-https-badcerts.px
EXTRA_DIST = FTPServer.pm FTPTest.pm HTTPServer.pm HTTPTest.pm \
WgetTests.pm WgetFeature.pm WgetFeature.cfg $(PX_TESTS) \
diff --git a/tests/SSLServer.pm b/tests/SSLServer.pm
index ed121b1..c0fabfd 100644
--- a/tests/SSLServer.pm
+++ b/tests/SSLServer.pm
@@ -30,12 +30,12 @@ my $sslsock;
my $plaincon;
my %args;
-$HTTP::Daemon::DEBUG=5;
+#$HTTP::Daemon::DEBUG=5;
#*DEBUG = \$HTTP::Daemon::DEBUG;
$args{SSL_error_trap} ||= \&ssl_error;
-my $class = shift;
+my $class = 'SSLServer';
my $self = {};
$self = bless $self, $class;
@@ -86,7 +86,7 @@ sub accept
if ($sock) {
${*$sock}{'httpd_daemon'} = $self;
${*$self}{'httpd_daemon'} = $sock;
- my $fileno = ${*$self}{'_SSL_fileno'} = fileno($self);
+ my $fileno = ${*$self}{'_SSL_fileno'} = &fileno($self);
my $f = $sock->fileno;
return wantarray ? ($sock, $peer) : $sock;
}
@@ -157,19 +157,21 @@ sub run
{
my ($self, $urls, $synch_callback) = @_;
my $initialized = 0;
+ my $sslsock;
while (1)
{
if (!$initialized)
{
+ $sslsock = $self->ssl_setup_conn();
+ $sslsock || warn "Failed to get ssl sock";
+
$initialized = 1;
open (LOGFILE, '>', "/tmp/wgetserver.log");
LOGFILE->autoflush(1);
print LOGFILE "Starting logging";
+ $synch_callback->() if $synch_callback;
}
- my $sslsock = $self->ssl_setup_conn();
- $sslsock || warn "Failed to get ssl sock";
- $synch_callback->() if $synch_callback;
my $con = $self->accept();
${*$self}{'sslcon'} = $con;
@@ -216,7 +218,6 @@ sub run
print LOGFILE "Closing connection\n" if $log;
close(LOGFILE);
$con->close();
- last;
}
}
diff --git a/tests/Test-https-badcerts.px b/tests/Test-https-badcerts.px
new file mode 100755
index 0000000..97f11f5
--- /dev/null
+++ b/tests/Test-https-badcerts.px
@@ -0,0 +1,147 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+use POSIX;
+
+use SSLTest;
+
+###############################################################################
+
+# code, msg, headers, content
+my %urls = (
+ '/somefile.txt' => {
+ code => "200",
+ msg => "Dontcare",
+ headers => {
+ "Content-type" => "text/plain",
+ },
+ content => "blabla",
+ },
+);
+
+my $cdir = $ENV{'PWD'};
+
+# HOSTALIASES env variable allows us to create hosts file alias.
+my $testhostname = "wgettesterr";
+my $testhostfile = "$cdir/wgethosts";
+open(my $fh, '>', $testhostfile);
+print $fh "$testhostname 127.0.0.1\n";
+close $fh;
+$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
+
+# Create certindex
+open CERTID, ">", "$cdir/certs/certindex" or
+ warn "Cannot overwrite file $cdir/certs/certindex";
+close CERTID;
+
+# Create certserial
+open CERTSN, ">", "$cdir/certs/certserial" or
+ warn "Cannot overwrite file $cdir/certs/certserial";
+print CERTSN "1122";
+close CERTSN;
+
+# Create crlnumber
+open CRLN, ">", "$cdir/certs/crlnumber" or
+ warn "Cannot overwrite file $cdir/certs/crlnumber";
+print CRLN "1122";
+close CRLN;
+
+my $caconf = "$cdir/certs/rootca.conf";
+my $cacrt = "$cdir/certs/test-ca-cert.pem";
+my $cakey = "$cdir/certs/test-ca-key.pem";
+
+# Prepare expired server certificate
+my $servercrt = "certs/tmpserver.crt";
+my $serverkey = "certs/tmpserver.key";
+my $servercsr = "$cdir/certs/tmpserver.csr";
+my $enddate = strftime "%y%m%d%H%M%S%z", localtime(time-86400);
+my $startdate = strftime "%y%m%d%H%M%S%z", localtime(time+86400);
+my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=".
+ "$testhostname/emailAddress=servertester";
+my $servercmd = "openssl genrsa -out $serverkey 4096 && openssl req -new".
+ " -sha256 -key $serverkey -out $servercsr -days 365 ".
+ " -subj \"$serversubj\" &&".
+ "openssl ca -batch -config $caconf -notext ".
+ "-enddate $enddate -in $servercsr".
+ " -out $servercrt";
+system($servercmd);
+
+my $servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ;
+ openssl rsa -noout -modulus -in $serverkey | openssl md5) |
+ uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $servercrt && -e $serverkey && $servercheck == 1)
+{
+ exit 77; # skip
+}
+
+# Try Wget using SSL with expired cert. Expect Failure.
+my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt".
+ " https://$testhostname:55443/somefile.txt";;
+my $expected_error_code = 5;
+my %existing_files = (
+);
+
+my %expected_downloaded_files = (
+ 'somefile.txt' => {
+ content => "blabla",
+ },
+);
+
+my $sslsock = SSLTest->new(cmdline => $cmdline,
+ input => \%urls,
+ errcode => $expected_error_code,
+ existing => \%existing_files,
+ output => \%expected_downloaded_files,
+ certfile => $servercrt,
+ keyfile => $serverkey,
+ lhostname => $testhostname);
+if ($sslsock->run() == 0)
+{
+ exit -1;
+}
+print "Test successful.\n";
+
+system("/bin/rm $servercrt $serverkey $servercsr");
+$servercmd = "openssl genrsa -out $serverkey 4096 && openssl req -new".
+ " -sha256 -key $serverkey -out $servercsr -days 365 ".
+ " -subj \"$serversubj\" &&".
+ "openssl ca -batch -config $caconf -notext ".
+ " -startdate $startdate -in $servercsr".
+ " -out $servercrt";
+system($servercmd);
+
+$servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ;
+ openssl rsa -noout -modulus -in $serverkey | openssl md5) |
+ uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $servercrt && -e $serverkey && $servercheck == 1)
+{
+ exit 77; # skip
+}
+
+
+# Retry the test with --no-check-certificate. expect success
+$cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt".
+ " https://$testhostname:55443/somefile.txt";;
+
+$expected_error_code = 5;
+
+my $retryssl = SSLTest->new(cmdline => $cmdline,
+ input => \%urls,
+ errcode => $expected_error_code,
+ existing => \%existing_files,
+ output => \%expected_downloaded_files,
+ certfile => $servercrt,
+ keyfile => $serverkey,
+ lhostname => $testhostname);
+if ($retryssl->run() == 0)
+{
+ exit 0;
+}
+else
+{
+ exit -1;
+}
+# vim: et ts=4 sw=4
diff --git a/tests/Test-https-clientcert.px b/tests/Test-https-clientcert.px
new file mode 100755
index 0000000..e069f8b
--- /dev/null
+++ b/tests/Test-https-clientcert.px
@@ -0,0 +1,142 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+
+use SSLTest;
+
+###############################################################################
+
+# code, msg, headers, content
+my %urls = (
+ '/somefile.txt' => {
+ code => "200",
+ msg => "Dontcare",
+ headers => {
+ "Content-type" => "text/plain",
+ },
+ content => "blabla",
+ },
+);
+
+my $cdir = $ENV{'PWD'};
+
+# HOSTALIASES env variable allows us to create hosts file alias.
+my $testhostname = "wgettesterr";
+my $testhostfile = "$cdir/wgethosts";
+open(my $fh, '>', $testhostfile);
+print $fh "$testhostname 127.0.0.1\n";
+close $fh;
+$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
+
+# Create certindex
+open CERTID, ">", "$cdir/certs/certindex" or
+ warn "Cannot overwrite file $cdir/certs/certindex";
+close CERTID;
+
+# Create certserial
+open CERTSN, ">", "$cdir/certs/certserial" or
+ warn "Cannot overwrite file $cdir/certs/certserial";
+print CERTSN "1122";
+close CERTSN;
+
+# Create crlnumber
+open CRLN, ">", "$cdir/certs/crlnumber" or
+ warn "Cannot overwrite file $cdir/certs/crlnumber";
+close CRLN;
+
+my $caconf = "$cdir/certs/rootca.conf";
+my $cacrt = "$cdir/certs/test-ca-cert.pem";
+my $cakey = "$cdir/certs/test-ca-key.pem";
+
+# Prepare server certificate
+my $servercrt = "certs/tmpserver.crt";
+my $serverkey = "certs/tmpserver.key";
+my $servercsr = "$cdir/certs/tmpserver.csr";
+my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=".
+ "$testhostname/emailAddress=servertester";
+my $servercmd = "openssl genrsa -out $serverkey 4096 && openssl req -new".
+ " -sha256 -key $serverkey -out $servercsr -days 365 ".
+ " -subj \"$serversubj\" &&".
+ "openssl ca -batch -config $caconf -notext -in $servercsr".
+ " -out $servercrt";
+
+system($servercmd);
+my $servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ;
+ openssl rsa -noout -modulus -in $serverkey | openssl md5) |
+ uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $servercrt && -e $serverkey && $servercheck == 1)
+{
+ exit 77; # skip
+}
+
+# Prepare client certifcate
+my $clientcert = "$cdir/certs/client.crt";
+my $clientkey = "$cdir/certs/client.key";
+my $clientcsr = "$cdir/certs/client.csr";
+my $clientsubj = "/C=US/ST=CA/L=Client Mystery Spot/O=Client/CN=".
+ "Client Tester/emailAddress=clienttester";
+my $clientcertcmd = "openssl genrsa -out $clientkey 4096 &&".
+ " openssl req -new -key $clientkey -out $clientcsr".
+ " -subj \"$clientsubj\" &&".
+ " openssl ca -config $caconf -in $clientcsr ".
+ " -out $clientcert -batch";
+
+system($clientcertcmd);
+my $clientcheck=`(openssl x509 -noout -modulus -in $clientcert | openssl md5 ;
+ openssl rsa -noout -modulus -in $clientkey | openssl md5) |
+ uniq | wc -l`;
+
+# Check if signed certificate and key are made correctly.
+unless(-e $clientcert && -e $clientkey && $clientcheck == 1)
+{
+ exit 77; # skip
+}
+
+# Try Wget using SSL with mismatched client cert & key . Expect error
+my $cmdline = $WgetTest::WGETPATH . " --certificate=$clientcert ".
+ " --private-key=$serverkey ".
+ " --ca-certificate=$cacrt".
+ " https://$testhostname:55443/somefile.txt";;
+my $expected_error_code = 5;
+my %existing_files = (
+);
+
+my %expected_downloaded_files = (
+ 'somefile.txt' => {
+ content => "blabla",
+ },
+);
+
+my $sslsock = SSLTest->new(cmdline => $cmdline,
+ input => \%urls,
+ errcode => $expected_error_code,
+ existing => \%existing_files,
+ output => \%expected_downloaded_files,
+ certfile => $servercrt,
+ keyfile => $serverkey,
+ lhostname => $testhostname);
+if ($sslsock->run() == 0)
+{
+ exit 0;
+}
+
+# Retry wget using SSL with client certificate. Expect success
+$cmdline = $WgetTest::WGETPATH . " --certificate=$clientcert".
+ " --private-key=$clientkey ".
+ " --ca-certificate=$cacrt".
+ " https://$testhostname:55443/somefile.txt";;
+
+$expected_error_code = 0;
+
+my $retryssl = SSLTest->new(cmdline => $cmdline,
+ input => \%urls,
+ errcode => $expected_error_code,
+ existing => \%existing_files,
+ output => \%expected_downloaded_files,
+ certfile => $servercrt,
+ keyfile => $serverkey,
+ lhostname => $testhostname);
+exit $retryssl->run();
+# vim: et ts=4 sw=4
diff --git a/tests/Test-https-crl.px b/tests/Test-https-crl.px
new file mode 100755
index 0000000..a63dc45
--- /dev/null
+++ b/tests/Test-https-crl.px
@@ -0,0 +1,142 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+
+use SSLTest;
+
+###############################################################################
+
+# code, msg, headers, content
+my %urls = (
+ '/somefile.txt' => {
+ code => "200",
+ msg => "Dontcare",
+ headers => {
+ "Content-type" => "text/plain",
+ },
+ content => "blabla",
+ },
+);
+
+my $cdir = $ENV{'PWD'};
+
+# HOSTALIASES env variable allows us to create hosts file alias.
+my $testhostname = "wgettesterr";
+my $testhostfile = "$cdir/wgethosts";
+open(my $fh, '>', $testhostfile);
+print $fh "$testhostname 127.0.0.1\n";
+close $fh;
+$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
+
+# Create certindex
+open CERTID, ">", "$cdir/certs/certindex" or
+ warn "Cannot overwrite file $cdir/certs/certindex";
+close CERTID;
+
+# Create certserial
+open CERTSN, ">", "$cdir/certs/certserial" or
+ warn "Cannot overwrite file $cdir/certs/certserial";
+print CERTSN "1122";
+close CERTSN;
+
+# Create crlnumber
+open CRLN, ">", "$cdir/certs/crlnumber" or
+ warn "Cannot overwrite file $cdir/certs/crlnumber";
+print CRLN "1122";
+close CRLN;
+
+my $caconf = "$cdir/certs/rootca.conf";
+my $cacrt = "$cdir/certs/test-ca-cert.pem";
+my $cakey = "$cdir/certs/test-ca-key.pem";
+
+# Prepare server certificate
+my $servercrt = "certs/tmpserver.crt";
+my $serverkey = "certs/tmpserver.key";
+my $servercsr = "$cdir/certs/tmpserver.csr";
+my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=".
+ "$testhostname/emailAddress=servertester";
+my $servercmd = "openssl genrsa -out $serverkey 4096 && openssl req -new".
+ " -sha256 -key $serverkey -out $servercsr -days 365 ".
+ " -subj \"$serversubj\" &&".
+ "openssl ca -batch -config $caconf -notext -in $servercsr".
+ " -out $servercrt";
+
+system($servercmd);
+
+my $servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ;
+ openssl rsa -noout -modulus -in $serverkey | openssl md5) |
+ uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $servercrt && -e $serverkey && $servercheck == 1)
+{
+ exit 77; # skip
+}
+
+# Try Wget using SSL first without --no-check-certificate. Expect Success.
+my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt".
+ " https://$testhostname:55443/somefile.txt";;
+my $expected_error_code = 0;
+my %existing_files = (
+);
+
+my %expected_downloaded_files = (
+ 'somefile.txt' => {
+ content => "blabla",
+ },
+);
+
+my $sslsock = SSLTest->new(cmdline => $cmdline,
+ input => \%urls,
+ errcode => $expected_error_code,
+ existing => \%existing_files,
+ output => \%expected_downloaded_files,
+ certfile => $servercrt,
+ keyfile => $serverkey,
+ lhostname => $testhostname);
+if ($sslsock->run() != 0)
+{
+ exit -1;
+}
+
+# Revoke the certificate
+my $crlfile = "$cdir/certs/servercrl.pem";
+my $revokecmd = "openssl ca -config $caconf -revoke $servercrt &&
+ openssl ca -config $caconf -gencrl -keyfile $cakey ".
+ "-cert $cacrt -out $crlfile";
+
+system($revokecmd);
+# Check if CRL file is generated.
+unless(-e $crlfile)
+{
+ exit 77; # skip
+}
+
+# To read a CRL file use the following command:
+# openssl crl -text -in certs/root.crl.pem
+
+# Retry the test with CRL. Expect Failure.
+$cmdline = $WgetTest::WGETPATH . " --crl-file=$crlfile ".
+ " --ca-certificate=$cacrt".
+ " https://$testhostname:55443/somefile.txt";;
+
+$expected_error_code = 5;
+
+my $retryssl = SSLTest->new(cmdline => $cmdline,
+ input => \%urls,
+ errcode => $expected_error_code,
+ existing => \%existing_files,
+ output => \%expected_downloaded_files,
+ certfile => $servercrt,
+ keyfile => $serverkey,
+ lhostname => $testhostname);
+if ($retryssl->run() == 0)
+{
+ exit -1;
+}
+else
+{
+ print "Test successful.\n";
+ exit 0;
+}
+# vim: et ts=4 sw=4
diff --git a/tests/Test-https-pfs.px b/tests/Test-https-pfs.px
index f23dd37..6b43ccf 100755
--- a/tests/Test-https-pfs.px
+++ b/tests/Test-https-pfs.px
@@ -45,6 +45,6 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
errcode => $expected_error_code,
existing => \%existing_files,
output => \%expected_downloaded_files);
-$sslsock->run();
+exit $sslsock->run();
# vim: et ts=4 sw=4
diff --git a/tests/Test-https-selfsigned.px b/tests/Test-https-selfsigned.px
index 30a6caa..79c9180 100755
--- a/tests/Test-https-selfsigned.px
+++ b/tests/Test-https-selfsigned.px
@@ -39,7 +39,8 @@ system($sscertcmd);
my $sscheck=`(openssl x509 -noout -modulus -in $certfile | openssl md5 ; openssl rsa -noout -modulus -in $keyfile | openssl md5) | uniq|wc -l`;
# Check if Self signed certificate and key are made correctly.
-unless(-e $certfile && -e $keyfile && $sscheck == 1) {
+unless(-e $certfile && -e $keyfile && $sscheck == 1)
+{
exit 77; # skip
}
@@ -63,7 +64,10 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
certfile => $certfile,
keyfile => $keyfile,
lhostname => $testhostname);
-$sslsock->run();
+if ($sslsock->run() == 0)
+{
+ exit 0;
+}
# Retry the test with --no-check-certificate. expect success
$cmdline = $WgetTest::WGETPATH . " --no-check-certificate --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";;
@@ -78,5 +82,5 @@ my $retryssl = SSLTest->new(cmdline => $cmdline,
certfile => $certfile,
keyfile => $keyfile,
lhostname => $testhostname);
-$retryssl->run();
+exit $retryssl->run();
# vim: et ts=4 sw=4
diff --git a/tests/Test-https-tlsv1.px b/tests/Test-https-tlsv1.px
index 22665f5..3496513 100755
--- a/tests/Test-https-tlsv1.px
+++ b/tests/Test-https-tlsv1.px
@@ -45,6 +45,6 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
errcode => $expected_error_code,
existing => \%existing_files,
output => \%expected_downloaded_files);
-$sslsock->run();
+exit $sslsock->run();
# vim: et ts=4 sw=4
diff --git a/tests/Test-https-tlsv1x.px b/tests/Test-https-tlsv1x.px
index 8dd57dc..7a25f47 100755
--- a/tests/Test-https-tlsv1x.px
+++ b/tests/Test-https-tlsv1x.px
@@ -45,6 +45,6 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
errcode => $expected_error_code,
existing => \%existing_files,
output => \%expected_downloaded_files);
-$sslsock->run();
+exit $sslsock->run();
# vim: et ts=4 sw=4
diff --git a/tests/Test-https-weboftrust.px b/tests/Test-https-weboftrust.px
new file mode 100755
index 0000000..d3ff85a
--- /dev/null
+++ b/tests/Test-https-weboftrust.px
@@ -0,0 +1,155 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+
+use SSLTest;
+
+###############################################################################
+
+# code, msg, headers, content
+my %urls = (
+ '/somefile.txt' => {
+ code => "200",
+ msg => "Dontcare",
+ headers => {
+ "Content-type" => "text/plain",
+ },
+ content => "blabla",
+ },
+);
+
+my $cdir = $ENV{'PWD'};
+
+# HOSTALIASES env variable allows us to create hosts file alias.
+my $testhostname = "wgettesterr";
+my $testhostfile = "$cdir/wgethosts";
+open(my $fh, '>', $testhostfile);
+print $fh "$testhostname 127.0.0.1\n";
+close $fh;
+$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
+
+# Create certindex
+open CERTID, ">", "$cdir/certs/certindex" or
+ warn "Cannot overwrite file $cdir/certs/certindex";
+close CERTID;
+
+# Create certserial
+open CERTSN, ">", "$cdir/certs/certserial" or
+ warn "Cannot overwrite file $cdir/certs/certserial";
+print CERTSN "1122";
+close CERTSN;
+
+# Create crlnumber
+open CRLN, ">", "$cdir/certs/crlnumber" or
+ warn "Cannot overwrite file $cdir/certs/crlnumber";
+close CRLN;
+
+# Create Intermediate CA
+my $caconf = "certs/rootca.conf";
+my $icrtfile = "certs/interca.crt";
+my $ikeyfile = "certs/interca.key";
+my $icsrfile = "certs/interca.csr";
+my $icasubj = "/C=US/ST=CA/L=Intermediate Mystery Spot/O=Int/CN=".
+ "ica-$testhostname/emailAddress=icatester";
+my $icacmd = "openssl genrsa -out $ikeyfile 4096 && openssl req -new".
+ " -sha256 -key $ikeyfile -out $icsrfile -days 365 ".
+ " -subj \"$icasubj\" &&".
+ "openssl ca -batch -config $caconf -notext -in $icsrfile".
+ " -out $icrtfile";
+
+system($icacmd);
+my $icacheck=`(openssl x509 -noout -modulus -in $icrtfile | openssl md5 ;
+ openssl rsa -noout -modulus -in $ikeyfile | openssl md5) |
+ uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $icrtfile && -e $ikeyfile && $icacheck == 1)
+{
+ exit 77; # skip
+}
+
+# Now create web of trust - Root CA + Intermediate CA
+open WOT, ">", "$cdir/certs/wotca.pem" or
+ die "Cannot overwrite file $cdir/certs/wotca";
+open ICA, "<", $icrtfile or die "Cannot read file $icrtfile";
+while (<ICA>)
+{
+ print WOT $_;
+}
+print WOT "\n";
+close ICA;
+open RCA, "<", "$cdir/certs/test-ca-cert.pem" or
+ die "Cannot read file $cdir/certs/test-ca-cert.pem";
+while (<RCA>)
+{
+ print WOT $_;
+}
+print WOT "\n";
+close RCA;
+close WOT;
+
+# Create Test certificate using intermediate CA
+my $icaconf = "certs/interca.conf";
+my $usrcrt = "certs/user.crt";
+my $usrkey = "certs/user.key";
+my $usrcsr = "certs/user.csr";
+my $usrsubj = "/C=US/ST=CA/L=User Mystery Spot/O=Int/CN=$testhostname/".
+ "emailAddress=usertester";
+my $usrcmd = "openssl genrsa -out $usrkey 4096 && ".
+ "openssl req -new -sha256 -key $usrkey -out $usrcsr -days".
+ " 365 -subj \"$usrsubj\" && ".
+ "openssl ca -batch -config $icaconf -notext -in $usrcsr ".
+ "-out $usrcrt";
+
+system($usrcmd);
+my $usrcheck=`(openssl x509 -noout -modulus -in $usrcrt | openssl md5 ;
+ openssl rsa -noout -modulus -in $usrkey | openssl md5) |
+ uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $usrcrt && -e $ikeyfile && $usrcheck == 1)
+{
+ exit 77; # skip
+}
+
+# Try Wget using SSL using certificate signed by intermediate CA. Expect error.
+my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/".
+ "test-ca-cert.pem https://$testhostname:55443/somefile.txt";;
+my $expected_error_code = 5;
+my %existing_files = (
+);
+
+my %expected_downloaded_files = (
+ 'somefile.txt' => {
+ content => "blabla",
+ },
+);
+
+my $sslsock = SSLTest->new(cmdline => $cmdline,
+ input => \%urls,
+ errcode => $expected_error_code,
+ existing => \%existing_files,
+ output => \%expected_downloaded_files,
+ certfile => $usrcrt,
+ keyfile => $usrkey,
+ lhostname => $testhostname);
+if ($sslsock->run() == 0)
+{
+ exit 0;
+}
+
+# Retry the test with --no-check-certificate. expect success
+$cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/wotca.pem".
+ " https://$testhostname:55443/somefile.txt";;
+
+$expected_error_code = 0;
+
+my $retryssl = SSLTest->new(cmdline => $cmdline,
+ input => \%urls,
+ errcode => $expected_error_code,
+ existing => \%existing_files,
+ output => \%expected_downloaded_files,
+ certfile => $usrcrt,
+ keyfile => $usrkey,
+ lhostname => $testhostname);
+exit $retryssl->run();
+# vim: et ts=4 sw=4
diff --git a/tests/certs/interca.conf b/tests/certs/interca.conf
new file mode 100644
index 0000000..125565e
--- /dev/null
+++ b/tests/certs/interca.conf
@@ -0,0 +1,64 @@
+[ ca ]
+default_ca = myca
+
+[ crl_ext ]
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+ [ myca ]
+ dir = ./certs/
+ new_certs_dir = $dir
+ unique_subject = no
+ certificate = $dir/interca.crt
+ database = $dir/certindex
+ private_key = $dir/interca.key
+ serial = $dir/certserial
+ default_days = 730
+ default_md = sha1
+ policy = myca_policy
+ x509_extensions = myca_extensions
+ crlnumber = $dir/crlnumber
+ default_crl_days = 730
+
+ [ myca_policy ]
+ commonName = supplied
+ stateOrProvinceName = supplied
+ countryName = optional
+ emailAddress = optional
+ organizationName = supplied
+ organizationalUnitName = optional
+
+ [ myca_extensions ]
+ basicConstraints = critical,CA:TRUE
+ keyUsage = critical,any
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ keyUsage = digitalSignature,keyEncipherment
+ extendedKeyUsage = serverAuth
+ crlDistributionPoints = @crl_section
+ subjectAltName = @alt_names
+ authorityInfoAccess = @ocsp_section
+
+ [ v3_ca ]
+ basicConstraints = critical,CA:TRUE,pathlen:0
+ keyUsage = critical,any
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ keyUsage = digitalSignature,keyEncipherment
+ extendedKeyUsage = serverAuth
+ crlDistributionPoints = @crl_section
+ subjectAltName = @alt_names
+ authorityInfoAccess = @ocsp_section
+
+ [alt_names]
+ DNS.0 = wgettesterr
+
+ [crl_section]
+ URI.0 = http://intertest.wgettest.org/Bogus.crl
+ URI.1 = http://intertest.wgettest.org/Bogus.crl
+
+ [ocsp_section]
+ caIssuers;URI.0 = http://intertest.wgettest.com/Bogus.crt
+ caIssuers;URI.1 = http://intertest.wgettest.com/Bogus.crt
+ OCSP;URI.0 = http://intertest.wgettest.com/ocsp/
+ OCSP;URI.1 = http://intertest.wgettest.com/ocsp/
diff --git a/tests/certs/rootca.conf b/tests/certs/rootca.conf
new file mode 100644
index 0000000..0dd0b4f
--- /dev/null
+++ b/tests/certs/rootca.conf
@@ -0,0 +1,64 @@
+[ ca ]
+default_ca = myca
+
+[ crl_ext ]
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+ [ myca ]
+ dir = ./certs/
+ new_certs_dir = $dir
+ unique_subject = no
+ certificate = $dir/test-ca-cert.pem
+ database = $dir/certindex
+ private_key = $dir/test-ca-key.pem
+ serial = $dir/certserial
+ default_days = 730
+ default_md = sha1
+ policy = myca_policy
+ x509_extensions = myca_extensions
+ crlnumber = $dir/crlnumber
+ default_crl_days = 730
+
+ [ myca_policy ]
+ commonName = supplied
+ stateOrProvinceName = supplied
+ countryName = optional
+ emailAddress = optional
+ organizationName = supplied
+ organizationalUnitName = optional
+
+ [ myca_extensions ]
+ basicConstraints = critical,CA:TRUE
+ keyUsage = critical,any
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
+ extendedKeyUsage = serverAuth
+ crlDistributionPoints = @crl_section
+ subjectAltName = @alt_names
+ authorityInfoAccess = @ocsp_section
+
+ [ v3_ca ]
+ basicConstraints = critical,CA:TRUE,pathlen:0
+ keyUsage = critical,any
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
+ extendedKeyUsage = serverAuth
+ crlDistributionPoints = @crl_section
+ subjectAltName = @alt_names
+ authorityInfoAccess = @ocsp_section
+
+ [alt_names]
+ DNS.0 = wgettesterr
+
+ [crl_section]
+ URI.0 = http://test.wgettest.org/Bogus.crl
+ URI.1 = http://test.wgettest.org/Bogus.crl
+
+ [ocsp_section]
+ caIssuers;URI.0 = http://test.wgettest.com/Bogus.crt
+ caIssuers;URI.1 = http://test.wgettest.com/Bogus.crt
+ OCSP;URI.0 = http://test.wgettest.com/ocsp/
+ OCSP;URI.1 = http://test.wgettest.com/ocsp/
diff --git a/tests/certs/test-ca-key.pem b/tests/certs/test-ca-key.pem
new file mode 100644
index 0000000..0bef904
--- /dev/null
+++ b/tests/certs/test-ca-key.pem
@@ -0,0 +1,58 @@
+!!!!!DO NOT USE THIS KEY FOR ANYTHING !!!!!!!
+!!!!THIS FILE IS FOR TESTING WGET ONLY!!!!!!
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKgIBAAKCAgEArx5p0JWOfE/z3GXkd57QaemGBC8ZmE463Yhy6WtR7ww5MGMl
+QmlsYYvEeZj/3FLe2mdAazTAlU8uf3BM5f8PUVahESgwevGVNJLtgOGJgxXp5csl
+LlWYZ+a3qL1FJYVqPKfiK/tb8BsgzzPyECmlCerXw1lQ+34Fc36bw5vFw6igegb8
+yz5N59yvZp3b9iooU1J5yRTGTpEmGhUrUNdUc2MEe2bwLiEgffVmX9oc2mIqLwfR
+tFjJMvNb6Zr42yllWC5aVeSJ86tkIhuLRQRD/nmy3NR/Txne764BhNnJ+/INV16U
+fJz1A2BeFBhbPdH7T6jQx3BxRDQew66Qe8ESGuWa6SsjWwhiCl/lJ1UeUWt9pjDN
+qT4kfeWQzZKnbMoC7hwLMmmo9fsL65jPNR9iclf5FXBap39/gtWl9vobuTi+6yLJ
+BGBvB4FsFsRNDVu0PM06wUew/d9oTP+3/GKI8UnqiT+76RlC3lcyRdAk5LKFofg9
+bPkNm/dw6aDFtfFTE4oNjRXrUK9w3SZsknne2oOveKoGOYg79T/wlgUo++Uwwa8N
+yYujycVhEvqMdvX68awlrQIxMFSOcyeaiGVuZ/gWIq/7VZaDJGEpnm8vXkpkyxhD
+Wa3qQcLqHKbydckEaLHc2BuNjI3yNiYZUxVr8MHRgrBarEXLHz0yarvNNUECAwEA
+AQKCAgEApUnNkoU3QfqtMCA0bvvFt9IlHpneTLW6NhNucwdLBJjC+fr61h5vn/qu
+bh+NkMXfdsHyOb5G8CcWuk6jJouCR8G+sVT/vWt862yrI/S9OK9cX/tIkt1Txu4r
+9+b99xZgWfQUNHNCKfVRGIHtPngwQJYbJVWObHJcbtDX8N984Nqu7b7eqG+cVPcl
+z3O8hDLycQLt1G/5ZXr3PbMxeVJlcavKNTfKB6BY7MrN4Dcc+LujGVUGCHWtIpw0
+6t/Nd/8wmvTVazEVTJs/HjplT7VhADaaLnmb2GuQ0yWoZV6zmUy0bvzkpmH3mUJC
+SjFbHZSu4ldzCGwHXNrdFtITqdtoW81Tj+b3EsqNlB2u1I8DpOMR8vMGy5f0rYhs
+Lf4Vmpvggw4bzLeu9A6XStxiB/wExn1QlQd54X1zfhssoF/pbu2RtCujn+y3zYCd
+2c9gqdN5MaGsr1NSYUPilj39E4S4FwtGnZGIYhClglToy0sMB/8lQvGIz0WRRfSG
+g+LUuiWuqn95ZrnSJvTSYCvsH0OB64IWpd9sHtu/P8Cjms3B/nIYjbG5gj68m319
+AsK1uFAqVmlGYVJVzgND9B9Egd4cODlTSsncEUQlS8PUZaym50FoBuO4vN+IYrZO
+H/yL6+hq3l/va/xlr4ZMEiBdEAiSj7g6XqQGzTgOz47RJn1FAGECggEBAOi8Moix
+SGHhxpJZgeHuL2FgBuNT9GVDoTNbUtEoZ7NsJd4BG3MjbZFluFoSfFiawAqJ3e6c
+ptUSiZ1KXN1gvMwVkget3MyenEzohYczwYOQeREAeRVr25Wq8cegvLaDFejMclCs
+ILC80BaGbVcAmJMdOBzLVqtY/7lps0LWpGd/6KYXTm41erhWJkvx+Vt0uPKVzGqx
+Ijjh/DSc5eX5BIdn2bYHLRu/xqfnX2kSH37PSto55ROSu8D8YwjaOdyQ1Hha6+O1
+Q6E4d2HliYqv1WaDHjyAXjmlP/3ob5f3QdXbqpB1smGPimK3hiZB0sYgdUI3yW9c
+NkynqGBeoTSPjG0CggEBAMCfyVJnG1fCnFZFCtPawYKK/IoMNyYzgIKomlcBdF/8
+J8Gwr6jcFBbdefT+VypVO0DywPrIFppDzjGEmZarFRgXsspGBenQQrZTPG1eUldY
+U89ODTsYNk0AXdctkMvAFSfVbA/4pnXAiXzKeEDk2YOhDYP1Y/T9eZQ3AI+LNeGO
+1Oqd9hGgsW0rqVgW+rCbUTezFE5J+2zbzMu2XnJieueG33iaVMpHzqnLLe27SYcI
+7VmgttZL4eL6/klPHSKC8x3y1c2T88d+HAuW+mB+bQ2iQWYfM82SyxjTER/7jpTy
+Zpj/mibgt2cQxVowWFmMMOLXczhpu/GOgRxxCXVQn6UCggEBAOa30vzxiskGMn1Y
+4EpifnPw50MrMkfFEKRB70rL3GnhV3TK8jRlNbSC+4vHcZ/A4YpQ/EMU5sqp0uSs
+GH2Z7e//nkGgmRf8UQRpKh5LL5bGfU5egqq6vveTfJajARGJyAl9zAGvccTjmQIL
+h49NVvPYbo0VAzlgRDrBz2T+NgMoqTEmP6k/uQXO2a5GFiYVA1fxKrHGIh/z37sk
+o0Aladj2Gby7RnuQ1VYUJ+CYh8KFqzXFWRPbTefWDDN1axD+PrOFpv2Y749+09Kn
+438qKsqyRyJBO6e360VBzIcBJjHkzyTgmNLgopaUSxfX/yRMfxIDDd0os+ev+Vp3
+1SWu/M0CggEAWSvfZCFNPCRggWN27rpPaOJ0pGehRDMFY/cvc+W9fQ3bTcRAnXg8
+aJVg9vSjX3qTcq6ufaoRJJsNIklTXLeYjU2zPAaMiEAcEhGYYL0Qe1Ttf4OPhnLf
++GeaCZoTdO9YG9emLgKa9NoMC9QjNU98Dn6JJjR8cJbDKMUJomn8qI2ZrX8wwdpV
+KMfUnm4M4aMVRybE2LVRCoT6WrfzIxrJ8NK0Mz2m0PnLBzmC6pIQKM4OKrbGzY/V
+Y2F0RHW2dBqQ96VKKuA6M3kC/K6I/BCq5WvewKrjLWCuWrCjNd4blIJe0qdJMoRH
+AxR1eBn3XIUUwH6i3VO9aMbiqEr/6OpI7QKCAQEAslqWEcRSL8bxXTVs1Jqip4wW
+lbJoym+zXhMLiqxCbMukClkkCdaI+lxNVdxs4MpACHYRAhHwVvAujz5JcgiMjSRC
+IK/JGu9uVkSriA/YJxmmMPvTYI1bmT1lT99HUqhzM5COuSFJh9D8cfpHJSUC+6rF
+1U/YcdcrZAMl3UH30XdsJLc6l3L/0gyseohwWT76dSqqOOathvNM5PsE8jNzPEo7
+VUdfrrDpEw0dPjk4IF8cpC389H1j8lnwxkWQtHHhXZTXHJlC9xYPa3PRsRn18pJy
+vxz9r76vJ3YJiQTxv8MKw/AaQrNDZng0Ff5kqQAqc/q/CvHdb2pur8NTsS/09w==
+-----END RSA PRIVATE KEY-----
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!DO NOT USE THIS KEY FOR ANYTHING !!!!!!!
+!!!!THIS FILE IS FOR TESTING WGET ONLY!!!!!!
\ No newline at end of file
--
2.7.4
