Repository: qpid-proton Updated Branches: refs/heads/master 630471e32 -> f4b35515b
PROTON-1048: Windows SChannel test certificates for proton-c Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/f4b35515 Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/f4b35515 Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/f4b35515 Branch: refs/heads/master Commit: f4b35515bc423c448362311cb228c2ffc97ebaca Parents: 630471e Author: Clifford Jansen <cliffjan...@apache.org> Authored: Sun Nov 15 16:05:15 2015 -0800 Committer: Clifford Jansen <cliffjan...@apache.org> Committed: Sun Nov 15 16:05:15 2015 -0800 ---------------------------------------------------------------------- proton-c/src/messenger/messenger.c | 2 +- proton-c/src/windows/schannel.c | 4 +--- tests/python/proton_tests/messenger.py | 3 ++- tests/python/proton_tests/sasl.py | 12 +++++++++++- tests/python/proton_tests/soak.py | 2 ++ tests/python/proton_tests/ssl.py | 14 ++++++++++++++ tests/python/proton_tests/ssl_db/README.txt | 12 +++++++++++- .../proton_tests/ssl_db/bad-server-certificate.p12 | Bin 0 -> 1490 bytes tests/python/proton_tests/ssl_db/ca-certificate.p12 | Bin 0 -> 920 bytes .../proton_tests/ssl_db/client-certificate.p12 | Bin 0 -> 1554 bytes .../proton_tests/ssl_db/server-certificate.p12 | Bin 0 -> 1562 bytes .../proton_tests/ssl_db/server-wc-certificate.p12 | Bin 0 -> 1632 bytes 12 files changed, 42 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/proton-c/src/messenger/messenger.c ---------------------------------------------------------------------- diff --git a/proton-c/src/messenger/messenger.c b/proton-c/src/messenger/messenger.c index 6c4a885..277642f 100644 --- a/proton-c/src/messenger/messenger.c +++ b/proton-c/src/messenger/messenger.c 
@@ -931,7 +931,7 @@ static int pn_transport_config(pn_messenger_t *messenger, pn_transport_set_tracer(transport, messenger->tracer); if (ctx->scheme && !strcmp(ctx->scheme, "amqps")) { pn_ssl_domain_t *d = pn_ssl_domain(PN_SSL_MODE_CLIENT); - if (messenger->certificate && messenger->private_key) { + if (messenger->certificate) { int err = pn_ssl_domain_set_credentials( d, messenger->certificate, messenger->private_key, messenger->password); http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/proton-c/src/windows/schannel.c ---------------------------------------------------------------------- diff --git a/proton-c/src/windows/schannel.c b/proton-c/src/windows/schannel.c index 3e3b389..57345d7 100644 --- a/proton-c/src/windows/schannel.c +++ b/proton-c/src/windows/schannel.c @@ -410,11 +410,9 @@ static void ssl_session_free( pn_ssl_session_t *ssn) /** Public API - visible to application code */ -// TODO: This should really return true as SSL is fully implemented, -// but the tests currently fail because the fixed certificates aren't usable on windows bool pn_ssl_present(void) { - return false; + return true; } pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode ) http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/tests/python/proton_tests/messenger.py ---------------------------------------------------------------------- diff --git a/tests/python/proton_tests/messenger.py b/tests/python/proton_tests/messenger.py index b6c3d1f..9656033 100644 --- a/tests/python/proton_tests/messenger.py +++ b/tests/python/proton_tests/messenger.py 
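Review bot: Dropping the `messenger->private_key` test in `pn_transport_config` lets a NULL private key reach `pn_ssl_domain_set_credentials()` on every TLS back end, not only on SChannel, where the key travels inside the certificate store. How the non-Windows implementations treat a NULL key is not visible in this hunk, so confirm that they return an error instead of dereferencing the pointer or silently continuing without client credentials. A comment above the condition would record the intent, for example `/* private_key may be NULL when the back end keeps the key in the certificate store (SChannel PKCS#12) */`. The function starts and ends outside the hunk.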
@@ -450,7 +450,8 @@ class MessengerTest(Test): self.client.start() def testRoute(self): - if not common.isSSLPresent(): + # anonymous cipher not supported on Windows + if os.name == "nt" or not common.isSSLPresent(): domain = "amqp" else: domain = "amqps" http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/tests/python/proton_tests/sasl.py ---------------------------------------------------------------------- diff --git a/tests/python/proton_tests/sasl.py b/tests/python/proton_tests/sasl.py index 75b4828..6adb77d 100644 --- a/tests/python/proton_tests/sasl.py +++ b/tests/python/proton_tests/sasl.py @@ -29,6 +29,13 @@ from proton._compat import str2bin def _sslCertpath(file): """ Return the full path to the certificate,keyfile, etc. """ + if os.name=="nt": + if file.find("private-key")!=-1: + # The private key is not in a separate store + return None + # Substitute pkcs#12 equivalent for the CA/key store + if file.endswith(".pem"): + file = file[:-4] + ".p12" return os.path.join(os.path.dirname(__file__), "ssl_db/%s" % file) @@ -423,7 +430,10 @@ class SSLSASLTest(Test): if "java" in sys.platform: raise Skipped("Proton-J does not support SSL with SASL") - extUser = 'O=Client,CN=127.0.0.1' + if os.name=="nt": + extUser = 'O=Client, CN=127.0.0.1' + else: + extUser = 'O=Client,CN=127.0.0.1' mech = 'EXTERNAL' self.server_domain.set_credentials(_sslCertpath("server-certificate.pem"), http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/tests/python/proton_tests/soak.py ---------------------------------------------------------------------- diff --git a/tests/python/proton_tests/soak.py b/tests/python/proton_tests/soak.py index c9ec68e..52382ba 100644 --- a/tests/python/proton_tests/soak.py +++ b/tests/python/proton_tests/soak.py 
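Review bot: On Windows `testRoute` now drops to plain `amqp` without reporting it, so a green run there says nothing about the `amqps` route. The added comment could state that consequence, for example `# SChannel has no anonymous cipher, so on Windows this test only covers the unencrypted route`. The hunk also uses `os.name`, and the module's import block is outside the hunk, so check that `os` is imported in this file.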
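Review bot: The Windows branch added to `_sslCertpath` is repeated line for line in `_testpath` in tests/python/proton_tests/ssl.py, so the PEM-to-PKCS#12 mapping now exists in two copies that can drift apart. One shared helper used by both test modules would avoid that. The docstring should also say that the function can now return `None`, for example `Return the full path to the certificate or key file, or None on Windows for a private-key file (the key is held in the .p12 store).` As a smaller style point, `"private-key" in file` reads more directly than `file.find("private-key")!=-1`, and the parameter name `file` shadows a builtin on Python 2.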
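Review bot: The expected EXTERNAL identity now differs by platform only in a space after the comma (`'O=Client, CN=127.0.0.1'` on Windows, `'O=Client,CN=127.0.0.1'` elsewhere), and the test accepts both forms without explaining why. Presumably each TLS back end formats the certificate subject differently, which means any authorization rule that compares this string exactly would behave differently depending on the platform. Add a comment above the branch, for example `# the subject DN string is formatted differently by the SChannel and OpenSSL back ends`. It may also be worth normalising the separator in the library so that applications see one form. The test method continues outside the hunk.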
@@ -124,6 +124,8 @@ class MessengerTests(AppTests): def _ssl_check(self): if not isSSLPresent(): raise Skipped("No SSL libraries found.") + if os.name=="nt": + raise Skipped("Windows SChannel lacks anonymous cipher support.") def __init__(self, *args): AppTests.__init__(self, *args) http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/tests/python/proton_tests/ssl.py ---------------------------------------------------------------------- diff --git a/tests/python/proton_tests/ssl.py b/tests/python/proton_tests/ssl.py index 961a783..e59c90b 100644 --- a/tests/python/proton_tests/ssl.py +++ b/tests/python/proton_tests/ssl.py @@ -31,6 +31,13 @@ from .common import Skipped, pump def _testpath(file): """ Set the full path to the certificate,keyfile, etc. for the test. """ + if os.name=="nt": + if file.find("private-key")!=-1: + # The private key is not in a separate store + return None + # Substitute pkcs#12 equivalent for the CA/key store + if file.endswith(".pem"): + file = file[:-4] + ".p12" return os.path.join(os.path.dirname(__file__), "ssl_db/%s" % file) @@ -90,6 +97,8 @@ class SslTest(common.Test): self._pump(client, server) def test_defaults(self): + if os.name=="nt": + raise Skipped("Windows SChannel lacks anonymous cipher support.") """ By default, both the server and the client support anonymous ciphers - they should connect without need for a certificate. """ @@ -429,6 +438,9 @@ class SslTest(common.Test): def test_session_resume(self): """ Test resume of client session. """ + if os.name=="nt": + raise Skipped("Windows SChannel session resume not yet implemented.") + self.server_domain.set_credentials(self._testpath("server-certificate.pem"), self._testpath("server-private-key.pem"), "server-password") 
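Review bot: In `test_defaults` the added `if os.name=="nt": raise Skipped(...)` sits above the triple-quoted description, so that text is no longer the method's docstring. It becomes an unused string expression and `test_defaults.__doc__` is `None`. Move the two added lines below the closing `"""`, which is where the same check is placed in `test_session_resume` and `test_defaults_messenger_app` in this file. The method body continues past the end of the hunk.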
@@ -736,6 +748,8 @@ class SslTest(common.Test): def test_defaults_messenger_app(self): """ Test an SSL connection using the Messenger apps (no certificates) """ + if os.name=="nt": + raise Skipped("Windows SChannel lacks anonymous cipher support.") port = common.free_tcp_ports()[0] receiver = common.MessengerReceiverC() http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/tests/python/proton_tests/ssl_db/README.txt ---------------------------------------------------------------------- diff --git a/tests/python/proton_tests/ssl_db/README.txt b/tests/python/proton_tests/ssl_db/README.txt index 6967e84..5b35421 100644 --- a/tests/python/proton_tests/ssl_db/README.txt +++ b/tests/python/proton_tests/ssl_db/README.txt 
@@ -59,4 +59,14 @@ keytool -ext san=dns:alternate.name.one.com,dns:another.name.com -storetype pkcs keytool -ext san=dns:alternate.name.one.com,dns:another.name.com -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile server-wc-request.pem -outfile server-wc-certificate.pem openssl pkcs12 -nocerts -passin pass:server-password -in server.pkcs12 -passout pass:server-password -out server-wc-private-key.pem - +# Create pkcs12 versions of the above certificates (for Windows SChannel) +# The CA certificate store/DB is created without public keys. +# Give the "p12" files the same base name so the tests can just change the extension to switch between platforms. +# These certificates might work for OpenSSL <-> SChannel interop tests, but note that the DH cypher suite +# overlap is poor between platforms especially for older Windows versions. RSA certificates are better for +# interop (or PFS-friendly certificates on newer platforms). 
+openssl pkcs12 -export -out ca-certificate.p12 -in ca-certificate.pem -name ca-certificate -nokeys -passout pass: +openssl pkcs12 -export -out server-certificate.p12 -passin pass:server-password -passout pass:server-password -inkey server-private-key.pem -in server-certificate.pem -name server-certificate +openssl pkcs12 -export -out client-certificate.p12 -passin pass:client-password -passout pass:client-password -inkey client-private-key.pem -in client-certificate.pem -name client-certificate +openssl pkcs12 -export -out bad-server-certificate.p12 -passin pass:server-password -passout pass:server-password -inkey bad-server-private-key.pem -in bad-server-certificate.pem -name bad-server +openssl pkcs12 -export -out server-wc-certificate.p12 -passin pass:server-password -passout pass:server-password -inkey server-wc-private-key.pem -in server-wc-certificate.pem -name server-wc-certificate http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/tests/python/proton_tests/ssl_db/bad-server-certificate.p12 ---------------------------------------------------------------------- diff --git a/tests/python/proton_tests/ssl_db/bad-server-certificate.p12 b/tests/python/proton_tests/ssl_db/bad-server-certificate.p12 new file mode 100644 index 0000000..6044350 Binary files /dev/null and b/tests/python/proton_tests/ssl_db/bad-server-certificate.p12 differ http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/tests/python/proton_tests/ssl_db/ca-certificate.p12 ---------------------------------------------------------------------- 
diff --git a/tests/python/proton_tests/ssl_db/ca-certificate.p12 b/tests/python/proton_tests/ssl_db/ca-certificate.p12 new file mode 100644 index 0000000..539b278 Binary files /dev/null and b/tests/python/proton_tests/ssl_db/ca-certificate.p12 differ http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/tests/python/proton_tests/ssl_db/client-certificate.p12 ---------------------------------------------------------------------- diff --git a/tests/python/proton_tests/ssl_db/client-certificate.p12 b/tests/python/proton_tests/ssl_db/client-certificate.p12 new file mode 100644 index 0000000..be820ed Binary files /dev/null and b/tests/python/proton_tests/ssl_db/client-certificate.p12 differ http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/tests/python/proton_tests/ssl_db/server-certificate.p12 ---------------------------------------------------------------------- diff --git a/tests/python/proton_tests/ssl_db/server-certificate.p12 b/tests/python/proton_tests/ssl_db/server-certificate.p12 new file mode 100644 index 0000000..d470366 Binary files /dev/null and b/tests/python/proton_tests/ssl_db/server-certificate.p12 differ http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f4b35515/tests/python/proton_tests/ssl_db/server-wc-certificate.p12 ---------------------------------------------------------------------- diff --git a/tests/python/proton_tests/ssl_db/server-wc-certificate.p12 b/tests/python/proton_tests/ssl_db/server-wc-certificate.p12 new file mode 100644 index 0000000..d512f52 Binary files /dev/null and b/tests/python/proton_tests/ssl_db/server-wc-certificate.p12 differ --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org