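# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import os
import subprocess

from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error

OPENSSL = '/usr/bin/openssl'
# Kept for compatibility with anything that imports it; verify() builds its
# argv list directly instead of splicing this into a shell string.
VERIFY = OPENSSL + ' verify'

# Port the local openssl s_server listens on.  fetch() and run_once() must
# agree on it, so it is defined once here.
SERVER_PORT = 4433
SERVER_URL = 'https://127.0.0.1:%d/' % SERVER_PORT


def _blacklist_env(blacklist):
    """Return a copy of the current environment with OPENSSL_BLACKLIST_PATH set.

    Both the openssl binary and curl are pointed at the blacklist through this
    variable; it is the only piece of state the helpers vary between calls.

    Args:
        blacklist: path to the blacklist file to expose to the child process.
    """
    env = dict(os.environ)
    env['OPENSSL_BLACKLIST_PATH'] = blacklist
    return env


class security_OpenSSLBlacklist(test.test):
    """Check that certificates named in an OpenSSL blacklist are rejected.

    The test certificate (cert.pem, signed by ca.pem) must verify with an
    empty blacklist and with a blacklist that does not mention it, and must
    be rejected when a blacklist names it by SHA-256, SHA-1 or serial number.
    The check is run on two code paths: `openssl verify` on the file, and a
    TLS connection from curl to a local `openssl s_server`.
    """
    version = 1

    def verify(self, blacklist='/dev/null'):
        """Return True if cert.pem verifies against ca.pem under *blacklist*.

        Args:
            blacklist: path passed as OPENSSL_BLACKLIST_PATH; the default
                /dev/null acts as an empty blacklist.
        """
        # argv list plus an explicit env dict: no shell is involved, so the
        # paths reach openssl verbatim instead of being re-parsed by /bin/sh.
        r = subprocess.call([OPENSSL, 'verify', '-CAfile', self.ca, self.cert],
                            env=_blacklist_env(blacklist))
        return r == 0

    def fetch(self, blacklist='/dev/null'):
        """Return True if curl can fetch SERVER_URL under *blacklist*.

        curl is told to trust only ca.pem, so this exercises the blacklist on
        the TLS handshake path rather than on `openssl verify`.

        Args:
            blacklist: path passed as OPENSSL_BLACKLIST_PATH; the default
                /dev/null acts as an empty blacklist.
        """
        r = subprocess.call(['curl', '--cacert', self.ca, '-o', '/dev/null',
                             SERVER_URL],
                            env=_blacklist_env(blacklist))
        return r == 0

    def run_once(self, opts=None):
        """Run the verify and fetch checks against every blacklist in srcdir.

        Args:
            opts: unused; accepted for interface compatibility.

        Raises:
            error.TestFail: the certificate is rejected with no blacklist (or
                with the bogus one that does not name it), or is accepted
                with any blacklist that does name it, on either code path.
        """
        self.blacklists = [
            os.path.join(self.srcdir, 'sha256_blacklist'),
            os.path.join(self.srcdir, 'sha1_blacklist'),
            os.path.join(self.srcdir, 'serial_blacklist'),
        ]
        self.bogus_blacklist = os.path.join(self.srcdir, 'bogus_blacklist')
        self.ca = os.path.join(self.srcdir, 'ca.pem')
        self.cert = os.path.join(self.srcdir, 'cert.pem')
        self.key = os.path.join(self.srcdir, 'cert.key')

        # File-based path: openssl verify.
        if not self.verify():
            raise error.TestFail('Certificate does not verify normally.')
        for b in self.blacklists:
            if self.verify(b):
                raise error.TestFail('Certificate verified with %s' % b)
        if not self.verify(self.bogus_blacklist):
            raise error.TestFail('Certificate does not verify with nonempty blacklist.')

        # TLS path: fire up an openssl s_server and have curl fetch from it.
        server = subprocess.Popen([OPENSSL, 's_server', '-www',
                                   '-CAfile', self.ca, '-cert', self.cert,
                                   '-key', self.key, '-port', str(SERVER_PORT)])
        try:
            # The server needs a moment before it accepts connections, so the
            # first fetch doubles as the readiness probe.
            utils.poll_for_condition(
                self.fetch,
                error.TestFail('Fetch without blacklist fails.'))
            for b in self.blacklists:
                if self.fetch(b):
                    raise error.TestFail('Fetched with %s' % b)
        finally:
            server.terminate()
            # Reap the child so it does not linger as a zombie after the test.
            server.wait()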