diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 8919de304..753e1776d 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -109,6 +109,11 @@ add_boost_test(base
 base_timer/invoke
 base_timer/scope
 base_tlsutility/sha1
+ base_tlsutility/iscauptodate_ok
+ base_tlsutility/iscauptodate_expiring
+ base_tlsutility/iscertuptodate_ok
+ base_tlsutility/iscertuptodate_expiring
+ base_tlsutility/iscertuptodate_old
 base_type/gettype
 base_type/assign
 base_type/byname
diff --git a/test/base-tlsutility.cpp b/test/base-tlsutility.cpp
index c66cef474..2e611e49a 100644
--- a/test/base-tlsutility.cpp
+++ b/test/base-tlsutility.cpp
@@ -2,11 +2,61 @@
 #include "base/tlsutility.hpp"
 #include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
 #include
 #include
 using namespace icinga;
+static EVP_PKEY* GenKeypair()
+{
+ InitializeOpenSSL();
+
+ auto e (BN_new());
+ BOOST_REQUIRE(e);
+
+ auto rsa (RSA_new());
+ BOOST_REQUIRE(rsa);
+
+ auto key (EVP_PKEY_new());
+ BOOST_REQUIRE(key);
+
+ BOOST_REQUIRE(BN_set_word(e, RSA_F4));
+ BOOST_REQUIRE(RSA_generate_key_ex(rsa, 4096, e, nullptr));
+ BOOST_REQUIRE(EVP_PKEY_assign_RSA(key, rsa));
+
+ return key;
+}
+
+static std::shared_ptr MakeCert(const char* issuer, EVP_PKEY* signer, const char* subject, EVP_PKEY* pubkey, std::function setTimes)
+{
+ auto cert (X509_new());
+ BOOST_REQUIRE(cert);
+
+ auto serial (BN_new());
+ BOOST_REQUIRE(serial);
+
+ BOOST_REQUIRE(X509_set_version(cert, 0x2));
+ BOOST_REQUIRE(BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(cert)));
+ BOOST_REQUIRE(X509_NAME_add_entry_by_NID(X509_get_issuer_name(cert), NID_commonName, MBSTRING_ASC, (unsigned char*)issuer, -1, -1, 0));
+ setTimes(X509_get_notBefore(cert), X509_get_notAfter(cert));
+ BOOST_REQUIRE(X509_NAME_add_entry_by_NID(X509_get_subject_name(cert), NID_commonName, MBSTRING_ASC, (unsigned char*)subject, -1, -1, 0));
+ BOOST_REQUIRE(X509_set_pubkey(cert, pubkey));
+ BOOST_REQUIRE(X509_sign(cert, signer, EVP_sha256()));
+
+ return std::shared_ptr(cert, X509_free);
+}
+
+static const long l_2016 = 1480000000; // Thu Nov 24 15:06:40 UTC 2016
+static const long l_2017 = 1490000000; // Mon Mar 20 08:53:20 UTC 2017
+
 BOOST_AUTO_TEST_SUITE(base_tlsutility)
 BOOST_AUTO_TEST_CASE(sha1)
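Review bot: GenKeypair() never frees the exponent `e` and MakeCert() never frees `serial` — neither RSA_generate_key_ex() nor BN_to_ASN1_INTEGER() takes ownership of the BIGNUM, so each call leaks one, and the raw `EVP_PKEY*` GenKeypair() returns is an owning pointer that no caller in the following hunk ever passes to EVP_PKEY_free(), which will show up under LeakSanitizer runs of this suite. The minimal fix is `BN_free(e);` after the `RSA_generate_key_ex` line and `BN_free(serial);` after the `BN_to_ASN1_INTEGER` line; for the key, returning `std::shared_ptr<EVP_PKEY>(key, EVP_PKEY_free)` the way MakeCert already wraps its X509 would let the test cases hold it by value and pass `.get()` into MakeCert (as far as I can tell X509_set_pubkey() keeps its own reference to the key and X509_sign() borrows the signer, so freeing the caller's handle afterwards is safe — worth confirming against the OpenSSL version in use). Separately, every GenKeypair() call generates a fresh 4096-bit RSA key and the next hunk calls it eight times, so this suite will spend several seconds in key generation; since only the validity dates matter to IsCaUptodate/IsCertUptodate, 2048 bits, or one key generated once per suite, would keep the tests fast without changing what they check. A one-line header comment on each helper would also help, e.g. `// Test-only: self-signed or CA-signed X509 whose validity window is set by setTimes(); caller owns nothing, the shared_ptr frees it.`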
@@ -35,4 +85,51 @@ BOOST_AUTO_TEST_CASE(sha1)
 }
 }
+BOOST_AUTO_TEST_CASE(iscauptodate_ok)
+{
+ auto key (GenKeypair());
+
+ BOOST_CHECK(IsCaUptodate(MakeCert("Icinga CA", key, "Icinga CA", key, [](ASN1_TIME* notBefore, ASN1_TIME* notAfter) {
+ BOOST_REQUIRE(X509_gmtime_adj(notBefore, 0));
+ BOOST_REQUIRE(X509_gmtime_adj(notAfter, LEAF_VALID_FOR + 60 * 60));
+ }).get()));
+}
+
+BOOST_AUTO_TEST_CASE(iscauptodate_expiring)
+{
+ auto key (GenKeypair());
+
+ BOOST_CHECK(!IsCaUptodate(MakeCert("Icinga CA", key, "Icinga CA", key, [](ASN1_TIME* notBefore, ASN1_TIME* notAfter) {
+ BOOST_REQUIRE(X509_gmtime_adj(notBefore, 0));
+ BOOST_REQUIRE(X509_gmtime_adj(notAfter, LEAF_VALID_FOR - 60 * 60));
+ }).get()));
+}
+
+BOOST_AUTO_TEST_CASE(iscertuptodate_ok)
+{
+ BOOST_CHECK(IsCertUptodate(MakeCert("Icinga CA", GenKeypair(), "example.com", GenKeypair(), [](ASN1_TIME* notBefore, ASN1_TIME* notAfter) {
+ time_t epoch = 0;
+ BOOST_REQUIRE(X509_time_adj(notBefore, l_2017, &epoch));
+ BOOST_REQUIRE(X509_gmtime_adj(notAfter, RENEW_THRESHOLD + 60 * 60));
+ })));
+}
+
+BOOST_AUTO_TEST_CASE(iscertuptodate_expiring)
+{
+ BOOST_CHECK(!IsCertUptodate(MakeCert("Icinga CA", GenKeypair(), "example.com", GenKeypair(), [](ASN1_TIME* notBefore, ASN1_TIME* notAfter) {
+ time_t epoch = 0;
+ BOOST_REQUIRE(X509_time_adj(notBefore, l_2017, &epoch));
+ BOOST_REQUIRE(X509_gmtime_adj(notAfter, RENEW_THRESHOLD - 60 * 60));
+ })));
+}
+
+BOOST_AUTO_TEST_CASE(iscertuptodate_old)
+{
+ BOOST_CHECK(!IsCertUptodate(MakeCert("Icinga CA", GenKeypair(), "example.com", GenKeypair(), [](ASN1_TIME* notBefore, ASN1_TIME* notAfter) {
+ time_t epoch = 0;
+ BOOST_REQUIRE(X509_time_adj(notBefore, l_2016, &epoch));
+ BOOST_REQUIRE(X509_gmtime_adj(notAfter, RENEW_THRESHOLD + 60 * 60));
+ })));
+}
+
 BOOST_AUTO_TEST_SUITE_END()
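Review bot: The three iscertuptodate_* cases are the same eight lines copied three times, differing only in the notBefore epoch and the notAfter offset, which hides the one thing each case is about; a small helper taking those two numbers turns each case into a single BOOST_CHECK and makes it cheap to add the cases that are currently missing, namely the exact boundary (notAfter at precisely RENEW_THRESHOLD from now, and a CA at precisely LEAF_VALID_FOR) — I cannot tell from this hunk whether the implementation compares with < or <=, and the ±1h margins used here deliberately avoid the question. The `time_t epoch = 0; X509_time_adj(notBefore, l_2017, &epoch)` idiom also deserves a comment, since it reads as a relative adjustment but is used to set an absolute time: `// absolute notBefore: l_2017 seconds after the Unix epoch (offset applied to epoch, not to now)`. The iscauptodate_* pair could get the same treatment. The `GenKeypair()` results passed inline here are never freed (raised on the helper hunk above).

```cpp
// Builds a leaf cert signed by a throwaway CA key whose notBefore is an
// absolute epoch second and whose notAfter is an offset from now, then
// returns IsCertUptodate()'s verdict on it.
static bool LeafUptodate(long notBeforeEpoch, long notAfterFromNow)
{
	return IsCertUptodate(MakeCert("Icinga CA", GenKeypair(), "example.com", GenKeypair(), [=](ASN1_TIME* notBefore, ASN1_TIME* notAfter) {
		time_t epoch = 0; // absolute time: adjust relative to the Unix epoch, not to now
		BOOST_REQUIRE(X509_time_adj(notBefore, notBeforeEpoch, &epoch));
		BOOST_REQUIRE(X509_gmtime_adj(notAfter, notAfterFromNow));
	}));
}

BOOST_AUTO_TEST_CASE(iscertuptodate_ok)
{
	BOOST_CHECK(LeafUptodate(l_2017, RENEW_THRESHOLD + 60 * 60));
}
// … unchanged in shape: iscertuptodate_expiring and iscertuptodate_old become the same one-line checks with their own arguments …
```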