[rs-commit] r429 - in /mod_cms_verify/trunk: Makefile.in README aclocal.m4 test.sh
rs-commit at redwax.eu
rs-commit at redwax.eu
Tue Aug 17 23:13:29 CEST 2021
Author: dirkx at redwax.eu
Date: Tue Aug 17 23:13:28 2021
New Revision: 429
Log:
Add rudimentary test - work in progress.
Added:
mod_cms_verify/trunk/test.sh (with props)
Modified:
mod_cms_verify/trunk/Makefile.in
mod_cms_verify/trunk/README
mod_cms_verify/trunk/aclocal.m4
Modified: mod_cms_verify/trunk/Makefile.in
==============================================================================
--- mod_cms_verify/trunk/Makefile.in (original)
+++ mod_cms_verify/trunk/Makefile.in Tue Aug 17 23:13:28 2021
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.3 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -117,9 +117,9 @@
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/mod_cms_verify.spec.in \
- AUTHORS COPYING ChangeLog INSTALL NEWS README compile \
- install-sh missing
+am__DIST_COMMON = $(srcdir)/Makefile.in \
+ $(srcdir)/mod_cms_verify.spec.in AUTHORS COPYING ChangeLog \
+ INSTALL NEWS README compile install-sh missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
@@ -133,6 +133,8 @@
DIST_ARCHIVES = $(distdir).tar.gz $(distdir).tar.bz2
GZIP_ENV = --best
DIST_TARGETS = dist-bzip2 dist-gzip
+# Exists only to be overridden by the user if desired.
+AM_DISTCHECK_DVI_TARGET = dvi
distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
@@ -337,6 +339,10 @@
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)
+dist-zstd: distdir
+ tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst
+ $(am__post_remove_distdir)
+
dist-tarZ: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@@ -379,6 +385,8 @@
eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
*.zip*) \
unzip $(distdir).zip ;;\
+ *.tar.zst*) \
+ zstd -dc $(distdir).tar.zst | $(am__untar) ;;\
esac
chmod -R a-w $(distdir)
chmod u+w $(distdir)
@@ -394,7 +402,7 @@
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=../.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
- && $(MAKE) $(AM_MAKEFLAGS) dvi \
+ && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \
&& $(MAKE) $(AM_MAKEFLAGS) check \
&& $(MAKE) $(AM_MAKEFLAGS) install \
&& $(MAKE) $(AM_MAKEFLAGS) installcheck \
@@ -553,16 +561,16 @@
.PHONY: all all-am all-local am--refresh check check-am clean \
clean-generic cscopelist-am ctags-am dist dist-all dist-bzip2 \
dist-gzip dist-lzip dist-shar dist-tarZ dist-xz dist-zip \
- distcheck distclean distclean-generic distcleancheck distdir \
- distuninstallcheck dvi dvi-am html html-am info info-am \
- install install-am install-data install-data-am install-dvi \
- install-dvi-am install-exec install-exec-am install-exec-local \
- install-html install-html-am install-info install-info-am \
- install-man install-pdf install-pdf-am install-ps \
- install-ps-am install-strip installcheck installcheck-am \
- installdirs maintainer-clean maintainer-clean-generic \
- mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags-am \
- uninstall uninstall-am
+ dist-zstd distcheck distclean distclean-generic distcleancheck \
+ distdir distuninstallcheck dvi dvi-am html html-am info \
+ info-am install install-am install-data install-data-am \
+ install-dvi install-dvi-am install-exec install-exec-am \
+ install-exec-local install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-generic pdf \
+ pdf-am ps ps-am tags-am uninstall uninstall-am
.PRECIOUS: Makefile
Modified: mod_cms_verify/trunk/README
==============================================================================
--- mod_cms_verify/trunk/README (original)
+++ mod_cms_verify/trunk/README Tue Aug 17 23:13:28 2021
@@ -15,7 +15,9 @@
And call it with:
- echo "field1=foo&field2=bar" | openssl cms -sign -signer cert.pem -outform DER | curl --data-binary - https://127.0.0.1/post-cgi/show.cgi
+ echo "field1=foo&field2=bar" |\
+ openssl cms -sign -signer cert.pem -outform DER -nodetach -binary |\
+ curl -vvv --silent --data-binary - https://127.0.0.1/post-cgi/show.cgi
Where 'show.cgi' is a script such as:
Modified: mod_cms_verify/trunk/aclocal.m4
==============================================================================
--- mod_cms_verify/trunk/aclocal.m4 (original)
+++ mod_cms_verify/trunk/aclocal.m4 Tue Aug 17 23:13:28 2021
@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
-
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# generated automatically by aclocal 1.16.3 -*- Autoconf -*-
+
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -296,7 +296,7 @@
AS_VAR_IF([$1], [""], [$5], [$4])dnl
])dnl PKG_CHECK_VAR
-# Copyright (C) 2002-2018 Free Software Foundation, Inc.
+# Copyright (C) 2002-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -311,7 +311,7 @@
[am__api_version='1.16'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro.
-m4_if([$1], [1.16.1], [],
+m4_if([$1], [1.16.3], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
])
@@ -327,14 +327,14 @@
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.16.1])dnl
+[AM_AUTOMAKE_VERSION([1.16.3])dnl
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
# AM_AUX_DIR_EXPAND -*- Autoconf -*-
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -386,7 +386,7 @@
# AM_CONDITIONAL -*- Autoconf -*-
-# Copyright (C) 1997-2018 Free Software Foundation, Inc.
+# Copyright (C) 1997-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -417,7 +417,7 @@
Usually this means the macro was only invoked conditionally.]])
fi])])
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -608,7 +608,7 @@
# Generate code to set up dependency tracking. -*- Autoconf -*-
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -647,7 +647,9 @@
done
if test $am_rc -ne 0; then
AC_MSG_FAILURE([Something went wrong bootstrapping makefile fragments
- for automatic dependency tracking. Try re-running configure with the
+ for automatic dependency tracking. If GNU make was not used, consider
+ re-running the configure script with MAKE="gmake" (or whatever is
+ necessary). You can also try re-running configure with the
'--disable-dependency-tracking' option to at least be able to build
the package (albeit without support for automatic dependency tracking).])
fi
@@ -674,7 +676,7 @@
# Do all the work for Automake. -*- Autoconf -*-
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -871,7 +873,7 @@
done
echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -892,7 +894,7 @@
fi
AC_SUBST([install_sh])])
-# Copyright (C) 2003-2018 Free Software Foundation, Inc.
+# Copyright (C) 2003-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -913,7 +915,7 @@
# Check to see how 'make' treats includes. -*- Autoconf -*-
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -956,7 +958,7 @@
# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-
-# Copyright (C) 1997-2018 Free Software Foundation, Inc.
+# Copyright (C) 1997-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -977,12 +979,7 @@
[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
AC_REQUIRE_AUX_FILE([missing])dnl
if test x"${MISSING+set}" != xset; then
- case $am_aux_dir in
- *\ * | *\ *)
- MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
- *)
- MISSING="\${SHELL} $am_aux_dir/missing" ;;
- esac
+ MISSING="\${SHELL} '$am_aux_dir/missing'"
fi
# Use eval to expand $SHELL
if eval "$MISSING --is-lightweight"; then
@@ -995,7 +992,7 @@
# Helper functions for option handling. -*- Autoconf -*-
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -1024,7 +1021,7 @@
AC_DEFUN([_AM_IF_OPTION],
[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -1071,7 +1068,7 @@
# For backward compatibility.
AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -1090,7 +1087,7 @@
# Check to make sure that the build environment is sane. -*- Autoconf -*-
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -1171,7 +1168,7 @@
rm -f conftest.file
])
-# Copyright (C) 2009-2018 Free Software Foundation, Inc.
+# Copyright (C) 2009-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -1231,7 +1228,7 @@
_AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl
])
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -1259,7 +1256,7 @@
INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
AC_SUBST([INSTALL_STRIP_PROGRAM])])
-# Copyright (C) 2006-2018 Free Software Foundation, Inc.
+# Copyright (C) 2006-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -1278,7 +1275,7 @@
# Check how to create a tarball. -*- Autoconf -*-
-# Copyright (C) 2004-2018 Free Software Foundation, Inc.
+# Copyright (C) 2004-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
Added: mod_cms_verify/trunk/test.sh
==============================================================================
--- mod_cms_verify/trunk/test.sh (added)
+++ mod_cms_verify/trunk/test.sh Tue Aug 17 23:13:28 2021
@@ -0,0 +1,163 @@
+#!/bin/sh
+#
+# Create a signing certificate issued by a subordinate CA; and the 2 levels of CA bove that.
+# Start up a webserver with a trival config.
+# Test a signed response from both a proxy and a local file.
+#
+set -e
+
+TMPDIR=${TMPDIR:-/tmp}
+CA_PREFIX=${CA_PREFIX:-${TMPDIR}/ca}
+CERT_PREFIX=${CERT_PREFIX:-${TMPDIR}/cert}
+CHAIN_PREFIX=${CHAIN_PREFIX:-${TMPDIR}/chain}
+EXTFILE=${EXTFILE:-${TMPDIR}/ext.cnf}
+OPENSSL=${OPENSSL:-openssl}
+HTTPD_EXTRA_CONF=${HTTPD_EXTRA_CONF:-${TMPDIR}/httpd-extra.conf}
+HTTPD=${HTTPD:-httpd}
+
+test -f "${EXTFILE}" || \
+cat > ${EXTFILE} <<EOM
+[ subca ]
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = CA:TRUE
+
+[ leaf ]
+nsComment = For testing only and no this is not the real thing. Duh.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = CA:FALSE
+EOM
+
+test -f "${CA_PREFIX}.key" || \
+ $OPENSSL req -x509 -new -nodes -extensions v3_ca \
+ -subj "/CN=CA $$" \
+ -out "${CA_PREFIX}.pem" \
+ -keyout "${CA_PREFIX}.key"
+
+test -f "${CA_PREFIX}-sub.key" || \
+ $OPENSSL req -new -nodes \
+ -keyout "${CA_PREFIX}-sub.key" \
+ -subj '/CN=Sub under CA' |\
+ $OPENSSL x509 -req \
+ -extfile "${EXTFILE}" -extensions subca \
+ -set_serial 1000 -out "${CA_PREFIX}-sub.pem" \
+ -CAkey "${CA_PREFIX}.key" -CA "${CA_PREFIX}.pem"
+
+test -f "${CA_PREFIX}-sub-sub.key" || \
+ $OPENSSL req -new -nodes \
+ -keyout "${CA_PREFIX}-sub-sub.key" \
+ -subj '/CN=Sub under CA Sub' |\
+ $OPENSSL x509 -req \
+ -extfile "${EXTFILE}" -extensions subca \
+ -set_serial 2000 \
+ -CAkey "${CA_PREFIX}-sub.key" -CA "${CA_PREFIX}-sub.pem" \
+ -out "${CA_PREFIX}-sub-sub.pem"
+
+test -f "${CERT_PREFIX}.key" || \
+ $OPENSSL req -new -nodes \
+ -keyout "${CERT_PREFIX}.key" \
+ -subj "/CN=Signing Party" | \
+ $OPENSSL x509 -req \
+ -extfile "${EXTFILE}" -extensions leaf \
+ -set_serial 3001 \
+ -CAkey "${CA_PREFIX}-sub-sub.key" -CA "${CA_PREFIX}-sub-sub.pem" \
+ -out "${CERT_PREFIX}.pem"
+
+# Remove the keys we do not need for this test.
+#
+rm "${CA_PREFIX}.key" "${CA_PREFIX}-sub.key" "${CA_PREFIX}-sub-sub.key"
+
+# Combine the key/cert as is common in the webserver world.
+#
+cat "${CERT_PREFIX}.key" "${CERT_PREFIX}.pem" > "${CERT_PREFIX}.crt"
+rm "${CERT_PREFIX}.key" "${CERT_PREFIX}.pem"
+
+# Create the _sub_ chain to include with teh signed payload.
+cat "${CA_PREFIX}-sub.pem" "${CA_PREFIX}-sub-sub.pem" > "${CA_PREFIX}-chain.pem"
+
+cat > "${HTTPD_EXTRA_CONF}" <<EOM
+
+LoadModule cms_verify_module "${PWD}/.libs/mod_cms_verify.so"
+
+<IfModule !cgi_module>
+LoadModule cgi_module lib/apache2/modules/mod_cgi.so
+</IfModule>
+
+<IfModule !rewrite_module>
+LoadModule rewrite_module lib/apache2/modules/mod_rewrite.so
+</IfModule>
+
+LogLevel Debug
+ErrorLog "${TMPDIR}/error_log"
+
+AddHandler cgi-script .cgi
+ScriptAlias /post-api /opt/local/www/apache2/cgi-bin/printenv
+
+<Location /post-api>
+ SetInputFilter cmsverify
+ CMSVerifyCertificate "${CA_PREFIX}.pem"
+
+ # ProxyPass https://127.0.0.1/cgi-bin/printenv
+
+ # Alias ... etc.
+</Location>
+EOM
+
+# Check config
+#
+"$HTTPD" -t -c "Include \"${HTTPD_EXTRA_CONF}\""
+
+# Start minimal server based on defaults.
+#
+"$HTTPD" -X -c "Include \"${HTTPD_EXTRA_CONF}\"" &
+HTTP_PID=$!
+echo Waiting for webserver to start.
+sleep 1
+
+tail -F "$TMPDIR/error_log" &
+TAIL_PID=$!
+
+echo
+echo
+echo Starting tests:
+
+echo 'field1=foo&field2=bar' > "$TMPDIR/payload.raw"
+
+# check that it works when we post plainly.
+#
+curl --silent -d "$TMPDIR/payload.raw" http://127.0.0.1:8080/cgi-bin/printenv > /dev/null
+
+# Now sign and post as PKCS#7
+#
+cat "$TMPDIR/payload.raw" |\
+ $OPENSSL cms -sign -signer "${CERT_PREFIX}.crt" -certfile "${CA_PREFIX}-chain.pem" -outform DER -nodetach -binary |\
+ curl --silent --data-binary @- http://127.0.0.1:8080/post-api
+
+# Prepare a JSON variation of the PKCS#7 file
+#
+$OPENSSL cms -sign -signer "${CERT_PREFIX}.crt" -certfile "${CA_PREFIX}-chain.pem" -outform DER -in "$TMPDIR/payload.raw" > "$TMPDIR/payload.sig"
+echo "{\"signature\":\"$(base64 "$TMPDIR/payload.sig")\",\"payload\":\"$(base64 "$TMPDIR/payload.raw")\"}" > "$TMPDIR/post.json"
+
+# Check generated JSON validity
+#
+cat "$TMPDIR/post.json" | jq > /dev/null
+
+# Try posting twice; once pretty printed and sorted/order changed.
+#
+curl -vvv --silent --data-binary "$TMPDIR/post.json" http://127.0.0.1:8080/post-api
+cat "$TMPDIR/post.json" | jq --sort-keys | curl -vvv --silent --data-binary @- http://127.0.0.1:8080/post-api
+
+echo
+echo
+echo Clenaup.
+kill ${HTTP_PID}
+sleep 1
+
+kill ${TAIL_PID}
+
+rm "${CA_PREFIX}-chain.pem" "${HTTPD_EXTRA_CONF}" "${CA_PREFIX}.pem" "${CA_PREFIX}-sub.pem" "${CA_PREFIX}-sub-sub.pem" "${EXTFILE}" "${CERT_PREFIX}.crt" "$TMPDIR/payload.sig" "$TMPDIR/payload.raw" "${TMPDIR}/error_log" "$TMPDIR/post.json"
+
+echo All was well.
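Review bot: The signer's unencrypted key ends up in `${CERT_PREFIX}.crt`, written by a plain `cat … >` under the default umask at a fixed name directly under `${TMPDIR:-/tmp}`, and the `test -f … ||` guards reuse whatever `ext.cnf` or `*.key` already sits at those predictable paths, so on a shared host the test material can be read or pre-seeded by another local user. With `set -e`, any failing step also skips the final `kill`/`rm`, leaving httpd, tail and the key files behind. I would run everything in a private `mktemp -d` directory under `umask 077` and move the cleanup into an `EXIT` trap, as sketched below. Separately, `curl -d "$TMPDIR/payload.raw"` and `curl --data-binary "$TMPDIR/post.json"` post the path string rather than the file because the `@` prefix is missing, and no curl call uses `--fail` or inspects the response, so `All was well.` is printed even when the module rejects the signature.

```shell
set -e
umask 077

# Private per-run directory instead of fixed names directly under /tmp.
TMPDIR=$(mktemp -d "${TMPDIR:-/tmp}/cms-verify-test.XXXXXX")
HTTP_PID=
TAIL_PID=

cleanup() {
    if [ -n "${HTTP_PID}" ]; then kill "${HTTP_PID}" 2>/dev/null || true; fi
    if [ -n "${TAIL_PID}" ]; then kill "${TAIL_PID}" 2>/dev/null || true; fi
    rm -rf "${TMPDIR}"
}
trap cleanup EXIT

# … unchanged: CA_PREFIX, CERT_PREFIX and the other defaults derived from ${TMPDIR} …
# … unchanged: certificate generation, httpd start, curl tests …
# (the explicit kill/rm lines at the end are then covered by the trap)
```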
Propchange: mod_cms_verify/trunk/test.sh
------------------------------------------------------------------------------
svn:executable = *