Merge pull request os-autoinst#20463 from ilmanzo/poo161039_gnutls_cr…

…yptopolicies Introduce test for gnutls crypto_policies
alvarocarvajald · Oct 23, 2024 · 7732689 · 7732689
2 parents 610825d + 869540c
commit 7732689
Showing 1 changed file with 43 additions and 0 deletions.
diff --git a/tests/security/crypto_policies/crypto_policies_tests.pm b/tests/security/crypto_policies/crypto_policies_tests.pm
@@ -19,6 +19,7 @@ sub run {
     my @services = qw{sshd named};
     select_serial_terminal;
     setup_bind();
+    setup_gnutls();
     foreach my $s (@services) {
         systemctl "enable --now $s.service";
     }
@@ -29,6 +30,7 @@ sub run {
             validate_script_output "systemctl status $s.service", sub { m/active \(running\)/ };
         }
         ensure_bind_is_working();
+        ensure_gnutls_is_working();
     }
 }
 
@@ -49,6 +51,47 @@ sub ensure_bind_is_working {
     validate_script_output 'host foobar.example.com localhost', sub { m /foobar.example.com has address 1.2.3.4/ };
 }
 
+sub setup_gnutls {
+    zypper_call 'in gnutls';
+}
+
+sub ensure_gnutls_is_working {
+    # generate a CA, and a server certificate
+    my $ca_key_file = 'x509-ca-key.pem';
+    my $ca_cert_file = 'x509-ca.pem';
+    my $srv_key_file = 'x509-server-key.pem';
+    my $srv_cert_file = 'x509-server.pem';
+    my $ca_template_file = 'ca.tmpl';
+    my $srv_template_file = 'server.tmpl';
+    my $srv_log_file = 'gnutls-serv.log';
+    assert_script_run $_ for (
+        "certtool --generate-privkey > $ca_key_file",
+        "echo 'cn = GnuTLS test CA' > $ca_template_file",
+        "echo 'ca' >> $ca_template_file",
+        "echo 'cert_signing_key' >> $ca_template_file",
+        "certtool --generate-self-signed --load-privkey $ca_key_file --template $ca_template_file --outfile $ca_cert_file",
+        "certtool --generate-privkey > $srv_key_file",
+        "echo 'organization = GnuTLS test server' > $srv_template_file",
+        "echo 'cn = localhost' >> $srv_template_file",
+        "echo 'tls_www_server' >> $srv_template_file",
+        "echo 'encryption_key' >> $srv_template_file",
+        "echo 'signing_key' >> $srv_template_file",
+        "certtool --generate-certificate --load-privkey $srv_key_file \\
+        --load-ca-certificate $ca_cert_file --load-ca-privkey $ca_key_file \\
+        --template $srv_template_file --outfile $srv_cert_file"
+    );
+    # spin up a server on localhost (5556 = default port) and wait for the server to be active
+    my $pid = background_script_run "gnutls-serv -p 5556 --echo --x509cafile $ca_cert_file \\
+      --x509keyfile $srv_key_file --x509certfile $srv_cert_file > $srv_log_file 2>&1";
+    script_retry "grep 'Echo Server listening' $srv_log_file";
+    # use the client to test the TLS connection
+    validate_script_output_retry "echo helloSUSE | gnutls-cli -p 5556 localhost --x509cafile=$ca_cert_file",
+      sub { m/Status: The certificate is trusted.*Handshake was completed.*helloSUSE/s };
+    # stop the server and cleanup
+    assert_script_run "kill $pid";
+    assert_script_run "rm $ca_key_file $ca_cert_file $ca_template_file $srv_key_file $srv_cert_file $srv_template_file";
+}
+
 sub set_policy {
     my ($self, $policy) = @_;
     assert_script_run "update-crypto-policies --set $policy";