From: Charles-Henri Bruyand Date: Wed, 24 Nov 2021 10:29:51 +0000 (+0100) Subject: dnsdist: add pkcs12 file regression tests X-Git-Tag: auth-4.7.0-alpha1~115^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ac115051f85abdf4afc387d7950eaa045175956;p=thirdparty%2Fpdns.git dnsdist: add pkcs12 file regression tests
---
diff --git a/regression-tests.dnsdist/dnsdisttests.py b/regression-tests.dnsdist/dnsdisttests.py
index 011bae3bbf..99b1cecf78 100644
--- a/regression-tests.dnsdist/dnsdisttests.py
+++ b/regression-tests.dnsdist/dnsdisttests.py
@@ -801,6 +801,14 @@ class DNSDistTest(AssertEqualDNSMessageMixin, unittest.TestCase):
 with open(inFileName) as inFile:
 outFile.write(inFile.read())
+ cmd = ['openssl', 'pkcs12', '-export', '-passout', 'pass:passw0rd', '-clcerts', '-in', 'server.pem', '-CAfile', 'ca.pem', '-inkey', 'server.key', '-out', 'server.p12']
+ output = None
+ try:
+ process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
+ output = process.communicate(input='')
+ except subprocess.CalledProcessError as exc:
+ raise AssertionError('openssl pkcs12 failed (%d): %s' % (exc.returncode, exc.output))
+
 def checkMessageProxyProtocol(self, receivedProxyPayload, source, destination, isTCP, values=[], v6=False, sourcePort=None, destinationPort=None):
 proxy = ProxyProtocol()
 self.assertTrue(proxy.parseHeader(receivedProxyPayload))
diff --git a/regression-tests.dnsdist/runtests b/regression-tests.dnsdist/runtests
index a1d63945e5..2a6799b282 100755
--- a/regression-tests.dnsdist/runtests
+++ b/regression-tests.dnsdist/runtests
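Review bot: A failing `openssl pkcs12` run goes unnoticed in the added block: `subprocess.Popen` and `communicate()` never raise `subprocess.CalledProcessError` (only `check_call`/`check_output`/`run(check=True)` do), so the `except` branch is dead and a non-zero exit leaves `server.p12` missing or truncated for a later test to trip over with an unrelated error. After the `communicate()` call, test the exit status directly and drop the `except`, e.g. `if process.returncode != 0: raise AssertionError('openssl pkcs12 failed (%d): %s' % (process.returncode, output[0]))`, where `output[0]` is the merged stdout/stderr returned by `communicate()` given `stderr=subprocess.STDOUT`. `input=''` hands a `str` to a binary-mode pipe and only works because an empty input is never written; `input=b''` or `stdin=subprocess.DEVNULL` says what is meant. The same command is also added to `runtests` in the following hunk, so the fixture is generated twice with the same literal `pass:passw0rd`, and one of the two places could be dropped to keep them from drifting. The enclosing method starts outside the hunk.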
@@ -48,6 +48,8 @@ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -con
 openssl x509 -req -days 1 -CA ca.pem -CAkey ca.key -CAcreateserial -in server.csr -out server.pem -extfile configServer.conf -extensions v3_req
 # Generate a chain
 cat server.pem ca.pem > server.chain
+# Generate a password-protected PKCS12 file
+openssl pkcs12 -export -passout pass:passw0rd -clcerts -in server.pem -CAfile ca.pem -inkey server.key -out server.p12
 out=$(mktemp)
 set -o pipefail
diff --git a/regression-tests.dnsdist/test_DOH.py b/regression-tests.dnsdist/test_DOH.py
index 1685065fc2..ee99e21d56 100644
--- a/regression-tests.dnsdist/test_DOH.py
+++ b/regression-tests.dnsdist/test_DOH.py
@@ -1384,3 +1384,40 @@ class TestProtocols(DNSDistDOHTest):
 self.assertEqual(expectedQuery, receivedQuery)
 self.checkQueryEDNSWithoutECS(expectedQuery, receivedQuery)
 self.assertEqual(response, receivedResponse)
+
+class TestDOHWithPCKS12Cert(DNSDistDOHTest):
+ _serverCert = 'server.p12'
+ _pkcs12Password = 'passw0rd'
+ _serverName = 'tls.tests.dnsdist.org'
+ _caCert = 'ca.pem'
+ _dohServerPort = 8443
+ _dohBaseURL = ("https://%s:%d/" % (_serverName, _dohServerPort))
+ _config_template = """
+ newServer{address="127.0.0.1:%s"}
+ cert=newTLSCertificate("%s", {password="%s"})
+ addDOHLocal("127.0.0.1:%s", cert, "", { "/" })
+ """
+ _config_params = ['_testServerPort', '_serverCert', '_pkcs12Password', '_dohServerPort']
+
+ def testProtocolDOH(self):
+ """
+ DoH: Test Simple DOH Query with a password protected PCKS12 file configured
+ """
+ name = 'simple.doh.tests.powerdns.com.'
+ query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
+ query.id = 0
+ expectedQuery = dns.message.make_query(name, 'A', 'IN', use_edns=True, payload=4096)
+ expectedQuery.id = 0
+ response = dns.message.make_response(query)
+ rrset = dns.rrset.from_text(name,
+ 3600,
+ dns.rdataclass.IN,
+ dns.rdatatype.A,
+ '127.0.0.1')
+ response.answer.append(rrset)
+
+ (receivedQuery, receivedResponse) = self.sendDOHQuery(self._dohServerPort, self._serverName, self._dohBaseURL, query, response=response, caFile=self._caCert)
+ self.assertTrue(receivedQuery)
+ self.assertTrue(receivedResponse)
+ receivedQuery.id = expectedQuery.id
+ self.assertEqual(expectedQuery, receivedQuery)
diff --git a/regression-tests.dnsdist/test_TLS.py b/regression-tests.dnsdist/test_TLS.py
index 4b850bac8e..5f893d1a97 100644
--- a/regression-tests.dnsdist/test_TLS.py
+++ b/regression-tests.dnsdist/test_TLS.py
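Review bot: The new `testProtocolDOH` never compares the answer it got back: the sibling test in the context lines ends with `self.assertEqual(response, receivedResponse)`, whereas this one stops at `self.assertEqual(expectedQuery, receivedQuery)`, so a listener that loaded the PKCS12 file but answered with a different or empty response would still pass. Append `self.assertEqual(response, receivedResponse)` as the last line, and `self.checkQueryEDNSWithoutECS(expectedQuery, receivedQuery)` as well if the sibling's EDNS check is meant to apply here too. The class name and docstring spell the format `PCKS12`; `TestDOHWithPKCS12Cert` and "password protected PKCS12 file" would match the standard's name and the `_pkcs12Password` attribute. That attribute is `_pkcs12Password` here but `_pkcsPassphrase` in the `test_TLS.py` hunk for the same fixture value; one name in both classes would make the two tests easier to read side by side.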
@@ -461,3 +461,21 @@ class TestProtocols(DNSDistTest):
 receivedQuery.id = query.id
 self.assertEqual(query, receivedQuery)
 self.assertEqual(response, receivedResponse)
+
+class TestPKCSTLSCertificate(DNSDistTest, TLSTests):
+ _consoleKey = DNSDistTest.generateConsoleKey()
+ _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
+ _serverCert = 'server.p12'
+ _pkcsPassphrase = 'passw0rd'
+ _serverName = 'tls.tests.dnsdist.org'
+ _caCert = 'ca.pem'
+ _tlsServerPort = 8453
+ _config_template = """
+ setKey("%s")
+ controlSocket("127.0.0.1:%s")
+ newServer{address="127.0.0.1:%s"}
+ cert=newTLSCertificate("%s", {password="%s"})
+ addTLSLocal("127.0.0.1:%s", cert, "", { provider="openssl" })
+ addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
+ """
+ _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_serverCert', '_pkcsPassphrase', '_tlsServerPort']
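Review bot: The template in `TestPKCSTLSCertificate` pins `provider="openssl"` on the `addTLSLocal` line, so the password-protected PKCS12 path is only exercised for the OpenSSL provider; if `newTLSCertificate(..., {password=...})` is also expected to work with the GnuTLS provider, a second class with `provider="gnutls"` (the pattern other TLS classes in this file seem to follow, which cannot be confirmed from the hunk) would cover it, and if it is deliberately OpenSSL-only a short comment on the class saying so would save the next reader the question. `_config_params` lists `_consolePort`, which is not set in the class body; presumably it is inherited from `DNSDistTest`, as `_consoleKey` is obtained from there, but that is inferred. The class carries no docstring; something like `"""TLS with a password-protected PKCS12 certificate file, OpenSSL provider."""` would make the purpose explicit.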