author | Peter Eisentraut | 2018-02-26 18:28:38 +0000 |
---|---|---|
committer | Peter Eisentraut | 2018-03-17 12:28:51 +0000 |
commit | 8a3d9425290ff5f6434990349886afae9e1c6008 (patch) | |
tree | 47dd8b09381f019eba35cd060d8af8f93af44c01 /src/test | |
parent | 7a50bb690b4837d29e715293c156cff2fc72885c (diff) |
Add ssl_passphrase_command setting
This allows specifying an external command for prompting for or
otherwise obtaining passphrases for SSL key files. This is useful
because in many cases there is no TTY easily available during service
startup.
Also add a setting ssl_passphrase_command_supports_reload, which allows
supporting SSL configuration reload even if SSL files need passphrases.
Reviewed-by: Daniel Gustafsson <[email protected]>
Diffstat (limited to 'src/test')
-rw-r--r-- | src/test/ssl/Makefile | 5 | ||||
-rw-r--r-- | src/test/ssl/README | 3 | ||||
-rw-r--r-- | src/test/ssl/ssl/server-password.key | 18 | ||||
-rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 35 |
4 files changed, 56 insertions, 5 deletions
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 5cd2c5a404e..df477f1d401 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -22,6 +22,7 @@ CERTIFICATES := server_ca server-cn-and-alt-names \
 	root_ca
 SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
+	ssl/server-password.key \
 	ssl/client.crl ssl/server.crl ssl/root.crl \
 	ssl/both-cas-1.crt ssl/both-cas-2.crt \
 	ssl/root+server_ca.crt ssl/root+server.crl \
@@ -71,6 +72,10 @@ ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.
 	openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt -extensions v3_req -extfile server-cn-only.config
 	rm ssl/server-ss.csr
+# Password-protected version of server-cn-only.key
+ssl/server-password.key: ssl/server-cn-only.key
+	openssl rsa -des -in $< -out $@ -passout 'pass:secret1'
+
 # Client certificate, signed by the client CA:
 ssl/client.crt: ssl/client.key ssl/client_ca.crt
 	openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
diff --git a/src/test/ssl/README b/src/test/ssl/README
index 0be06e755cf..5e8bf641ba4 100644
--- a/src/test/ssl/README
+++ b/src/test/ssl/README
@@ -48,6 +48,9 @@ server-no-names
 server-ss
     same as server-cn-only, but self-signed.
+server-password
+    same as server-cn-only, but password-protected.
+
 client
     a client certificate, for user "ssltestuser". Signed by client_ca.
diff --git a/src/test/ssl/ssl/server-password.key b/src/test/ssl/ssl/server-password.key
new file mode 100644
index 00000000000..adcd38ab882
--- /dev/null
+++ b/src/test/ssl/ssl/server-password.key
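Review bot: The new `ssl/server-password.key` rule encrypts the fixture with `openssl rsa -des`, i.e. single DES-CBC (the committed key's `DEK-Info: DES-CBC` header agrees), a cipher that newer OpenSSL releases treat as legacy and may refuse by default, so regenerating the fixture from this Makefile could fail on such builds even though the checked-in key still works. `openssl rsa` accepts `-aes128` and `-aes256` in the same position, so `openssl rsa -aes128 -in $< -out $@ -passout 'pass:secret1'` keeps the rule portable without changing the test. The passphrase `secret1` is also spelled out a second time in `t/001_ssltests.pl`; a comment next to the rule, `# The passphrase must match ssl_passphrase_command in t/001_ssltests.pl`, would keep the two from drifting apart.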
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-CBC,2FAEFD1C1B2C881C
+
+PGi9r3pm05iUwz5QbZik+ZNu0fHNaX8LJFZqpOhg0TV38csLtQ2PRjZ0Q/diBlVT
+SD8JJnIvwPoIWXyMMTax/krFL0CpbFqgAzD4CEgfWxGNhwnMD1DkNaYp/UF/NfuF
+7TqXomUlcH/pVaZlu7G0wrIo5rnjef70I7GEY2vwT5adSLsUBAgrs/u3MAAx/Wh4
+PkVxZELmyiH/8MdIevodjRcJrgIzRheEph39eHrWKgWeSbO0DEQK91vv3prICwo2
+w2iU0Zohf92QuquA2MKZWruCHb4A4HusUZf3Zc14Yueu/HyztSrHmFeBp0amlWep
+/o6mx274XVj7IpanOPPM4qEhrF97LHdaSEPn9HwxvvV4GFJDNCVEBl4zuaHo0N8C
+85GPazIxUWB3CB9PrtXduxeI22lwrIiUdmzA68EXHD7Wg8R90397MNMOomLgfNcu
+rXarrTXmTNgOa20hc1Ue5AXg9fVS9V/5GP4Dn9SX/CdaE1rz0b73N/ViQzVrS9Ne
+n04qYPbnf+MQmFWnzMXctZbYG6jDCbuGFIGP4i/LG+wOE8Rntu8Re9re+HANu5VJ
+Ht20wYOGZIpNwo4YenxvPeTTlbB0Qcma2lnw2bt19owpNQVIeTnRQXxZs3/Y3a+A
++/B8VvIkQ0u0EpnSVLBetEmJqtOQvBz7c4Z+0Cl+DL1bTqrDn54MxUBap6dgU+/1
+R6pxx1F0ZTtQauVmO8n3rWKwOGG5NeMhf4iId2JWpw39VtRk8LNtnGUbUAbL5znY
+rkUVyJstQg6U6kNTgDWQ1nBxCzlRz2xpHyghnyxLkMpW5ECpmwwLDQ==
+-----END RSA PRIVATE KEY-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 34df5e9dbb7..91feac613eb 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -8,7 +8,7 @@ use File::Copy;
 if ($ENV{with_openssl} eq 'yes')
 {
-	plan tests => 62;
+	plan tests => 64;
 }
 else
 {
@@ -38,7 +38,7 @@ chmod 0600, "ssl/client-revoked_tmp.key";
 copy("ssl/client.key", "ssl/client_wrongperms_tmp.key");
 chmod 0644, "ssl/client_wrongperms_tmp.key";
-#### Part 0. Set up the server.
+#### Set up the server.
 note "setting up data directory";
 my $node = get_new_node('master');
@@ -50,9 +50,32 @@ $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
 configure_test_server_for_ssl($node, $SERVERHOSTADDR, 'trust');
-switch_server_cert($node, 'server-cn-only');
-### Part 1. Run client-side tests.
+note "testing password-protected keys";
+
+open my $sslconf, '>', $node->data_dir."/sslconfig.conf";
+print $sslconf "ssl=on\n";
+print $sslconf "ssl_cert_file='server-cn-only.crt'\n";
+print $sslconf "ssl_key_file='server-password.key'\n";
+print $sslconf "ssl_passphrase_command='echo wrongpassword'\n";
+close $sslconf;
+
+command_fails(['pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart'], 'restart fails with password-protected key file with wrong password');
+$node->_update_pid(0);
+
+open $sslconf, '>', $node->data_dir."/sslconfig.conf";
+print $sslconf "ssl=on\n";
+print $sslconf "ssl_cert_file='server-cn-only.crt'\n";
+print $sslconf "ssl_key_file='server-password.key'\n";
+print $sslconf "ssl_passphrase_command='echo secret1'\n";
+close $sslconf;
+
+command_ok(['pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart'], 'restart succeeds with password-protected key file');
+$node->_update_pid(1);
+
+### Run client-side tests.
 ###
 ### Test that libpq accepts/rejects the connection correctly, depending
 ### on sslmode and whether the server's certificate looks correct. No
@@ -60,6 +83,8 @@ switch_server_cert($node, 'server-cn-only');
 note "running client tests";
+switch_server_cert($node, 'server-cn-only');
+
 $common_connstr = "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
@@ -235,7 +260,7 @@ test_connect_fails($common_connstr, qr/SSL error/,
 "does not connect with client-side CRL");
-### Part 2. Server-side tests.
+### Server-side tests.
 ###
 ### Test certificate authorization. |
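Review bot: Both `open my $sslconf, '>', $node->data_dir."/sslconfig.conf";` stanzas in the first hunk and their `close $sslconf;` calls are unchecked, so if the open fails the prints go to an unopened handle, the previous sslconfig.conf stays in place, and the `command_fails`/`command_ok` restart assertions then fail (or pass) for a reason unrelated to passphrase handling. Checking both, `open my $sslconf, '>', $node->data_dir."/sslconfig.conf" or die "open sslconfig.conf: $!";` and `close $sslconf or die "close sslconfig.conf: $!";`, turns that into a clear setup error; since the two stanzas differ only in the `ssl_passphrase_command` line, a small helper taking that string would also remove the duplication. `$node->_update_pid(0)` and `$node->_update_pid(1)` call what the leading underscore suggests is a private PostgresNode method, presumably because a failing `pg_ctl restart` has to be observed rather than allowed to die as `$node->restart` would; a one-line comment saying so, `# Drive pg_ctl directly so a failed restart can be asserted on; keep the node's pid bookkeeping in sync`, would spare the next reader the guess.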