authorLuke Kanies <luke@madstop.com>2009-02-27 17:52:01 -0600
committerJames Turnbull <james@lovedthanlost.net>2009-02-28 11:09:11 +1100
commit09bee9137d7a6415609a8abfdf727ee0361139e0 (patch)
treeb3adb6eec8c8cca1c1a3085193855dacc361bd00 /spec/unit/ssl
parentcf1cb1474f13ae2fc4ec27142fd34d494826c929 (diff)
downloadpuppet-09bee9137d7a6415609a8abfdf727ee0361139e0.tar.gz
puppet-09bee9137d7a6415609a8abfdf727ee0361139e0.tar.xz
puppet-09bee9137d7a6415609a8abfdf727ee0361139e0.zip
Fixing #2028 - Better failures when a cert is found with no key
The problem was that the server had a certificate for the client. Initially the client just didn't have a key, because it assumed that if it had a certificate then it had a key. Upon fixing it to create the key, the key then did not match the found certificate. This commit fixes both of those: the key is always found before the certificate, and when the certificate is found it is verified against the private key, and an exception is thrown if they don't match. It's always a failure, so this just makes the failure more informative. Signed-off-by: Luke Kanies <luke@madstop.com>
Diffstat (limited to 'spec/unit/ssl')
-rwxr-xr-xspec/unit/ssl/host.rb78
1 files changed, 77 insertions, 1 deletions
diff --git a/spec/unit/ssl/host.rb b/spec/unit/ssl/host.rb
index 646f7b55b..e4140f44c 100755
--- a/spec/unit/ssl/host.rb
+++ b/spec/unit/ssl/host.rb
@@ -90,6 +90,55 @@ describe Puppet::SSL::Host do
Puppet::SSL::Host.localhost.should equal(two)
end
+ it "should be able to verify its certificate matches its key" do
+ Puppet::SSL::Host.new("foo").should respond_to(:certificate_matches_key?)
+ end
+
+ it "should consider the certificate invalid if it cannot find a key" do
+ host = Puppet::SSL::Host.new("foo")
+ host.expects(:key).returns nil
+
+ host.should_not be_certificate_matches_key
+ end
+
+ it "should consider the certificate invalid if it cannot find a certificate" do
+ host = Puppet::SSL::Host.new("foo")
+ host.expects(:key).returns mock("key")
+ host.expects(:certificate).returns nil
+
+ host.should_not be_certificate_matches_key
+ end
+
+ it "should consider the certificate invalid if the SSL certificate's key verification fails" do
+ host = Puppet::SSL::Host.new("foo")
+
+ key = mock 'key', :content => "private_key"
+ sslcert = mock 'sslcert'
+ certificate = mock 'cert', :content => sslcert
+
+ host.stubs(:key).returns key
+ host.stubs(:certificate).returns certificate
+
+ sslcert.expects(:check_private_key).with("private_key").returns false
+
+ host.should_not be_certificate_matches_key
+ end
+
+ it "should consider the certificate valid if the SSL certificate's key verification succeeds" do
+ host = Puppet::SSL::Host.new("foo")
+
+ key = mock 'key', :content => "private_key"
+ sslcert = mock 'sslcert'
+ certificate = mock 'cert', :content => sslcert
+
+ host.stubs(:key).returns key
+ host.stubs(:certificate).returns certificate
+
+ sslcert.expects(:check_private_key).with("private_key").returns true
+
+ host.should be_certificate_matches_key
+ end
+
describe "when specifying the CA location" do
before do
[Puppet::SSL::Key, Puppet::SSL::Certificate, Puppet::SSL::CertificateRequest, Puppet::SSL::CertificateRevocationList].each do |klass|
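Review bot: The two key-verification examples at lines 46–74 build the same key/sslcert/certificate mock graph and the same `host.stubs(:key)`/`host.stubs(:certificate)` wiring, differing only in the `check_private_key` return value and the final matcher. Moving that setup into a nested `describe "when verifying the certificate against the key"` with a `before` block would leave each example as its single `sslcert.expects(:check_private_key).with("private_key").returns …` line plus the assertion, which makes it visible that the only thing under test is the boolean outcome of the OpenSSL check. The enclosing `describe Puppet::SSL::Host` block starts outside the hunk.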
@@ -360,6 +409,9 @@ describe Puppet::SSL::Host do
before do
@realcert = mock 'certificate'
@cert = stub 'cert', :content => @realcert
+
+ @host.stubs(:key).returns mock("key")
+ @host.stubs(:certificate_matches_key?).returns true
end
it "should find the CA certificate if it does not have a certificate" do
@@ -384,6 +436,22 @@ describe Puppet::SSL::Host do
@host.certificate.should be_nil
end
+ it "should find the key if it does not have one" do
+ Puppet::SSL::Certificate.stubs(:find)
+ @host.expects(:key).returns mock("key")
+
+ @host.certificate
+ end
+
+ it "should generate the key if one cannot be found" do
+ Puppet::SSL::Certificate.stubs(:find)
+
+ @host.expects(:key).returns nil
+ @host.expects(:generate_key)
+
+ @host.certificate
+ end
+
it "should find the certificate in the Certificate class and return the Puppet certificate instance" do
Puppet::SSL::Certificate.expects(:find).with("ca").returns mock("cacert")
Puppet::SSL::Certificate.expects(:find).with("myname").returns @cert
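Review bot: The example at lines 91–96 does not pin the ordering the commit message promises (key looked up before the certificate): with `Puppet::SSL::Certificate.stubs(:find)` returning nil and the result of `@host.certificate` discarded, it passes even if the certificate lookup ran first. A mocha sequence turns the order into an assertion, e.g. `seq = sequence('lookup')`, `@host.expects(:key).in_sequence(seq).returns mock("key")`, `Puppet::SSL::Certificate.expects(:find).in_sequence(seq)`. The same applies to the generate-key example at lines 98–105, where `generate_key` should likewise be sequenced before the find. The enclosing describe block and the `@host` fixture are defined outside the hunk.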
@@ -391,6 +459,14 @@ describe Puppet::SSL::Host do
@host.certificate.should equal(@cert)
end
+ it "should fail if the found certificate does not match the private key" do
+ @host.expects(:certificate_matches_key?).returns false
+
+ Puppet::SSL::Certificate.stubs(:find).returns @cert
+
+ lambda { @host.certificate }.should raise_error(Puppet::Error)
+ end
+
it "should return any previously found certificate" do
Puppet::SSL::Certificate.expects(:find).with("ca").returns mock("cacert")
Puppet::SSL::Certificate.expects(:find).with("myname").returns(@cert).once
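Review bot: The mismatch example at lines 113–119 only checks that `Puppet::Error` is raised; it does not check that the rejected certificate is discarded, so an implementation that caches the found certificate before calling `certificate_matches_key?` would pass this spec and still hand the mismatched certificate back on the next `@host.certificate` call (caching is exactly what the "previously found certificate" example below relies on). If the implementation keeps the certificate in an instance variable, add an assertion after the `raise_error` line that it is still unset, or call `@host.certificate` a second time with the find stub returning nil and assert the result is nil — which form fits depends on the implementation, which is outside this hunk. Since the commit's stated goal is a more informative failure, a message matcher such as `raise_error(Puppet::Error, /EXPECTED-MESSAGE-FRAGMENT/)` (placeholder) would also pin the wording.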
@@ -468,7 +544,7 @@ describe Puppet::SSL::Host do
end
it "should generate a key if one is not present" do
- @host.expects(:key).returns nil
+ @host.stubs(:key).returns nil
@host.expects(:generate_key)
@host.generate