From 2d07334c9b4e8bf06af5c4fc046984f26b4167ac Mon Sep 17 00:00:00 2001 From: luke Date: Mon, 18 Jun 2007 19:51:17 +0000 Subject: Modifying the CA server so that it will not send back a cert whose public key does not match the csr. We have been getting a lot of instances of this, so this should cut down that problem. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2612 980ebf18-57e1-0310-9a29-db15c13687c0 --- test/network/handler/ca.rb | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'test/network/handler') diff --git a/test/network/handler/ca.rb b/test/network/handler/ca.rb index fe2fdbd2e..3c89f597b 100755 --- a/test/network/handler/ca.rb +++ b/test/network/handler/ca.rb @@ -229,6 +229,40 @@ class TestCA < Test::Unit::TestCase # And try a different host assert(! caserv.autosign?("other.yay.com"), "Host was autosigned") end + + # Make sure that a CSR created with keys that don't match the existing + # cert throws an exception on the server. + def test_mismatched_public_keys_throws_exception + ca = Puppet::Network::Handler.ca.new() + + # First initialize the server + client = Puppet::Network::Client.ca.new :CA => ca + client.request_cert + File.unlink(Puppet[:hostcsr]) + + # Now use a different cert name + Puppet[:certname] = "my.host.com" + client = Puppet::Network::Client.ca.new :CA => ca + firstcsr = client.csr + File.unlink(Puppet[:hostcsr]) if FileTest.exists?(Puppet[:hostcsr]) + + assert_nothing_raised("Could not get cert") do + ca.getcert(firstcsr.to_s) + end + + # Now get rid of the public key, forcing a new csr + File.unlink(Puppet[:hostprivkey]) + + client = Puppet::Network::Client.ca.new :CA => ca + + second_csr = client.csr + + assert(firstcsr.to_s != second_csr.to_s, "CSR did not change") + + assert_raise(Puppet::Error, "CA allowed mismatched keys") do + ca.getcert(second_csr.to_s) + end + end end # $Id$ -- cgit