From 0a48d7a4c4ba115260afc1329dca7358ef64bb79 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Tue, 16 Jan 2024 22:55:02 +0100 Subject: [PATCH] Change how Pi-hole generates from self-signing our certificate to first creating a self-signed root certificate authority (CA) and then using this CA to ordinarily sign the server's certificate. This has the advantage of being able to import the CA in places where importing a self-signed certificate is discouraged or not possible (e.g. Firefox browser) Signed-off-by: DL6ER --- src/webserver/x509.c | 235 +++++++++++++++++++++++++------------------ test/test.crt | 22 ++-- test/test.pem | 31 +++--- test/test_ca.crt | 13 +++ test/test_suite.bats | 87 ++++++++-------- 5 files changed, 222 insertions(+), 166 deletions(-) create mode 100644 test/test_ca.crt diff --git a/src/webserver/x509.c b/src/webserver/x509.c index 432c17b5a..7c2a3d82d 100644 --- a/src/webserver/x509.c +++ b/src/webserver/x509.c @@ -78,21 +78,81 @@ static int generate_private_key_ec(mbedtls_pk_context *key, return 0; } +// Write a key and/or certificate to a file +static bool write_to_file(const char *filename, const char *type, const char *suffix, const char *cert, const char *key) +{ + // Create file with CA certificate only + char *targetname = calloc(strlen(filename) + (suffix != NULL ? strlen(suffix) : 0) + 1, sizeof(char)); + strcpy(targetname, filename); + + if(suffix != NULL) + { + // If the certificate file name ends with ".pem", replace it + // with the specified suffix. Otherwise, append the specified + // suffix to the certificate file name + if (strlen(targetname) > 4 && strcmp(targetname + strlen(targetname) - 4, ".pem") == 0) + targetname[strlen(filename) - 4] = '\0'; + + strcat(targetname, suffix); + } + + printf("Storing %s in %s ...\n", type, targetname); + FILE *f = NULL; + if ((f = fopen(targetname, "wb")) == NULL) + { + printf("ERROR: Could not open %s for writing\n", targetname); + return false; + } + + // Write key (if provided) + if(key != NULL) + { + const size_t olen = strlen((char *) key); + if (fwrite(key, 1, olen, f) != olen) + { + printf("ERROR: Could not write key to %s\n", targetname); + fclose(f); + return false; + } + } + + // Write certificate (if provided) + if(cert != NULL) + { + const size_t olen = strlen((char *) cert); + if (fwrite(cert, 1, olen, f) != olen) + { + printf("ERROR: Could not write certificate to %s\n", targetname); + fclose(f); + return false; + } + } + + // Close cert file + fclose(f); + free(targetname); + + return true; +} + bool generate_certificate(const char* certfile, bool rsa, const char *domain) { int ret; - mbedtls_x509write_cert crt; - mbedtls_pk_context key; + mbedtls_x509write_cert ca_cert, server_cert; + mbedtls_pk_context ca_key, server_key; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; const char *pers = "pihole-FTL"; + unsigned char ca_buffer[BUFFER_SIZE]; unsigned char cert_buffer[BUFFER_SIZE]; unsigned char key_buffer[BUFFER_SIZE]; - size_t olen = 0; + unsigned char ca_key_buffer[BUFFER_SIZE]; // Initialize structures - mbedtls_x509write_crt_init(&crt); - mbedtls_pk_init(&key); + mbedtls_x509write_crt_init(&ca_cert); + mbedtls_x509write_crt_init(&server_cert); + mbedtls_pk_init(&ca_key); + mbedtls_pk_init(&server_key); mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_entropy_init(&entropy); @@ -110,7 +170,12 @@ bool generate_certificate(const char* certfile, bool rsa, const char *domain) { // Generate RSA key printf("Generating RSA key...\n"); - if((ret = generate_private_key_rsa(&key, &ctr_drbg, key_buffer)) != 0) + if((ret = generate_private_key_rsa(&ca_key, &ctr_drbg, ca_key_buffer)) != 0) + { + printf("ERROR: generate_private_key returned %d\n", ret); + return false; + } + if((ret = generate_private_key_rsa(&server_key, &ctr_drbg, key_buffer)) != 0) { printf("ERROR: generate_private_key returned %d\n", ret); return false; @@ -120,7 +185,12 @@ bool generate_certificate(const char* certfile, bool rsa, const char *domain) { // Generate EC key printf("Generating EC key...\n"); - if((ret = generate_private_key_ec(&key, &ctr_drbg, key_buffer)) != 0) + if((ret = generate_private_key_ec(&ca_key, &ctr_drbg, ca_key_buffer)) != 0) + { + printf("ERROR: generate_private_key_ec returned %d\n", ret); + return false; + } + if((ret = generate_private_key_ec(&server_key, &ctr_drbg, key_buffer)) != 0) { printf("ERROR: generate_private_key_ec returned %d\n", ret); return false; @@ -139,48 +209,73 @@ bool generate_certificate(const char* certfile, bool rsa, const char *domain) // only one certificate being issued with a given browser. Any new generated // certificate would be rejected by the browser as it would have the same // serial number as the previous one and uniques is violated. - unsigned char serial[16] = { 0 }; - mbedtls_ctr_drbg_random(&ctr_drbg, serial, sizeof(serial)); - for(unsigned int i = 0; i < sizeof(serial) - 1; i++) - serial[i] = '0' + (serial[i] % 10); - serial[sizeof(serial) - 1] = '\0'; + unsigned char serial1[16] = { 0 }, serial2[16] = { 0 }; + mbedtls_ctr_drbg_random(&ctr_drbg, serial1, sizeof(serial1)); + for(unsigned int i = 0; i < sizeof(serial1) - 1; i++) + serial1[i] = '0' + (serial1[i] % 10); + serial1[sizeof(serial1) - 1] = '\0'; + mbedtls_ctr_drbg_random(&ctr_drbg, serial2, sizeof(serial2)); + for(unsigned int i = 0; i < sizeof(serial2) - 1; i++) + serial2[i] = '0' + (serial2[i] % 10); + serial2[sizeof(serial2) - 1] = '\0'; // Create validity period - // Use YYYYMMDDHHMMSS as required by RFC 5280 + // Use YYYYMMDDHHMMSS as required by RFC 5280 (UTCTime) const time_t now = time(NULL); struct tm tms = { 0 }; - struct tm *tm = localtime_r(&now, &tms); + struct tm *tm = gmtime_r(&now, &tms); char not_before[16] = { 0 }; char not_after[16] = { 0 }; strftime(not_before, sizeof(not_before), "%Y%m%d%H%M%S", tm); tm->tm_year += 30; // 30 years from now strftime(not_after, sizeof(not_after), "%Y%m%d%H%M%S", tm); - // Generate certificate - printf("Generating new certificate with serial number %s...\n", serial); - mbedtls_x509write_crt_set_version(&crt, MBEDTLS_X509_CRT_VERSION_3); + // 1. Create CA certificate + printf("Generating new CA with serial number %s...\n", serial1); + mbedtls_x509write_crt_set_version(&ca_cert, MBEDTLS_X509_CRT_VERSION_3); + + mbedtls_x509write_crt_set_serial_raw(&ca_cert, serial1, sizeof(serial1)-1); + mbedtls_x509write_crt_set_md_alg(&ca_cert, MBEDTLS_MD_SHA256); + mbedtls_x509write_crt_set_subject_key(&ca_cert, &ca_key); + mbedtls_x509write_crt_set_subject_key_identifier(&ca_cert); + mbedtls_x509write_crt_set_issuer_key(&ca_cert, &ca_key); + mbedtls_x509write_crt_set_authority_key_identifier(&ca_cert); + mbedtls_x509write_crt_set_issuer_name(&ca_cert, "CN=pi.hole,O=Pi-hole,C=DE"); + mbedtls_x509write_crt_set_subject_name(&ca_cert, "CN=pi.hole,O=Pi-hole,C=DE"); + mbedtls_x509write_crt_set_validity(&ca_cert, not_before, not_after); + mbedtls_x509write_crt_set_basic_constraints(&ca_cert, 1, -1); + + // Export CA in PEM format + if((ret = mbedtls_x509write_crt_pem(&ca_cert, ca_buffer, sizeof(ca_buffer), + mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) + { + printf("ERROR: mbedtls_x509write_crt_pem (CA) returned %d\n", ret); + return false; + } - mbedtls_x509write_crt_set_serial_raw(&crt, serial, sizeof(serial)-1); - mbedtls_x509write_crt_set_md_alg(&crt, MBEDTLS_MD_SHA256); - mbedtls_x509write_crt_set_subject_key(&crt, &key); - mbedtls_x509write_crt_set_issuer_key(&crt, &key); - mbedtls_x509write_crt_set_issuer_name(&crt, "CN=pi.hole"); - mbedtls_x509write_crt_set_validity(&crt, not_before, not_after); - mbedtls_x509write_crt_set_basic_constraints(&crt, 0, -1); - mbedtls_x509write_crt_set_subject_key_identifier(&crt); - mbedtls_x509write_crt_set_authority_key_identifier(&crt); + printf("Generating new server certificate with serial number %s...\n", serial2); + mbedtls_x509write_crt_set_version(&server_cert, MBEDTLS_X509_CRT_VERSION_3); + mbedtls_x509write_crt_set_serial_raw(&server_cert, serial2, sizeof(serial2)-1); + mbedtls_x509write_crt_set_md_alg(&server_cert, MBEDTLS_MD_SHA256); + mbedtls_x509write_crt_set_subject_key(&server_cert, &server_key); + mbedtls_x509write_crt_set_subject_key_identifier(&server_cert); + mbedtls_x509write_crt_set_issuer_key(&server_cert, &ca_key); + mbedtls_x509write_crt_set_authority_key_identifier(&server_cert); + // subject name set below + mbedtls_x509write_crt_set_issuer_name(&server_cert, "CN=pi.hole,O=Pi-hole,C=DE"); + mbedtls_x509write_crt_set_validity(&server_cert, not_before, not_after); + mbedtls_x509write_crt_set_basic_constraints(&server_cert, 0, -1); // Set subject name depending on the (optionally) specified domain { char *subject_name = calloc(strlen(domain) + 4, sizeof(char)); strcpy(subject_name, "CN="); strcat(subject_name, domain); - mbedtls_x509write_crt_set_subject_name(&crt, subject_name); + mbedtls_x509write_crt_set_subject_name(&server_cert, subject_name); free(subject_name); } - // Add "DNS:pi.hole" as subject alternative name (SAN) // // Since RFC 2818 (May 2000), the Common Name (CN) field is ignored @@ -209,85 +304,32 @@ bool generate_certificate(const char* certfile, bool rsa, const char *domain) san_dns_pihole.next = &san_dns_domain; // Link this domain } - ret = mbedtls_x509write_crt_set_subject_alternative_name(&crt, &san_dns_pihole); + ret = mbedtls_x509write_crt_set_subject_alternative_name(&server_cert, &san_dns_pihole); if (ret != 0) printf("mbedtls_x509write_crt_set_subject_alternative_name returned %d\n", ret); - // Export certificate in PEM format - if((ret = mbedtls_x509write_crt_pem(&crt, cert_buffer, sizeof(cert_buffer), + if((ret = mbedtls_x509write_crt_pem(&server_cert, cert_buffer, sizeof(cert_buffer), mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) { printf("ERROR: mbedtls_x509write_crt_pem returned %d\n", ret); return false; } - // Write private key and certificate to file - FILE *f = NULL; - printf("Storing key + certificate in %s ...\n", certfile); - if ((f = fopen(certfile, "wb")) == NULL) - { - printf("ERROR: Could not open %s for writing\n", certfile); - return false; - } - - // Write private key - olen = strlen((char *) key_buffer); - if (fwrite(key_buffer, 1, olen, f) != olen) - { - printf("ERROR: Could not write key to %s\n", certfile); - fclose(f); - return false; - } - - // Write certificate - olen = strlen((char *) cert_buffer); - if (fwrite(cert_buffer, 1, olen, f) != olen) - { - printf("ERROR: Could not write certificate to %s\n", certfile); - fclose(f); - return false; - } - - // Close key+cert file - fclose(f); - - // Create second file with certificate only - char *certfile2 = calloc(strlen(certfile) + 5, sizeof(char)); - strcpy(certfile2, certfile); - - // If the certificate file name ends with ".pem" or ".key", replace it with ".crt" - // Otherwise, append ".crt" to the certificate file name - if (strlen(certfile2) > 4 && - (strcmp(certfile2 + strlen(certfile2) - 4, ".pem") == 0 || - strcmp(certfile2 + strlen(certfile2) - 4, ".key") == 0)) - certfile2[strlen(certfile) - 4] = '\0'; - - strcat(certfile2, ".crt"); - - printf("Storing certificate in %s ...\n", certfile2); - if ((f = fopen(certfile2, "wb")) == NULL) - { - printf("ERROR: Could not open %s for writing\n", certfile2); - return false; - } + // Create file with CA certificate only + write_to_file(certfile, "CA certificate", "_ca.crt", (char*)ca_buffer, NULL); - // Write certificate - olen = strlen((char *) cert_buffer); - if (fwrite(cert_buffer, 1, olen, f) != olen) - { - printf("ERROR: Could not write certificate to %s\n", certfile2); - fclose(f); - return false; - } + // Create file with server certificate only + write_to_file(certfile, "server certificate", ".crt", (char*)cert_buffer, NULL); - // Close cert file - fclose(f); - free(certfile2); + // Write server's private key and certificate to file + write_to_file(certfile, "server key + certificate", NULL, (char*)cert_buffer, (char*)key_buffer); // Free resources - mbedtls_x509write_crt_free(&crt); - mbedtls_pk_free(&key); + mbedtls_x509write_crt_free(&ca_cert); + mbedtls_x509write_crt_free(&server_cert); + mbedtls_pk_free(&ca_key); + mbedtls_pk_free(&server_key); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); @@ -345,11 +387,12 @@ enum cert_check read_certificate(const char* certfile, const char *domain, const return CERT_FILE_NOT_FOUND; } + bool has_key = true; int rc = mbedtls_pk_parse_keyfile(&key, certfile, NULL, mbedtls_ctr_drbg_random, &ctr_drbg); if (rc != 0) { - log_err("Cannot parse key: Error code %d", rc); - return CERT_CANNOT_PARSE_KEY; + log_info("No key found"); + has_key = false; } rc = mbedtls_x509_crt_parse_file(&crt, certfile); @@ -444,7 +487,7 @@ enum cert_check read_certificate(const char* certfile, const char *domain, const puts("Certificate (X.509):\n"); puts(certinfo); - if(!private_key) + if(!private_key || !has_key) goto end; puts("Private key:"); diff --git a/test/test.crt b/test/test.crt index 89f89c6de..fa2bd4c17 100644 --- a/test/test.crt +++ b/test/test.crt @@ -1,13 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIB+jCCAVmgAwIBAgIPMDY1NTgwNDA4Mjk5OTE2MAwGCCqGSM49BAMCBQAwEjEQ -MA4GA1UEAwwHcGkuaG9sZTAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTla -MBIxEDAOBgNVBAMMB3BpLmhvbGUwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAFD -nUd44uNJqnVev6mcVAmq8Flz3ZNfIvgrAhl2mweX3k9zRdyfxfPKjHRxaEzLJxCB -wZsjDee558Jlpd9zcK5TfQE8N1v3WH6sOFXj5WQSQA08FuApDqQKIc20wB26DJp4 -fHMWmp6AYa+BDaXhWn3yXgzvMEIbor9FtkOUO81QKDASUaNNMEswCQYDVR0TBAIw -ADAdBgNVHQ4EFgQUwoMB6ZJW7JkdwmCy2Hp6sP0dkEAwHwYDVR0jBBgwFoAUwoMB -6ZJW7JkdwmCy2Hp6sP0dkEAwDAYIKoZIzj0EAwIFAAOBjAAwgYgCQgEj2ykySK/P -gbyT+J+vXVMBWbdHudfkncM7ItPhMN1PyM1J0Tp5emXm6ZLtlZpNGgqXxH1U94UO -5AFs5PeJuLI43AJCAZJAEiEHqEycXxCm3Ip+64a7lb5H6Y3gpbUKjHwsZW4svTdk -vn5eqsRcmuhW7t0pYJcpGGE52tV+Ayo8BQOLHJzd +MIIB4TCCAWagAwIBAgIPNjYyMjUxNzYwMDkxMDA3MAoGCCqGSM49BAMCMDExEDAO +BgNVBAMMB3BpLmhvbGUxEDAOBgNVBAoMB1BpLWhvbGUxCzAJBgNVBAYTAkRFMCAX +DTIzMDExNjIxMTUxMloYDzIwNTMwMTE2MjExNTEyWjASMRAwDgYDVQQDDAdwaS5o +b2xlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEuH7sWfGRkvm5s5LVYTwbM6PjZmuK +4KPhA5qaWfVqJw4jeEMkvyT4CKtiruLEBcqzimkBhP6dlMOUM/K0caRC5Jm46fMC +9bV374ibYXxiX4bkiu8m/GDjM5RgiS1D1x+Uo2EwXzAdBgNVHQ4EFgQUh4lGwfX0 +GfdLVzkkHCuoxDkdiYkwHwYDVR0jBBgwFoAUUeMrZ6L+iRSicUSYbomqc/gPaikw +CQYDVR0TBAIwADASBgNVHREECzAJggdwaS5ob2xlMAoGCCqGSM49BAMCA2kAMGYC +MQDalH2DB1QTs5T3Vr4Ok+k+9E2xE2eHowMow5jHhYqmxW0jUqeNO1GWVyKQydmH +sbQCMQDlcnMv4G3at02j/E7RBU67mRYL+DE5k0ygX1ANFYMZKrTM0960uoo8/DUl +3cdeFrg= -----END CERTIFICATE----- diff --git a/test/test.pem b/test/test.pem index 88513544d..5add17553 100644 --- a/test/test.pem +++ b/test/test.pem @@ -1,20 +1,19 @@ -----BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIALL5s+KkTtEXyERZbBHO3A3tbBhh8hoWu9KWDVMcGHDiBc+CwA3Sl -XOrHu1iGFZydVLPAIFZDVaD6caVVWTBBVtigBwYFK4EEACOhgYkDgYYABAFDnUd4 -4uNJqnVev6mcVAmq8Flz3ZNfIvgrAhl2mweX3k9zRdyfxfPKjHRxaEzLJxCBwZsj -Dee558Jlpd9zcK5TfQE8N1v3WH6sOFXj5WQSQA08FuApDqQKIc20wB26DJp4fHMW -mp6AYa+BDaXhWn3yXgzvMEIbor9FtkOUO81QKDASUQ== +MIGkAgEBBDBGWIbQ11v8sQjrlj+KUS7OJoR0M9xyZyMLhkejtXlHGNXn2lK8ZzPW +UUA6+ZqgdA+gBwYFK4EEACKhZANiAAS4fuxZ8ZGS+bmzktVhPBszo+Nma4rgo+ED +mppZ9WonDiN4QyS/JPgIq2Ku4sQFyrOKaQGE/p2Uw5Qz8rRxpELkmbjp8wL1tXfv +iJthfGJfhuSK7yb8YOMzlGCJLUPXH5Q= -----END EC PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIB+jCCAVmgAwIBAgIPMDY1NTgwNDA4Mjk5OTE2MAwGCCqGSM49BAMCBQAwEjEQ -MA4GA1UEAwwHcGkuaG9sZTAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTla -MBIxEDAOBgNVBAMMB3BpLmhvbGUwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAFD -nUd44uNJqnVev6mcVAmq8Flz3ZNfIvgrAhl2mweX3k9zRdyfxfPKjHRxaEzLJxCB -wZsjDee558Jlpd9zcK5TfQE8N1v3WH6sOFXj5WQSQA08FuApDqQKIc20wB26DJp4 -fHMWmp6AYa+BDaXhWn3yXgzvMEIbor9FtkOUO81QKDASUaNNMEswCQYDVR0TBAIw -ADAdBgNVHQ4EFgQUwoMB6ZJW7JkdwmCy2Hp6sP0dkEAwHwYDVR0jBBgwFoAUwoMB -6ZJW7JkdwmCy2Hp6sP0dkEAwDAYIKoZIzj0EAwIFAAOBjAAwgYgCQgEj2ykySK/P -gbyT+J+vXVMBWbdHudfkncM7ItPhMN1PyM1J0Tp5emXm6ZLtlZpNGgqXxH1U94UO -5AFs5PeJuLI43AJCAZJAEiEHqEycXxCm3Ip+64a7lb5H6Y3gpbUKjHwsZW4svTdk -vn5eqsRcmuhW7t0pYJcpGGE52tV+Ayo8BQOLHJzd +MIIB4TCCAWagAwIBAgIPNjYyMjUxNzYwMDkxMDA3MAoGCCqGSM49BAMCMDExEDAO +BgNVBAMMB3BpLmhvbGUxEDAOBgNVBAoMB1BpLWhvbGUxCzAJBgNVBAYTAkRFMCAX +DTIzMDExNjIxMTUxMloYDzIwNTMwMTE2MjExNTEyWjASMRAwDgYDVQQDDAdwaS5o +b2xlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEuH7sWfGRkvm5s5LVYTwbM6PjZmuK +4KPhA5qaWfVqJw4jeEMkvyT4CKtiruLEBcqzimkBhP6dlMOUM/K0caRC5Jm46fMC +9bV374ibYXxiX4bkiu8m/GDjM5RgiS1D1x+Uo2EwXzAdBgNVHQ4EFgQUh4lGwfX0 +GfdLVzkkHCuoxDkdiYkwHwYDVR0jBBgwFoAUUeMrZ6L+iRSicUSYbomqc/gPaikw +CQYDVR0TBAIwADASBgNVHREECzAJggdwaS5ob2xlMAoGCCqGSM49BAMCA2kAMGYC +MQDalH2DB1QTs5T3Vr4Ok+k+9E2xE2eHowMow5jHhYqmxW0jUqeNO1GWVyKQydmH +sbQCMQDlcnMv4G3at02j/E7RBU67mRYL+DE5k0ygX1ANFYMZKrTM0960uoo8/DUl +3cdeFrg= -----END CERTIFICATE----- diff --git a/test/test_ca.crt b/test/test_ca.crt new file mode 100644 index 000000000..a7a37e3ad --- /dev/null +++ b/test/test_ca.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB8TCCAXegAwIBAgIPMDQ4MzEwMzI5NDMzNTEyMAoGCCqGSM49BAMCMDExEDAO +BgNVBAMMB3BpLmhvbGUxEDAOBgNVBAoMB1BpLWhvbGUxCzAJBgNVBAYTAkRFMCAX +DTIzMDExNjIxMTUxMloYDzIwNTMwMTE2MjExNTEyWjAxMRAwDgYDVQQDDAdwaS5o +b2xlMRAwDgYDVQQKDAdQaS1ob2xlMQswCQYDVQQGEwJERTB2MBAGByqGSM49AgEG +BSuBBAAiA2IABJLGB8r6Fs40ARHd8OtOIfAjAyW07QMO7LRlS/M2lJhXWUoPMn3W +KsGhfOPB24aJZ/aFjZRSBnlgiBTten/SJIQ8ooSVLHLZXKHMDwAqjLA7woMb2kOC +QiqHRnKdY3xH2KNTMFEwHQYDVR0OBBYEFFHjK2ei/okUonFEmG6JqnP4D2opMB8G +A1UdIwQYMBaAFFHjK2ei/okUonFEmG6JqnP4D2opMA8GA1UdEwEB/wQFMAMBAf8w +CgYIKoZIzj0EAwIDaAAwZQIxAJAP3Hx3d6WWys1JiV68CeGL8+hngTmEkzcPivyC +YqkJR8Ni7TBvhtYViyccQ6g3LAIwIsbtRFStxJYuRDi9tTwHuOKZby/oYUwRXMff +7XmiEM85caDyY4rG6oN910Cm+v8c +-----END CERTIFICATE----- diff --git a/test/test_suite.bats b/test/test_suite.bats index 0ea50189c..bd1aecc6f 100644 --- a/test/test_suite.bats +++ b/test/test_suite.bats @@ -1455,22 +1455,23 @@ [[ "${lines[0]}" == "Reading certificate from /etc/pihole/test.pem ..." ]] [[ "${lines[1]}" == "Certificate (X.509):" ]] [[ "${lines[2]}" == " cert. version : 3" ]] - [[ "${lines[3]}" == " serial number : 30:36:35:35:38:30:34:30:38:32:39:39:39:31:36" ]] - [[ "${lines[4]}" == " issuer name : CN=pi.hole" ]] + [[ "${lines[3]}" == " serial number : 36:36:32:32:35:31:37:36:30:30:39:31:30:30:37" ]] + [[ "${lines[4]}" == " issuer name : CN=pi.hole, O=Pi-hole, C=DE" ]] [[ "${lines[5]}" == " subject name : CN=pi.hole" ]] - [[ "${lines[6]}" == " issued on : 2001-01-01 00:00:00" ]] - [[ "${lines[7]}" == " expires on : 2030-12-31 23:59:59" ]] + [[ "${lines[6]}" == " issued on : 2023-01-16 21:15:12" ]] + [[ "${lines[7]}" == " expires on : 2053-01-16 21:15:12" ]] [[ "${lines[8]}" == " signed using : ECDSA with SHA256" ]] - [[ "${lines[9]}" == " EC key size : 521 bits" ]] + [[ "${lines[9]}" == " EC key size : 384 bits" ]] [[ "${lines[10]}" == " basic constraints : CA=false" ]] - [[ "${lines[11]}" == "Public key (PEM):" ]] - [[ "${lines[12]}" == "-----BEGIN PUBLIC KEY-----" ]] - [[ "${lines[13]}" == "MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQ51HeOLjSap1Xr+pnFQJqvBZc92T" ]] - [[ "${lines[14]}" == "XyL4KwIZdpsHl95Pc0Xcn8Xzyox0cWhMyycQgcGbIw3nuefCZaXfc3CuU30BPDdb" ]] - [[ "${lines[15]}" == "91h+rDhV4+VkEkANPBbgKQ6kCiHNtMAdugyaeHxzFpqegGGvgQ2l4Vp98l4M7zBC" ]] - [[ "${lines[16]}" == "G6K/RbZDlDvNUCgwElE=" ]] - [[ "${lines[17]}" == "-----END PUBLIC KEY-----" ]] - [[ "${lines[18]}" == "" ]] + [[ "${lines[11]}" == " subject alt name :" ]] + [[ "${lines[12]}" == " dNSName : pi.hole" ]] + [[ "${lines[13]}" == "Public key (PEM):" ]] + [[ "${lines[14]}" == "-----BEGIN PUBLIC KEY-----" ]] + [[ "${lines[15]}" == "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEuH7sWfGRkvm5s5LVYTwbM6PjZmuK4KPh" ]] + [[ "${lines[16]}" == "A5qaWfVqJw4jeEMkvyT4CKtiruLEBcqzimkBhP6dlMOUM/K0caRC5Jm46fMC9bV3" ]] + [[ "${lines[17]}" == "74ibYXxiX4bkiu8m/GDjM5RgiS1D1x+U" ]] + [[ "${lines[18]}" == "-----END PUBLIC KEY-----" ]] + [[ "${lines[19]}" == "" ]] } @test "X.509 certificate parser returns expected result (with private key)" { @@ -1480,38 +1481,38 @@ [[ "${lines[0]}" == "Reading certificate from /etc/pihole/test.pem ..." ]] [[ "${lines[1]}" == "Certificate (X.509):" ]] [[ "${lines[2]}" == " cert. version : 3" ]] - [[ "${lines[3]}" == " serial number : 30:36:35:35:38:30:34:30:38:32:39:39:39:31:36" ]] - [[ "${lines[4]}" == " issuer name : CN=pi.hole" ]] + [[ "${lines[3]}" == " serial number : 36:36:32:32:35:31:37:36:30:30:39:31:30:30:37" ]] + [[ "${lines[4]}" == " issuer name : CN=pi.hole, O=Pi-hole, C=DE" ]] [[ "${lines[5]}" == " subject name : CN=pi.hole" ]] - [[ "${lines[6]}" == " issued on : 2001-01-01 00:00:00" ]] - [[ "${lines[7]}" == " expires on : 2030-12-31 23:59:59" ]] + [[ "${lines[6]}" == " issued on : 2023-01-16 21:15:12" ]] + [[ "${lines[7]}" == " expires on : 2053-01-16 21:15:12" ]] [[ "${lines[8]}" == " signed using : ECDSA with SHA256" ]] - [[ "${lines[9]}" == " EC key size : 521 bits" ]] + [[ "${lines[9]}" == " EC key size : 384 bits" ]] [[ "${lines[10]}" == " basic constraints : CA=false" ]] - [[ "${lines[11]}" == "Private key:" ]] - [[ "${lines[12]}" == " Type: EC" ]] - [[ "${lines[13]}" == " Curve type: Short Weierstrass (y^2 = x^3 + a x + b)" ]] - [[ "${lines[14]}" == " Bitlen: 518 bit" ]] - [[ "${lines[15]}" == " Private key:" ]] - [[ "${lines[16]}" == " D = 0x2CBE6CF8A913B445F211165B0473B7037B5B06187C8685AEF4A58354C7061C388173E0B00374A55CEAC7BB5886159C9D54B3C020564355A0FA71A55559304156D8"* ]] - [[ "${lines[17]}" == " Public key:" ]] - [[ "${lines[18]}" == " X = 0x01439D4778E2E349AA755EBFA99C5409AAF05973DD935F22F82B0219769B0797DE4F7345DC9FC5F3CA8C7471684CCB271081C19B230DE7B9E7C265A5DF7370AE537D"* ]] - [[ "${lines[19]}" == " Y = 0x013C375BF7587EAC3855E3E56412400D3C16E0290EA40A21CDB4C01DBA0C9A787C73169A9E8061AF810DA5E15A7DF25E0CEF30421BA2BF45B643943BCD5028301251"* ]] - [[ "${lines[20]}" == " Z = 0x01"* ]] - [[ "${lines[21]}" == "Private key (PEM):" ]] - [[ "${lines[22]}" == "-----BEGIN EC PRIVATE KEY-----" ]] - [[ "${lines[23]}" == "MIHcAgEBBEIALL5s+KkTtEXyERZbBHO3A3tbBhh8hoWu9KWDVMcGHDiBc+CwA3Sl" ]] - [[ "${lines[24]}" == "XOrHu1iGFZydVLPAIFZDVaD6caVVWTBBVtigBwYFK4EEACOhgYkDgYYABAFDnUd4" ]] - [[ "${lines[25]}" == "4uNJqnVev6mcVAmq8Flz3ZNfIvgrAhl2mweX3k9zRdyfxfPKjHRxaEzLJxCBwZsj" ]] - [[ "${lines[26]}" == "Dee558Jlpd9zcK5TfQE8N1v3WH6sOFXj5WQSQA08FuApDqQKIc20wB26DJp4fHMW" ]] - [[ "${lines[27]}" == "mp6AYa+BDaXhWn3yXgzvMEIbor9FtkOUO81QKDASUQ==" ]] - [[ "${lines[28]}" == "-----END EC PRIVATE KEY-----" ]] - [[ "${lines[29]}" == "Public key (PEM):" ]] - [[ "${lines[30]}" == "-----BEGIN PUBLIC KEY-----" ]] - [[ "${lines[31]}" == "MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQ51HeOLjSap1Xr+pnFQJqvBZc92T" ]] - [[ "${lines[32]}" == "XyL4KwIZdpsHl95Pc0Xcn8Xzyox0cWhMyycQgcGbIw3nuefCZaXfc3CuU30BPDdb" ]] - [[ "${lines[33]}" == "91h+rDhV4+VkEkANPBbgKQ6kCiHNtMAdugyaeHxzFpqegGGvgQ2l4Vp98l4M7zBC" ]] - [[ "${lines[34]}" == "G6K/RbZDlDvNUCgwElE=" ]] + [[ "${lines[11]}" == " subject alt name :" ]] + [[ "${lines[12]}" == " dNSName : pi.hole" ]] + [[ "${lines[13]}" == "Private key:" ]] + [[ "${lines[14]}" == " Type: EC" ]] + [[ "${lines[15]}" == " Curve type: Short Weierstrass (y^2 = x^3 + a x + b)" ]] + [[ "${lines[16]}" == " Bitlen: 383 bit" ]] + [[ "${lines[17]}" == " Private key:" ]] + [[ "${lines[18]}" == " D = 0x465886D0D75BFCB108EB963F8A512ECE26847433DC7267230B8647A3B5794718D5E7DA52BC6733D651403AF99AA0740F"* ]] + [[ "${lines[19]}" == " Public key:" ]] + [[ "${lines[20]}" == " X = 0xB87EEC59F19192F9B9B392D5613C1B33A3E3666B8AE0A3E1039A9A59F56A270E23784324BF24F808AB62AEE2C405CAB3"* ]] + [[ "${lines[21]}" == " Y = 0x8A690184FE9D94C39433F2B471A442E499B8E9F302F5B577EF889B617C625F86E48AEF26FC60E3339460892D43D71F94"* ]] + [[ "${lines[22]}" == " Z = 0x01"* ]] + [[ "${lines[23]}" == "Private key (PEM):" ]] + [[ "${lines[24]}" == "-----BEGIN EC PRIVATE KEY-----" ]] + [[ "${lines[25]}" == "MIGkAgEBBDBGWIbQ11v8sQjrlj+KUS7OJoR0M9xyZyMLhkejtXlHGNXn2lK8ZzPW" ]] + [[ "${lines[26]}" == "UUA6+ZqgdA+gBwYFK4EEACKhZANiAAS4fuxZ8ZGS+bmzktVhPBszo+Nma4rgo+ED" ]] + [[ "${lines[27]}" == "mppZ9WonDiN4QyS/JPgIq2Ku4sQFyrOKaQGE/p2Uw5Qz8rRxpELkmbjp8wL1tXfv" ]] + [[ "${lines[28]}" == "iJthfGJfhuSK7yb8YOMzlGCJLUPXH5Q=" ]] + [[ "${lines[29]}" == "-----END EC PRIVATE KEY-----" ]] + [[ "${lines[30]}" == "Public key (PEM):" ]] + [[ "${lines[31]}" == "-----BEGIN PUBLIC KEY-----" ]] + [[ "${lines[32]}" == "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEuH7sWfGRkvm5s5LVYTwbM6PjZmuK4KPh" ]] + [[ "${lines[33]}" == "A5qaWfVqJw4jeEMkvyT4CKtiruLEBcqzimkBhP6dlMOUM/K0caRC5Jm46fMC9bV3" ]] + [[ "${lines[34]}" == "74ibYXxiX4bkiu8m/GDjM5RgiS1D1x+U" ]] [[ "${lines[35]}" == "-----END PUBLIC KEY-----" ]] [[ "${lines[36]}" == "" ]] } @@ -1567,7 +1568,7 @@ @test "SHA256 checksum working" { run bash -c './pihole-FTL sha256sum test/test.pem' printf "%s\n" "${lines[@]}" - [[ ${lines[0]} == "eae293f0c30369935a7457a789658bedebf92d544e7526bc43aa07883a597fa9 test/test.pem" ]] + [[ ${lines[0]} == "ce4c01340ef46bf3bc26831f7c53763d57c863528826aa795f1da5e16d6e7b2d test/test.pem" ]] } @test "API validation" {