authorDaniel Gustafsson <dgustafsson@postgresql.org>2021-10-19 20:11:42 +0200
committerDaniel Gustafsson <dgustafsson@postgresql.org>2021-10-19 20:11:42 +0200
commitb4c4a00eada3c512e819e9163114a5ad1606bc7e (patch)
treee9b916270e6d2c0134711c7f6ef6c93f52fe08bf /src/test/ssl/t
parent3e310d837a9b3de8ad977c0a3e2a769bcdf61cc9 (diff)
downloadpostgresql-b4c4a00eada3c512e819e9163114a5ad1606bc7e.tar.gz
postgresql-b4c4a00eada3c512e819e9163114a5ad1606bc7e.zip
Refactor the sslfiles Makefile target for ease of use
The Makefile handling of certificate and keypairs used for TLS testing had become quite difficult to work with. Adding a new cert without the need to regenerate everything was too complicated. This patch refactors the sslfiles make target such that adding a new certificate requires only adding a .config file, adding it to the top of the Makefile, and running make sslfiles. Improvements: - Interfile dependencies should be fixed, with the exception of the CRL dirs. - New certificates have serial numbers based on the current time, reducing the chance of collision. - The CA index state is created on demand and cleaned up automatically at the end of the Make run. - *.config files are now self-contained; one certificate needs one config file instead of two. - Duplication is reduced, and along with it some unneeded code (and possible copy-paste errors). - all configuration files underneath the conf/ directory. The target is moved to its own makefile in order to avoid colliding with global make settings. Author: Jacob Champion <pchampion@vmware.com> Reviewed-by: Michael Paquier <michael@paquier.xyz> Discussion: https://postgr.es/m/d15a9838344ba090e09fd866abf913584ea19fb7.camel@vmware.com
Diffstat (limited to 'src/test/ssl/t')
-rw-r--r--src/test/ssl/t/001_ssltests.pl17
1 files changed, 16 insertions, 1 deletions
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 3bc711f4a77..a901077469a 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -485,6 +485,21 @@ TODO:
}
# pg_stat_ssl
+
+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+if ($? == 0)
+{
+ $serialno =~ s/^serial=//;
+ $serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal
+}
+else
+{
+ # OpenSSL isn't functioning on the user's PATH. This probably isn't worth
+ # skipping the test over, so just fall back to a generic integer match.
+ warn 'couldn\'t run `openssl x509` to get client cert serialno';
+ $serialno = '\d+';
+}
+
command_like(
[
'psql',
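Review bot: `hex($serialno)` in the success branch is applied to raw backtick output that still carries its trailing newline, and the commit message says new serials are time-based, so they can exceed 32 bits. Perl's hex() warns that values above 0xffffffff are non-portable, and on a perl built without 64-bit integers the result would presumably interpolate in a lossy or exponent form, so the `$serialno` pattern in the second hunk would stop matching `client_serial`. I would strip whitespace and convert with arbitrary precision: `$serialno =~ s/\s+//g;` followed by `$serialno = Math::BigInt->from_hex($serialno);`, which needs `use Math::BigInt;` in the file's import block (not visible in this hunk). The fallback comment should also say that with `'\d+'` the test no longer verifies the serial at all, so a run without a working `openssl` passes without checking that pg_stat_ssl reports the certificate's real serial number.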
@@ -500,7 +515,7 @@ command_like(
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,$serialno,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions