App-CamelPKI


lib/App/CamelPKI/CA.pm

of a subclass of L<App::CamelPKI::CertTemplate>; $key1 => $val1, ... are
named parameters passed to $certtemplate so that it can generate the
associated certificates (see details in
L<App::CamelPKI::CertTemplate/prepare_certificate> and
L<App::CamelPKI::CertTemplate/list_keys>).

Internally, I<sign> checks its arguments, then calls

  $certtemplate->test_certificate_conflict($db, $key1 => $val1, ...)

to verify that the certificate about to be created does not conflict
with the existing certificates. If that check passes, I<sign> invokes

  $certtemplate->prepare_certificate($cacert, $newcert, $key1 => $val1, ...)

Finally, I<sign> sets the serial number according to the current CA state
and records the certificate in the database. The certificate may then be
retrieved using L</commit>.

=cut

lib/App/CamelPKI/Model/CA.pm


    $model_ca->do_ceremony($privdir, $webserver);
    ok($model_ca->instance->is_operational);
    ok($webserver->is_operational);

    my $ca0key = App::CamelPKI::PrivateKey->load(catfile($privdir, "ca0.key"));
    my $ca0cert = App::CamelPKI::Certificate->load(catfile($privdir, "ca0.crt"));
    ok($ca0key->isa("App::CamelPKI::PrivateKey"));
    ok($ca0cert->isa("App::CamelPKI::Certificate"));
    ok($ca0key->get_public_key->equals($ca0cert->get_public_key));
    $ca0cert->as_crypt_openssl_ca_x509->verify
        ($ca0cert->as_crypt_openssl_ca_x509->get_public_key);
    certificate_chain_ok($model_ca->instance->certificate->serialize,
                         [$ca0cert->serialize]);

    my $adminkey = App::CamelPKI::PrivateKey->load
        (catfile($privdir, "admin.key"));
    my $admincert = App::CamelPKI::Certificate->load
        (catfile($privdir, "admin.pem"));
    ok($adminkey->isa("App::CamelPKI::PrivateKey"));
    ok($admincert->isa("App::CamelPKI::Certificate"));

lib/App/CamelPKI/SysV/Apache.pm

        no strict "refs"; *{$persistent_field} = $getsetter;
    }
}

=head2 set_keys(-certificate => $cert, -key => $key,
                -certification_chain => \@chain)

Installs key material that will allow this Apache daemon to
authenticate itself to its HTTP/S clients ($cert and $key, which must
be instances of L<App::CamelPKI::Certificate> and L<App::CamelPKI::PrivateKey>
respectively), and also to verify the identity of HTTP/S clients that
themselves use a certificate (@chain, which is a list of instances of
L<App::CamelPKI::Certificate>; see also L</update_crl>).  If $cert is a
self-signed certificate, C<-certification_chain> and its parameter
\@chain may be omitted.

=cut

sub set_keys {
    throw App::CamelPKI::Error::Internal("WRONG_NUMBER_ARGS")
        unless (@_ % 2);

t/lib/App/CamelPKI/Test.pm

Checks that a certificate passed as a PEM string is validly signed by
the certificate chain @certchain, which is a list of PEM strings
passed as a reference.

=cut

sub certificate_chain_ok {
    my ($cert, $certchain, $testname) = @_;

    test (($testname || "certificate_chain_ok") => sub {
        my $out = _run_openssl_verify($cert, $certchain, $testname);
        return if ! defined $out; # Already failed
        like($out, qr/OK/, "verify successful");
        unlike($out, qr/error/, "no errors");
    });
}

sub _run_openssl_verify {
    my ($cert, $certchain, $testname) = @_;

    # This is mostly a hack to get the test suite to
    # work, but CA:FALSE certificates *really* should
    # not be made part of a certification chain.

    my @certchain = grep {
        my $out = run_thru_openssl($_, qw(x509 -noout -text));
        ( $out =~ m/CA:TRUE/ ) ? 1 : (warn(<<"WARNING"), 0);
$testname: ignoring a non-CA certificate that was passed as
WARNING
    } @$certchain;
    fail("no remaining certificates in chain"), return undef
        if ! @certchain;

    my $bundlefile = catfile
        (tempdir(), sprintf("ca-bundle-%d-%d.crt", $$,
                             _unique_number()));
    write_file($bundlefile,
                            join("\n", @certchain));
    return scalar run_thru_openssl($cert, qw(verify),
                                   -CAfile => $bundlefile);
}

=item I<certificate_chain_invalid_ok($pem_certificate, \@certchain)>

The converse of L</certificate_chain_ok>; checks that
I<$pem_certificate> is B<not> validly signed by @certchain.  Note,
however, that there is one case in which I<certificate_chain_ok> and
I<certificate_chain_invalid_ok> both fail: when @certchain does not
contain any B<valid> CA certificate.

=cut

sub certificate_chain_invalid_ok {
    my ($cert, $certchain, $testname) = @_;

    # Default test name corrected to match this function
    test (($testname || "certificate_chain_invalid_ok") => sub {
        my $out = _run_openssl_verify($cert, $certchain, $testname);
        return if ! defined $out; # Already failed
        like($out, qr/error/, "verify failed as expected");
    });
}
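The chain check that C<_run_openssl_verify> performs (keep only CA:TRUE chain members, refuse an empty bundle, then run C<openssl verify>), redone with plain openssl commands on constructed test material, as an added example that is not part of App-CamelPKI. It also shows the caveat above: a chain made only of CA:FALSE certificates yields neither "OK" nor "error" but an empty bundle. Assumes the C<openssl> CLI is on PATH; all names and key material are generated here.

```shell
#!/bin/sh
# Added example (not App-CamelPKI code): mimics _run_openssl_verify with the
# openssl CLI. Assumes openssl is on PATH; all material is constructed below.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Constructed material: a CA:TRUE root, a leaf it signed, and an unrelated
# self-signed CA:FALSE certificate (the kind the Perl helper warns about).
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > noca.ext
for n in root leaf other; do
    openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
        -subj "/CN=$n" >/dev/null 2>&1
done
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.crt >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -out leaf.crt >/dev/null 2>&1
openssl x509 -req -in other.csr -signkey other.key -days 1 -extfile noca.ext \
    -out other.crt >/dev/null 2>&1

# chain_verify CERT CHAIN...: drop CA:FALSE chain members, report EMPTY
# (status 2) when nothing is left, else run openssl verify against the
# bundle and report OK (status 0) or ERROR (status 1).
chain_verify() {
    cert=$1; shift
    bundle=$(mktemp)
    for c in "$@"; do
        if openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then
            cat "$c" >> "$bundle"
        else
            echo "ignoring non-CA certificate $c" >&2
        fi
    done
    result=EMPTY; status=2
    if [ -s "$bundle" ]; then
        if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
            result=OK; status=0
        else
            result=ERROR; status=1
        fi
    fi
    rm -f "$bundle"
    echo "$result"
    return "$status"
}

chain_verify leaf.crt root.crt            # OK
chain_verify other.crt root.crt || true   # ERROR: not issued by root
chain_verify leaf.crt other.crt || true   # EMPTY: no CA certificate left
```

The third call is the case where both C<certificate_chain_ok> and C<certificate_chain_invalid_ok> would fail, since there is no verify output to match against.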

=item I<x509_schema()>

Returns the ASN.1 schema for the whole X509 specification, as a string
that L<Convert::ASN1> will grok.

=cut


