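//  Self test of the zcert class.
//
//  Exercises metadata, dup/eq, save/load round-trips, and the public-only
//  load path.  Note the last case: when the "_secret" file is absent,
//  zcert_load still succeeds and returns a certificate whose secret key is
//  all zeros (Z85 "000…0").  Callers that load a certificate to use as a
//  CURVE *server* identity must check for this rather than assume a secret
//  key is present.
//
//  Fix vs. original: the return values of zcert_dup, zcert_save and the
//  second zcert_load were used without a NULL/rc check, so a failure there
//  would show up as a crash inside zcert_eq/zcert_secret_txt instead of a
//  clear assertion.
void
zcert_test (bool verbose)
{
    printf (" * zcert: ");
#if (ZMQ_VERSION_MAJOR == 4)
    //  @selftest
    //  Create temporary directory for test files
#   define TESTDIR ".test_zcert"
    zsys_dir_create (TESTDIR);

    //  Create a simple certificate with metadata
    zcert_t *cert = zcert_new ();
#   if defined (HAVE_LIBSODIUM)
    zcert_set_meta (cert, "email", "*****@*****.**");
    zcert_set_meta (cert, "name", "Pieter Hintjens");
    zcert_set_meta (cert, "organization", "iMatix Corporation");
    zcert_set_meta (cert, "version", "%d", 1);
    assert (streq (zcert_meta (cert, "email"), "*****@*****.**"));
    zlist_t *keys = zcert_meta_keys (cert);
    assert (zlist_size (keys) == 4);
    zlist_destroy (&keys);

    //  Check the dup and eq methods
    zcert_t *shadow = zcert_dup (cert);
    assert (shadow);
    assert (zcert_eq (cert, shadow));
    zcert_destroy (&shadow);

    //  Check we can save and load certificate.  zcert_save writes two
    //  files: the public part and "<name>_secret" holding the secret key.
    int rc = zcert_save (cert, TESTDIR "/mycert.txt");
    assert (rc == 0);
    assert (zsys_file_exists (TESTDIR "/mycert.txt"));
    assert (zsys_file_exists (TESTDIR "/mycert.txt_secret"));

    //  Load certificate, will in fact load secret one
    shadow = zcert_load (TESTDIR "/mycert.txt");
    assert (shadow);
    assert (zcert_eq (cert, shadow));
    zcert_destroy (&shadow);

    //  Delete secret certificate, load public one
    rc = zsys_file_delete (TESTDIR "/mycert.txt_secret");
    assert (rc == 0);
    shadow = zcert_load (TESTDIR "/mycert.txt");
    assert (shadow);                    //  was dereferenced unchecked before
    //  32-byte null key encodes as 40 '0' characters.  This is the only
    //  signal that a loaded certificate has no usable secret key.
    assert (streq (zcert_secret_txt (shadow),
                   "0000000000000000000000000000000000000000"));
    zcert_destroy (&shadow);
    zcert_destroy (&cert);
#   else
    //  Libsodium isn't installed; should have returned NULL
    assert (cert == NULL);
#   endif

    //  Delete all test files (including any leftover secret key file)
    zdir_t *dir = zdir_new (TESTDIR, NULL);
    zdir_remove (dir, true);
    zdir_destroy (&dir);
    //  @end
#endif
    printf ("OK\n");
}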
//  Install a CURVE key pair on this node.
//
//  Both halves are forwarded to the node's actor as Z85-armored text over
//  the actor pipe ("SET PUBLICKEY" / "SET SECRETKEY"); the actor is what
//  validates the keys.  The secret key therefore transits an in-process
//  pipe in clear text, which is fine inside one process but means this
//  value must never be traced or logged.  The send return codes are not
//  checked, matching the rest of the zyre command API.
void
zyre_set_zcert (zyre_t *self, zcert_t *zcert)
{
    assert (zcert);                     //  actor will assert check the keys

    const char *public_txt = zcert_public_txt (zcert);
    const char *secret_txt = zcert_secret_txt (zcert);

    zstr_sendx (self->actor, "SET PUBLICKEY", public_txt, NULL);
    zstr_sendx (self->actor, "SET SECRETKEY", secret_txt, NULL);
}
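//  Emit one 32-byte key as a C array initializer named "<prefix>_<suffix>",
//  eight bytes per row, reproducing the exact layout the original
//  32-argument fprintf produced so generated headers stay identical.
static void
s_write_key_array (FILE *out, const char *prefix, const char *suffix,
                   const uint8_t *key)
{
    fprintf (out, "uint8_t %s_%s[32] = {", prefix, suffix);
    for (int i = 0; i < 32; i++) {
        fprintf (out, "0x%hhx", key [i]);
        if (i == 31)
            fputs (" };\n", out);
        else
        if (i % 8 == 7)
            fputs (",\n ", out);
        else
            fputc (',', out);
    }
}

//  Generate a fresh CURVE server/client key pair named after argv[1] and
//  write them as C headers "servcert_<name>.h" / "clicert_<name>.h", plus
//  czmq certificate files "server_<name>" / "client_<name>".
//
//  Security notes:
//   - The headers contain the SECRET keys in plain text.  They must be kept
//     out of version control and distributed only to the party that owns
//     them; the on-disk "_secret" files are removed for the same reason.
//   - Files are created via fopen() and so get the process umask.  Run with
//     a restrictive umask (e.g. 077); this tool does not chmod them itself.
//   - <name> is pasted into C identifiers unchanged; use only [A-Za-z0-9_].
//
//  Fixes vs. original: argv[1] was read without checking argc; four
//  sprintf() calls copied argv[1] into fixed buffers unbounded (stack
//  overflow on a long name); fopen() results were unchecked; the unlink()
//  calls hard-coded "*_banshare_secret", so for any other name the secret
//  key files were silently left on disk; zcert_new() can return NULL when
//  libsodium is absent; and the certificates were never destroyed.
//
//  Returns 0 on success, 1 on any error (message on stderr).
int
main (int argc, char **argv)
{
    if (argc < 2) {
        fprintf (stderr, "usage: %s <cert-name>\n",
                 argc > 0 ? argv [0] : "mkcert");
        return 1;
    }
    const char *name = argv [1];

    char serv_header [1000];            //  servcert_<name>.h
    char cli_header [1000];             //  clicert_<name>.h
    char serv_path [500];               //  server_<name>
    char cli_path [500];                //  client_<name>
    char serv_secret [512];             //  server_<name>_secret
    char cli_secret [512];              //  client_<name>_secret

    //  snprintf returns the length it wanted; >= size means truncation
    if (snprintf (serv_header, sizeof serv_header, "servcert_%s.h", name) >= (int) sizeof serv_header
    ||  snprintf (cli_header, sizeof cli_header, "clicert_%s.h", name) >= (int) sizeof cli_header
    ||  snprintf (serv_path, sizeof serv_path, "server_%s", name) >= (int) sizeof serv_path
    ||  snprintf (cli_path, sizeof cli_path, "client_%s", name) >= (int) sizeof cli_path) {
        fprintf (stderr, "cert name too long\n");
        return 1;
    }
    //  These cannot truncate: 499 + strlen ("_secret") + NUL <= 512
    snprintf (serv_secret, sizeof serv_secret, "%s_secret", serv_path);
    snprintf (cli_secret, sizeof cli_secret, "%s_secret", cli_path);

    zcert_t *serv_cert = zcert_new ();
    zcert_t *cli_cert = zcert_new ();
    if (!serv_cert || !cli_cert) {
        //  zcert_new returns NULL when CURVE (libsodium) is not available
        fprintf (stderr, "CURVE key generation failed (no libsodium?)\n");
        zcert_destroy (&serv_cert);
        zcert_destroy (&cli_cert);
        return 1;
    }

    FILE *serv = fopen (serv_header, "w");
    FILE *cli = fopen (cli_header, "w");
    if (!serv || !cli) {
        perror ("fopen");
        if (serv)
            fclose (serv);
        if (cli)
            fclose (cli);
        zcert_destroy (&serv_cert);
        zcert_destroy (&cli_cert);
        return 1;
    }

    //  Z85 text form of each key.  Identifier suffixes ("_cli_" for the
    //  text, "_client_" for the byte arrays) are kept as-is because
    //  existing consumers of the generated headers depend on them.
    fprintf (serv, "char *%s_server_private_txt = \"%s\";\n", name, zcert_secret_txt (serv_cert));
    fprintf (serv, "char *%s_server_public_txt = \"%s\";\n\n\n", name, zcert_public_txt (serv_cert));
    fprintf (cli, "char *%s_cli_private_txt = \"%s\";\n", name, zcert_secret_txt (cli_cert));
    fprintf (cli, "char *%s_cli_public_txt = \"%s\";\n\n\n", name, zcert_public_txt (cli_cert));

    //  Save czmq-format certificates, then drop the "_secret" companions:
    //  the secret material lives only in the generated headers.
    if (zcert_save (serv_cert, serv_path) != 0
    ||  zcert_save (cli_cert, cli_path) != 0)
        fprintf (stderr, "warning: could not save certificate files\n");
    unlink (serv_secret);
    unlink (cli_secret);

    //  Raw 32-byte forms
    s_write_key_array (serv, name, "server_private", zcert_secret_key (serv_cert));
    s_write_key_array (serv, name, "server_public", zcert_public_key (serv_cert));
    s_write_key_array (cli, name, "client_private", zcert_secret_key (cli_cert));
    s_write_key_array (cli, name, "client_public", zcert_public_key (cli_cert));

    zcert_destroy (&serv_cert);
    zcert_destroy (&cli_cert);

    //  fclose failure means the header is incomplete on disk
    int rc = 0;
    if (fclose (serv) != 0 || fclose (cli) != 0) {
        perror ("fclose");
        rc = 1;
    }
    return rc;
}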
/// // Return secret part of key pair as Z85 armored string const QString QmlZcert::secretTxt () { return QString (zcert_secret_txt (self)); };
/// // Return secret part of key pair as Z85 armored string const QString QZcert::secretTxt () { const QString rv = QString (zcert_secret_txt (self)); return rv; }
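//  Self test of the zgossip actor.
//
//  Part 1: a raw DEALER client speaks the protocol to one server actor.
//  Part 2: three gossip actors converge on a shared tuple set.
//  Part 3 (draft API, only if CURVE is available): the same exchange over
//  a CURVE-encrypted TCP endpoint with a zauth actor.  Note that the
//  authenticator is configured with CURVE_ALLOW_ANY, so this exercises
//  encryption and server pinning (the client is handed the server public
//  key on CONNECT) but does NOT authenticate the client's key.
//
//  Fixes vs. original: the `server` and `client1` actors were used before
//  their assert (server) / assert (client1); zgossip_msg_recv's return
//  value was ignored, so a 2s receive timeout surfaced as a misleading
//  id-mismatch assert; the endpoint buffer is now filled with snprintf.
void
zgossip_test (bool verbose)
{
    printf (" * zgossip: ");
    if (verbose)
        printf ("\n");

    //  @selftest
    //  Test basic client-to-server operation of the protocol
    zactor_t *server = zactor_new (zgossip, "server");
    assert (server);
    if (verbose)
        zstr_send (server, "VERBOSE");
    zstr_sendx (server, "BIND", "inproc://zgossip", NULL);

    zsock_t *client = zsock_new (ZMQ_DEALER);
    assert (client);
    zsock_set_rcvtimeo (client, 2000);
    int rc = zsock_connect (client, "inproc://zgossip");
    assert (rc == 0);

    //  Send HELLO, which gets no message
    zgossip_msg_t *message = zgossip_msg_new ();
    zgossip_msg_set_id (message, ZGOSSIP_MSG_HELLO);
    zgossip_msg_send (message, client);

    //  Send PING, expect PONG back
    zgossip_msg_set_id (message, ZGOSSIP_MSG_PING);
    zgossip_msg_send (message, client);
    rc = zgossip_msg_recv (message, client);
    assert (rc == 0);                   //  fails clearly on receive timeout
    assert (zgossip_msg_id (message) == ZGOSSIP_MSG_PONG);
    zgossip_msg_destroy (&message);

    zactor_destroy (&server);
    zsock_destroy (&client);

    //  Test peer-to-peer operations
    zactor_t *base = zactor_new (zgossip, "base");
    assert (base);
    if (verbose)
        zstr_send (base, "VERBOSE");
    //  Set a 100msec timeout on clients so we can test expiry
    zstr_sendx (base, "SET", "server/timeout", "100", NULL);
    zstr_sendx (base, "BIND", "inproc://base", NULL);

    zactor_t *alpha = zactor_new (zgossip, "alpha");
    assert (alpha);
    zstr_sendx (alpha, "CONNECT", "inproc://base", NULL);
    zstr_sendx (alpha, "PUBLISH", "inproc://alpha-1", "service1", NULL);
    zstr_sendx (alpha, "PUBLISH", "inproc://alpha-2", "service2", NULL);

    zactor_t *beta = zactor_new (zgossip, "beta");
    assert (beta);
    zstr_sendx (beta, "CONNECT", "inproc://base", NULL);
    zstr_sendx (beta, "PUBLISH", "inproc://beta-1", "service1", NULL);
    zstr_sendx (beta, "PUBLISH", "inproc://beta-2", "service2", NULL);

    //  got nothing
    zclock_sleep (200);

    //  alpha must now hold all four tuples (its own two plus beta's two)
    zstr_send (alpha, "STATUS");
    char *command, *status, *key, *value;

    zstr_recvx (alpha, &command, &key, &value, NULL);
    assert (streq (command, "DELIVER"));
    assert (streq (key, "inproc://alpha-1"));
    assert (streq (value, "service1"));
    zstr_free (&command);
    zstr_free (&key);
    zstr_free (&value);

    zstr_recvx (alpha, &command, &key, &value, NULL);
    assert (streq (command, "DELIVER"));
    assert (streq (key, "inproc://alpha-2"));
    assert (streq (value, "service2"));
    zstr_free (&command);
    zstr_free (&key);
    zstr_free (&value);

    zstr_recvx (alpha, &command, &key, &value, NULL);
    assert (streq (command, "DELIVER"));
    assert (streq (key, "inproc://beta-1"));
    assert (streq (value, "service1"));
    zstr_free (&command);
    zstr_free (&key);
    zstr_free (&value);

    zstr_recvx (alpha, &command, &key, &value, NULL);
    assert (streq (command, "DELIVER"));
    assert (streq (key, "inproc://beta-2"));
    assert (streq (value, "service2"));
    zstr_free (&command);
    zstr_free (&key);
    zstr_free (&value);

    zstr_recvx (alpha, &command, &status, NULL);
    assert (streq (command, "STATUS"));
    assert (atoi (status) == 4);
    zstr_free (&command);
    zstr_free (&status);

    zactor_destroy (&base);
    zactor_destroy (&alpha);
    zactor_destroy (&beta);

#ifdef CZMQ_BUILD_DRAFT_API
    //  DRAFT-API: Security
    //  curve
    if (zsys_has_curve ()) {
        if (verbose)
            printf ("testing CURVE support");
        zclock_sleep (2000);
        zactor_t *auth = zactor_new (zauth, NULL);
        assert (auth);
        if (verbose) {
            zstr_sendx (auth, "VERBOSE", NULL);
            zsock_wait (auth);
        }
        zstr_sendx (auth, "ALLOW", "127.0.0.1", NULL);
        zsock_wait (auth);
        //  Accept any client key: encryption only, no client authentication
        zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
        zsock_wait (auth);

        server = zactor_new (zgossip, "server");
        assert (server);
        if (verbose)
            zstr_send (server, "VERBOSE");

        zcert_t *client1_cert = zcert_new ();
        zcert_t *server_cert = zcert_new ();
        assert (client1_cert);
        assert (server_cert);

        //  Server identity is pushed to the actor as Z85 text
        zstr_sendx (server, "SET PUBLICKEY", zcert_public_txt (server_cert), NULL);
        zstr_sendx (server, "SET SECRETKEY", zcert_secret_txt (server_cert), NULL);
        zstr_sendx (server, "ZAP DOMAIN", "TEST", NULL);
        zstr_sendx (server, "BIND", "tcp://127.0.0.1:*", NULL);
        zstr_sendx (server, "PORT", NULL);
        zstr_recvx (server, &command, &value, NULL);
        assert (streq (command, "PORT"));
        int port = atoi (value);
        zstr_free (&command);
        zstr_free (&value);
        char endpoint [32];
        snprintf (endpoint, sizeof endpoint, "tcp://127.0.0.1:%d", port);

        zactor_t *client1 = zactor_new (zgossip, "client");
        assert (client1);
        if (verbose)
            zstr_send (client1, "VERBOSE");
        zstr_sendx (client1, "SET PUBLICKEY", zcert_public_txt (client1_cert), NULL);
        zstr_sendx (client1, "SET SECRETKEY", zcert_secret_txt (client1_cert), NULL);
        zstr_sendx (client1, "ZAP DOMAIN", "TEST", NULL);
        //  The client pins the server's public key on CONNECT
        const char *public_txt = zcert_public_txt (server_cert);
        zstr_sendx (client1, "CONNECT", endpoint, public_txt, NULL);
        zstr_sendx (client1, "PUBLISH", "tcp://127.0.0.1:9001", "service1", NULL);
        zclock_sleep (500);
        zstr_send (server, "STATUS");
        zclock_sleep (500);
        zstr_recvx (server, &command, &key, &value, NULL);
        assert (streq (command, "DELIVER"));
        assert (streq (value, "service1"));
        zstr_free (&command);
        zstr_free (&key);
        zstr_free (&value);

        zstr_sendx (client1, "$TERM", NULL);
        zstr_sendx (server, "$TERM", NULL);
        zclock_sleep (500);

        zcert_destroy (&client1_cert);
        zcert_destroy (&server_cert);
        zactor_destroy (&client1);
        zactor_destroy (&server);
        zactor_destroy (&auth);
    }
#endif

#if defined (__WINDOWS__)
    zsys_shutdown ();
#endif
    //  @end
    printf ("OK\n");
}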
//  Authentication test procedure for zproxy sockets - matches zauth_test steps.
//
//  Walks the zauth policy ladder for the selected proxy side(s):
//  no authenticator -> NULL with domain -> IP DENY/ALLOW -> PLAIN ->
//  CURVE (if available) -> authenticator removed again.  Each step binds
//  fresh proxy sockets and checks via s_can_connect whether a client gets
//  through.  The test-file macros below are defined inside the function
//  and are never #undef'd, so they stay visible for the rest of this
//  translation unit.
static void
zproxy_test_authentication (int selected_sockets, bool verbose)
{
#   define TESTDIR ".test_zproxy"
#   define TESTPWDS TESTDIR "/password-file"
#   define TESTCERT TESTDIR "/mycert.txt"
#   define TESTFRONTEND (selected_sockets & FRONTEND_SOCKET)
#   define TESTBACKEND (selected_sockets & BACKEND_SOCKET)

    //  Demarcate test boundaries
    zsys_info ("zproxy: TEST authentication type=%s%s%s",
        TESTFRONTEND? "FRONTEND": "",
        TESTFRONTEND && TESTBACKEND? "+": "",
        TESTBACKEND? "BACKEND": "");

    //  Create temporary directory for test files
    zsys_dir_create (TESTDIR);

    //  Clear out any test files from previous run (the password file and
    //  client certificate written further down are not removed at the end)
    if (zsys_file_exists (TESTPWDS))
        zsys_file_delete (TESTPWDS);
    if (zsys_file_exists (TESTCERT))
        zsys_file_delete (TESTCERT);

    zactor_t *proxy = NULL;
    zsock_t *faucet = NULL;
    zsock_t *sink = NULL;
    char *frontend = NULL;
    char *backend = NULL;

    //  Check there's no authentication
    s_create_test_sockets (&proxy, &faucet, &sink, verbose);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    bool success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    //  Install the authenticator
    zactor_t *auth = zactor_new (zauth, NULL);
    assert (auth);
    if (verbose) {
        zstr_sendx (auth, "VERBOSE", NULL);
        zsock_wait (auth);
    }

    //  Check there's no authentication on a default NULL server
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    //  When we set a domain on the server, we switch on authentication
    //  for NULL sockets, but with no policies, the client connection
    //  will be allowed.
    s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    //  Blacklist 127.0.0.1, connection should fail
    s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    zstr_sendx (auth, "DENY", "127.0.0.1", NULL);
    zsock_wait (auth);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (!success);

    //  Whitelist our address, which overrides the blacklist
    //  (zauth: an ALLOW entry takes precedence over a DENY entry)
    s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    zstr_sendx (auth, "ALLOW", "127.0.0.1", NULL);
    zsock_wait (auth);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    //  Try PLAIN authentication
    //  Test negative case (no server-side passwords defined)
    s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Password");
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (!success);

    //  Test positive case (server-side passwords defined).
    //  The password file is clear text "user=password" lines and is created
    //  with the process umask; acceptable for a throwaway test fixture only.
    FILE *password = fopen (TESTPWDS, "w");
    assert (password);
    fprintf (password, "admin=Password\n");
    fclose (password);
    s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Password");
    zstr_sendx (auth, "PLAIN", TESTPWDS, NULL);
    zsock_wait (auth);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    //  Test negative case (bad client password)
    s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Bogus");
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (!success);

    if (zsys_has_curve ()) {
        //  We'll create two new certificates and save the client public
        //  certificate on disk
        zcert_t *server_cert = zcert_new ();
        assert (server_cert);
        zcert_t *client_cert = zcert_new ();
        assert (client_cert);
        char *public_key = zcert_public_txt (server_cert);
        char *secret_key = zcert_secret_txt (server_cert);

        //  Try CURVE authentication
        //  Test without setting-up any authentication: with a CURVE server
        //  and no CURVE policy installed, zauth rejects every client
        //  (default-deny), so the connection must fail.
        s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
        s_bind_proxy_sockets (proxy, &frontend, &backend);
        s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
        success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
        assert (!success);

        //  Test CURVE_ALLOW_ANY: any client key is accepted, so this gives
        //  encryption without client authentication.
        s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
        s_bind_proxy_sockets (proxy, &frontend, &backend);
        s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
        zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
        zsock_wait (auth);
        success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
        assert (success);

        //  Test with client certificate file in authentication folder:
        //  only the public half is saved, and zauth accepts clients whose
        //  public key appears in that directory.
        s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
        s_bind_proxy_sockets (proxy, &frontend, &backend);
        s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
        zcert_save_public (client_cert, TESTCERT);
        zstr_sendx (auth, "CURVE", TESTDIR, NULL);
        zsock_wait (auth);
        success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
        assert (success);

        zcert_destroy (&server_cert);
        zcert_destroy (&client_cert);
    }

    //  Remove the authenticator and check a normal connection works
    zactor_destroy (&auth);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    zsock_destroy (&faucet);
    zsock_destroy (&sink);
    zactor_destroy (&proxy);
    zstr_free (&frontend);
    zstr_free (&backend);
}
// ZMQCert::getSecretTxt(): string
//
// Returns the secret half of the CURVE key pair as Z85 text.  The value
// is copied (CopyString) into a new HHVM String, which is not scrubbed
// when collected; treat the result as sensitive and do not log it.
String HHVM_METHOD(ZMQCert, getSecretTxt) {
  auto* cert = Native::data<ZMQCert>(this_);
  const char* z85 = zcert_secret_txt(cert->zcert);
  return String(z85, CopyString);
}