From fd8e964bd884c9412ead413e314d0245775c883c Mon Sep 17 00:00:00 2001
From: Heikki Hannikainen
Date: Tue, 25 Oct 2022 01:16:06 +0300
Subject: [PATCH] tests: Create test CA + server cert, add tls1 test server config
---
 .github/workflows/tests.yml | 2 +-
 tests/Makefile | 25 ++++++++++++-
 tests/cfg-aprsc/basic | 6 ----
 tests/cfg-aprsc/tls1 | 64 +++++++++++++++++++++++++++++++++
 tests/tls-openssl.conf | 70 +++++++++++++++++++++++++++++++++++++
 5 files changed, 159 insertions(+), 8 deletions(-)
 create mode 100644 tests/cfg-aprsc/tls1
 create mode 100644 tests/tls-openssl.conf
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 9b9abc7..52e66d6 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -16,7 +16,7 @@ jobs:
- name: install deps run: | - sudo apt-get install -y libevent-dev perl-modules libio-socket-inet6-perl libjson-xs-perl libwww-perl libsctp-dev + sudo apt-get install -y libevent-dev perl-modules libio-socket-inet6-perl libjson-xs-perl libwww-perl libsctp-dev openssl - name: configure run: |
diff --git a/tests/Makefile b/tests/Makefile
index ff033ab..2625db4 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -15,7 +15,7 @@ TESTID=`echo $$$$_$$RANDOM$$RANDOM$$RANDOM`
TEST_SRCCALLS="XX7FIT-1,XX7FIT-2"
TEST_IGATE="XX7IG"
-test:
+test: tls-testcert
@rm -f logs/aprsc.log
PERL_DL_NONLAZY=1 $(PERL) "-MExtUtils::Command::MM" "-e" "test_harness($(TEST_VERBOSE), '$(INST_LIB)', '$(INST_ARCHLIB)')" $(TEST_FILES)
@@ -30,3 +30,26 @@ aggrtest:
TEST_ID=$(TESTID) TEST_IGATE=$(TEST_IGATE) TEST_SRCCALLS=$(TEST_SRCCALLS) \
PERL_DL_NONLAZY=1 $(PERL) "-MExtUtils::Command::MM" "-e" "test_harness($(TEST_VERBOSE), '$(INST_LIB)', '$(INST_ARCHLIB)')" $(AGGREGATOR_FILES)
+tls-testca: tls-testca/cacert.pem
+tls-testcert: tls-testca cfg-aprsc/tls1-cert.pem
+
+tls-testca/serial:
+ mkdir -p tls-testca tmp
+ (cd tls-testca && mkdir -p certs newcerts private)
+ touch tls-testca/index.txt tls-testca/index.txt.attr
+ echo 00 > tls-testca/serial
+
+tls-testca/cacert.pem: tls-testca/serial
+ openssl req -x509 -new -nodes -newkey rsa:2048 -keyout tls-testca/private/cakey.pem -sha256 -days 7300 \
+ -subj "/O=aprsc TEST/OU=Testing Department/CN=Testing CA" -out tls-testca/cacert.pem
+
+cfg-aprsc/tls1-cert.pem:
+ openssl req -new -config tls-openssl.conf \
+ -keyout cfg-aprsc/tls1-key.pem -out tmp/tls1-req.pem \
+ -newkey rsa:2048 -nodes -sha256 \
+ -subj "/O=aprsc TEST/callSign=TLS1/CN=tls1host.example.com"
+
+ openssl ca -config tls-openssl.conf -batch \
+ -in tmp/tls1-req.pem -out cfg-aprsc/tls1-cert.pem \
+ -days 3650
+
diff --git a/tests/cfg-aprsc/basic b/tests/cfg-aprsc/basic
index 5829a6f..11b7f61 100644
--- a/tests/cfg-aprsc/basic
+++ b/tests/cfg-aprsc/basic
@@ -1,9 +1,3 @@
-#
-# USE RCS !!!
-# $Id$
-#
-
-# Configuration for aprsc, an APRS-IS server for core servers
ServerId TESTING
PassCode 31421
diff --git a/tests/cfg-aprsc/tls1 b/tests/cfg-aprsc/tls1
new file mode 100644
index 0000000..8854729
--- /dev/null
+++ b/tests/cfg-aprsc/tls1
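Review bot: `cfg-aprsc/tls1-cert.pem:` declares no prerequisites, so its `openssl ca` step reaches the CA only through the order of `tls-testcert`'s prerequisite list, which `make -j` does not honour, and a server cert signed by a CA that has since been regenerated is never rebuilt; the rule header should read `cfg-aprsc/tls1-cert.pem: tls-testca/cacert.pem tls-openssl.conf`. That prerequisite also guarantees the `tmp/` directory the request is written to, which only the `tls-testca/serial` recipe creates. `tls-testca` and `tls-testcert` name no files and, unless a `.PHONY` line outside the hunk already lists them, should be declared with `.PHONY: tls-testca tls-testcert`. Both recipes also write private keys (`cfg-aprsc/tls1-key.pem`, `tls-testca/private/cakey.pem`) as side effects of other targets, so a removed key is not regenerated on its own; the generated key material under `cfg-aprsc/` and `tls-testca/` should be ignored by git and removed by `clean`, neither of which this hunk shows.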
@@ -0,0 +1,64 @@
+
+ServerId TLS1
+PassCode 29855
+MyEmail email@example.com
+MyAdmin "Admin, N0CALL"
+
+### Directories #########
+# Data directory (for database files)
+RunDir data
+
+### Intervals #########
+# Interval specification format examples:
+# 600 (600 seconds), 5m, 2h, 1h30m, 1d3h15m24s, etc...
+
+# When no data is received from an upstream server in N seconds, switch to
+# another server
+UpstreamTimeout 60s
+
+# When no data is received from a downstream server in N seconds, disconnect
+ClientTimeout 48h
+
+### TCP listener ##########
+# Listen tcp
+# socketname: any name you wish to show up in logs and statistics
+# porttype: one of:
+# fullfeed - everything, after dupe filtering
+# dupefeed - everything that comes in - with dupes!
+# msgonly - messages only
+# userfilter - user-specified filters
+#
+Listen "Full feed TLS" fullfeed tcp ::0 55152 acl "cfg-aprsc/acl-all.acl" \
+ sslkey cfg-aprsc/tls1-key.pem sslcert cfg-aprsc/tls1-cert.pem sslca tls-testca/cacert.pem
+Listen "Igate port TLS" igate tcp 0.0.0.0 55580 acl "cfg-aprsc/acl-all.acl" \
+ sslkey cfg-aprsc/tls1-key.pem sslcert cfg-aprsc/tls1-cert.pem sslca tls-testca/cacert.pem
+
+### Uplink configuration ########
+# Uplink tcp
+# name: a name of the server or service you're connecting
+# type: one of:
+# full - full feed
+# ro - read-only, do not transmit anything upstream
+#
+Uplink full1 full tcp 127.0.0.1 10153
+
+# UDP peering, first address is my local address, the rest are remote.
+PeerGroup TLS1 udp 127.0.0.1:16404 \
+ SELF 127.0.0.1:16404 \
+ PEER1 127.0.0.1:16405 \
+ PEER2 127.0.0.1:16406
+
+### HTTP listener ##########
+# Status port provides a status view to web browsers.
+# It starts up by default on 0.0.0.0:14501.
+HTTPStatus 127.0.0.1 55501
+# Upload port allows position uploads.
+# It does not start up by default.
+HTTPUpload 127.0.0.1 55080
+
+### Internals ############
+# Only use 3 threads in these basic tests, to keep startup/shutdown times
+# short.
+WorkerThreads 3
+
+
diff --git a/tests/tls-openssl.conf b/tests/tls-openssl.conf
new file mode 100644
index 0000000..be7cdda
--- /dev/null
+++ b/tests/tls-openssl.conf
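Review bot: The two TLS `Listen` lines bind to all interfaces (`::0` and `0.0.0.0`) while `HTTPStatus` and `HTTPUpload` in the same file are bound to `127.0.0.1`; if the test client runs on the same host, as `Uplink full1 full tcp 127.0.0.1 10153` suggests, binding the TLS listeners to loopback as well keeps a test server running on generated, unencrypted keys from being reachable by anything else on the runner's network (this may mirror the other test configs, which are not visible here). The `sslca tls-testca/cacert.pem` setting presumably turns on client-certificate verification against the test CA; a comment above the `Listen` lines stating that, and that `tls1-key.pem`, `tls1-cert.pem` and `tls-testca/` are produced by `make tls-testcert`, would spare the next reader a trip to the Makefile. The closing comment `# Only use 3 threads in these basic tests` is copied from the basic config and should name the TLS test instead.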
@@ -0,0 +1,70 @@
+
+HOME = .
+# RANDFILE = .rnd
+
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+[ new_oids ]
+# Amateur radio callsign OID used by LotW
+callSign = 1.3.6.1.4.1.12348.1.1
+
+[ ca ]
+default_ca = testca
+
+[ testca ]
+
+dir = ./tls-testca # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem # The private key
+
+x509_extensions = aprsc_cert
+default_md = sha256
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+
+policy = policy_client
+
+[ policy_client ]
+callSign = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+distinguished_name = req_distinguished_name
+default_bits = 2048
+
+
+[ req_distinguished_name ]
+callSign = Callsign
+callSign_max = 12
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ aprsc_cert ]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+extendedKeyUsage = clientAuth,serverAuth
+
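Review bot: `[ aprsc_cert ]` sets no `subjectAltName`, so the certificate the Makefile issues for `CN=tls1host.example.com` carries the host name only in the CN, and clients that apply RFC 6125 strictly and ignore the CN (browsers and several newer TLS stacks) fail hostname verification against it; adding `subjectAltName = DNS:tls1host.example.com` to the section keeps the test certificate usable with such clients. `extendedKeyUsage = clientAuth,serverAuth` is applied to every certificate this CA issues, which is acceptable for a test CA but deserves a comment saying so, e.g. `# test CA: every issued cert is usable as both a server and a client cert`. `crl_dir = $dir/crl` points at a directory the Makefile's `tls-testca/serial` recipe never creates; harmless until a CRL is generated, but either create it there or drop the line. The copied comment `# several ctificates with same subject.` has a typo (certificates).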