From b76d1bcc4d135f0d46a1f5daa54a0faa939cfd20 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 5 Aug 2014 15:11:33 -0700 Subject: added kkp_ca_file config option --- config/default.yml | 2 +- config/sks-keyservers.netCA.pem | 32 ++++++++++++++++++++++++++++ lib/nickserver/config.rb | 18 ++++++++++++++++ test/files/autistici-ca.pem | 40 +++++++++++++++++++++++++++++++++++ test/files/mayfirst-ca.pem | 22 ++++++++++++++++++++ test/test_helper.rb | 13 +++++++++++- test/unit/hkp_test.rb | 46 +++++++++++++++++++++++++++++++---------- 7 files changed, 160 insertions(+), 13 deletions(-) create mode 100644 config/sks-keyservers.netCA.pem create mode 100644 test/files/autistici-ca.pem create mode 100644 test/files/mayfirst-ca.pem diff --git a/config/default.yml b/config/default.yml index 8ddadce..898b91b 100644 --- a/config/default.yml +++ b/config/default.yml @@ -21,4 +21,4 @@ couch_password: ~ # HKP # hkp_url: 'https://hkps.pool.sks-keyservers.net:/pks/lookup' - +hkp_ca_file: 'config/sks-keyservers.netCA.pem' diff --git a/config/sks-keyservers.netCA.pem b/config/sks-keyservers.netCA.pem new file mode 100644 index 0000000..24a2ad2 --- /dev/null +++ b/config/sks-keyservers.netCA.pem 
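Review bot: The new `hkp_ca_file` default in `config/default.yml` has no comment, although it is coupled to `hkp_url` on the line above. The bundled sks-keyservers.net CA is presumably only useful for servers of that pool, so an operator who points `hkp_url` elsewhere has to replace this value too. A comment above the key would make that explicit, for example `# CA certificate used to verify the hkp_url server (absolute path, or relative to the gem root); must match the configured hkp_url`. The validity dates in the bundled PEM appear to decode to an expiry in October 2022, so the comment could also say that the file must be refreshed when the CA is reissued.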
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV +BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u +ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw +MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP +c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr +cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I +6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj +MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F +45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS +FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx +Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4 +aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx +MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y +u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9 +p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP +fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G +A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY +TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR +OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u +gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/ +X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5 +gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB +UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04 +lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT +BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB +cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U +f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G +ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph 
+WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg== +-----END CERTIFICATE----- diff --git a/lib/nickserver/config.rb b/lib/nickserver/config.rb index 31fbfea..0f44b79 100644 --- a/lib/nickserver/config.rb +++ b/lib/nickserver/config.rb @@ -9,6 +9,7 @@ module Nickserver class << self attr_accessor :hkp_url + attr_accessor :hkp_ca_file attr_accessor :couch_port attr_accessor :couch_host attr_accessor :couch_database @@ -32,10 +33,27 @@ module Nickserver end true end + self.validate end private + def self.validate + if @hkp_ca_file + # look for the hkp_ca_file either by absolute path or relative to nickserver gem root + [@hkp_ca_file, File.expand_path(@hkp_ca_file, "#{__FILE__}/../../../")].each do |file| + if File.exists?(file) + @hkp_ca_file = file + break + end + end + unless File.exists?(@hkp_ca_file) + STDERR.puts "ERROR in configuration: cannot find hkp_ca_file `#{@hkp_ca_file}`" + exit(1) + end + end + end + def self.load_config(file_path) begin YAML.load(File.read(file_path)).each do |key, value| diff --git a/test/files/autistici-ca.pem b/test/files/autistici-ca.pem new file mode 100644 index 0000000..f7f5c12 --- /dev/null +++ b/test/files/autistici-ca.pem 
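Review bot: In `validate`, the first lookup candidate is the raw `@hkp_ca_file`, and for a relative value `File.exists?` resolves it against the process's working directory, not an absolute path as the comment says. The shipped default `config/sks-keyservers.netCA.pem` is relative, so which file becomes the TLS trust anchor depends on the directory the daemon is started from. `File.expand_path` returns an absolute argument unchanged, so the loop can be replaced by the deterministic `@hkp_ca_file = File.expand_path(@hkp_ca_file, "#{__FILE__}/../../../")`. `File.exists?` is a deprecated alias (removed in Ruby 3.2); `unless File.file?(@hkp_ca_file) && File.readable?(@hkp_ca_file)` would also reject a directory or an unreadable file. The method that calls `self.validate` starts outside the hunk.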
@@ -0,0 +1,40 @@ +-----BEGIN CERTIFICATE----- +MIIHGzCCBQOgAwIBAgIJAOz4nHK3k904MA0GCSqGSIb3DQEBBQUAMIGCMQswCQYD +VQQGEwJJVDEcMBoGA1UEChMTQXV0aXN0aWNpL0ludmVudGF0aTE0MDIGA1UEAxMr +QXV0aXN0aWNpL0ludmVudGF0aSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEfMB0G +CSqGSIb3DQEJARYQY2FAYXV0aXN0aWNpLm9yZzAeFw0wNTEwMDgxNDIxMTRaFw0x +NTA5MjkxNDIxMTRaMIGCMQswCQYDVQQGEwJJVDEcMBoGA1UEChMTQXV0aXN0aWNp +L0ludmVudGF0aTE0MDIGA1UEAxMrQXV0aXN0aWNpL0ludmVudGF0aSBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQY2FAYXV0aXN0aWNpLm9y +ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM0J8NPYkgcSrBpBXxEo +rDoxPwbwUP+IYfVD/clMV66mBTovzGaZYC/q+Y8JcpvYPpLDs+Cwm0MSGRFLV8j8 +w6fmQI0ybaV5m4htGiM4HmzMaJ2b7kBuBuCM2GprSgpESS9EXJ+q0kmuMiKkvl5/ +ZdHB0DVUoNN7qnvlRTz9yK7PzXioPVHA+i6ViH90WxYpdndBjI+vSEcA9t7kVU2N +gjuZuFDcz99e+yHn5o/yTomX0Te8BndznVlyaypIUyTVTdKAoHHJ5PoL3FkdaYAe +CamXbLev8+9nt9p4Vc1JBiou9y6jG/Eklp9v4+fQ+p+RJxt64H+DmYpTgnWTm/3Q +XZQuLCLyRFuLuc5hrywBQMiBFPIaZBYJmW6fYI9yIjbXbndQujWq1WFdk65NWg4t +8PxRvmzvpIdd7WKRAPbjXsUVfDPD/k3XqZzHNd7W70kWCvszbQLH+syNUVMhgBF2 +rx19A9fbsH8GT5asNx1xqfJpueyhgl+7o2s1kjCC20RPw+Umue/JqDlorvrqBqSx +I/VOGKipUsw/WW3c3CSIE+k5GVGoBQ07f+I+qmFl3p1yqVLk4aiDUy+UBQMWsCYH +pyPJpyNF7254WLgb5ZaBCB55K1T72iUDx4VJn1uQd8sXjPpFlyjhIvvIszcXw0t0 +IuO8TJYgLyQbGvLwskPpaxwJAgMBAAGjggGQMIIBjDAdBgNVHQ4EFgQUcgSPaLY/ +zYu2JDg6NydLKwFrjW0wgbcGA1UdIwSBrzCBrIAUcgSPaLY/zYu2JDg6NydLKwFr +jW2hgYikgYUwgYIxCzAJBgNVBAYTAklUMRwwGgYDVQQKExNBdXRpc3RpY2kvSW52 +ZW50YXRpMTQwMgYDVQQDEytBdXRpc3RpY2kvSW52ZW50YXRpIENlcnRpZmljYXRp +b24gQXV0aG9yaXR5MR8wHQYJKoZIhvcNAQkBFhBjYUBhdXRpc3RpY2kub3JnggkA +7PiccreT3TgwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4 +QgEBBAQDAgAHMEYGCWCGSAGG+EIBDQQ5FjdBdXRpc3RpY2kvSW52ZW50YXRpIENl +cnRpZmljYXRpb24gQXV0aG9yaXR5IENlcnRpZmljYXRlMBsGA1UdEQQUMBKBEGNh +QGF1dGlzdGljaS5vcmcwGwYDVR0SBBQwEoEQY2FAYXV0aXN0aWNpLm9yZzANBgkq +hkiG9w0BAQUFAAOCAgEAOEHJZVfVVNwe2b9tu2CGjvnKjf/wIAc6qGvVp/o2aQpZ +TDJWNWEMXqCgQ/c90Fk4thIr47TzYYl0eaNQBNN/l87WHGRmjuCTzhJCdBcdPrqI 
+jwep3IouuwZMoN0VZCTlIgeZ/DX/HC3B3bE3HNGTWlBdk3mNobw1saE9CKKEbuDX +FE1BFbZQ3Kc3vqCY3ZOOrOy1usposj5aq2n8kfnlylvSW3Xyxpd6Ad4MkEhDuohK +W1vQlmKMyoLwMhLlGtfiqDxeKg/nzZCBavEXg4DIelRTbCuqMwglSDFO95R0uCUG +meI6GQ/N1+8VVY4+3yMxSmua7kQ1A00J839qqduqcMfE5/KlnZ1IDY+kBP39jBa1 +JHgpRLc3zi8Rn0GRuxuMX3L4bYAWhqcNdlodgCvh1HU2JqWRdCv0xamy2XRk99m1 +zyTYZh5ZkthQJTCJcnKm/C91jLwzm0Jxze/xftBzTQopdZ2zrr4JFGei9MHNpLZ7 +kBXXeobvgkl0bq4TLHP0wE6A9QgA39b8KQ/7LlCSHjpNxtQKv4y54Yz9Lsdj7eUh +ZIRZTLZuwNzIlT0TGXaqQnLCmqKiP2AJKGAhUyAT4P3QXGheExdpcSyQ3X0kaVaS +kWSqyylqMmL7oO1p7RVnSApnoVToqaTZXEj8DtmztgWUe7s2n/x8jYKR0qCtx84= +-----END CERTIFICATE----- diff --git a/test/files/mayfirst-ca.pem b/test/files/mayfirst-ca.pem new file mode 100644 index 0000000..471f532 --- /dev/null +++ b/test/files/mayfirst-ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjTCCAvagAwIBAgIJANhg2/WVrETtMA0GCSqGSIb3DQEBBQUAMIGMMR4wHAYD +VQQKExVNYXkgRmlyc3QvUGVvcGxlIExpbmsxIDAeBgkqhkiG9w0BCQEWEWluZm9A +bWF5Zmlyc3Qub3JnMREwDwYDVQQHEwhOZXcgWW9yazERMA8GA1UECBMITmV3IFlv +cmsxCzAJBgNVBAYTAlVTMRUwEwYDVQQDEwxNRlBMIFJvb3QgQ0EwHhcNMDkwMTEy +MTYyNjU3WhcNMTkwMTEwMTYyNjU3WjCBjDEeMBwGA1UEChMVTWF5IEZpcnN0L1Bl +b3BsZSBMaW5rMSAwHgYJKoZIhvcNAQkBFhFpbmZvQG1heWZpcnN0Lm9yZzERMA8G +A1UEBxMITmV3IFlvcmsxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYDVQQGEwJVUzEV +MBMGA1UEAxMMTUZQTCBSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDQgYTGNjAJADudHV2MZ1QJQdf3YAMB1g/buR9ADsoTzM3vKWzXBvgoC6CFrojw +RNbVtgU3A9aetLxaWJuBSqqREub+HyZvzD14tP90hq10YthtXoCtjhs6C/mEqckk +LCGdTZ/lsIiM8tSdoE/OFQNRqk81A4lHgyumHlw3wnVICQIDAQABo4H0MIHxMAwG +A1UdEwQFMAMBAf8wHQYDVR0OBBYEFHzhAs1Q0Pu6lbptL6VlnVVTDni0MIHBBgNV +HSMEgbkwgbaAFHzhAs1Q0Pu6lbptL6VlnVVTDni0oYGSpIGPMIGMMR4wHAYDVQQK +ExVNYXkgRmlyc3QvUGVvcGxlIExpbmsxIDAeBgkqhkiG9w0BCQEWEWluZm9AbWF5 +Zmlyc3Qub3JnMREwDwYDVQQHEwhOZXcgWW9yazERMA8GA1UECBMITmV3IFlvcmsx +CzAJBgNVBAYTAlVTMRUwEwYDVQQDEwxNRlBMIFJvb3QgQ0GCCQDYYNv1laxE7TAN +BgkqhkiG9w0BAQUFAAOBgQA8kagGZR+Tp6GRyQWYlcNW9xVYza/xPZhPY4dVYUtv +Czcw5N1mB0R444c4jhVLIrPWUjcpz46akXXHMGpcIsX/rNetbLCtcE9/AuB+Xg1K +Fwr/SXkZXVK1vIppXmV0ZBaIB/tRV/SozcGRN/D9ETYX4JhBZU6OXPxNVjp5dvlH +vQ== +-----END CERTIFICATE----- diff --git a/test/test_helper.rb b/test/test_helper.rb index d6eabe5..7fbe400 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -19,7 +19,11 @@ class Minitest::Test end def file_content(filename) - (@file_contents ||= {})[filename] ||= File.read("%s/files/%s" % [File.dirname(__FILE__), filename]) + (@file_contents ||= {})[filename] ||= File.read(file_path(filename)) + end + + def file_path(filename) + "%s/files/%s" % [File.dirname(__FILE__), filename] end def real_network 
@@ -54,4 +58,11 @@ class Minitest::Test end end + # + # temporarily stubs the config property for the duration of the given block + # + def stub_config(property, value, &block) + Nickserver::Config.stub(property, value, &block) + end + end diff --git a/test/unit/hkp_test.rb b/test/unit/hkp_test.rb index 0ac4728..9c10aab 100644 --- a/test/unit/hkp_test.rb +++ b/test/unit/hkp_test.rb @@ -34,16 +34,6 @@ class HkpTest < Minitest::Test end end - def test_key_info_real_network - real_network do - uid = 'elijah@riseup.net' - test_em_callback "Nickserver::HKP::FetchKeyInfo.new.search '#{uid}'" do |keys| - assert_equal 1, keys.size - assert keys.first.keyid =~ /00440025$/ - end - end - end - def test_fetch_key uid = 'cloudadmin@leap.se' key_id = 'E818C478D3141282F7590D29D041EB11B1647490' @@ -77,6 +67,39 @@ class HkpTest < Minitest::Test end end + # + # real network tests + # remember: must be run with REAL_NET=true + # + + def test_key_info_real_network + real_network do + uid = 'elijah@riseup.net' + test_em_callback "Nickserver::HKP::FetchKeyInfo.new.search '#{uid}'" do |keys| + assert_equal 1, keys.size + assert keys.first.keyid =~ /00440025$/ + end + end + end + + def test_tls_validation_with_real_network + hkp_url = 'https://keys.mayfirst.org/pks/lookup' + ca_file = file_path('mayfirst-ca.pem') + + real_network do + stub_config(:hkp_url, hkp_url) do + stub_config(:hkp_ca_file, ca_file) do + #stub_config(:hkp_ca_file, file_path('autistici-ca.pem')) do + assert File.exists?(Nickserver::Config.hkp_ca_file) + uid = 'elijah@riseup.net' + test_em_callback "Nickserver::HKP::FetchKeyInfo.new.search '#{uid}'" do |keys| + assert_equal 1, keys.size + assert keys.first.keyid =~ /00440025$/ + end + end + end + end + end protected 
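Review bot: `test_tls_validation_with_real_network` only exercises the success path, so it passes just as well if the client ignores `hkp_ca_file` or does not verify the server certificate at all. Nothing in this patch touches the HKP client, so whether the option is actually consumed is not visible here. The commented-out `#stub_config(:hkp_ca_file, file_path('autistici-ca.pem')) do` looks like the intended negative case: add a second test that stubs this non-matching CA against the same `hkp_url` and asserts that the request fails through the errback. `test_em_callback` is defined outside the hunk, so an errback-expecting counterpart may be needed. `assert File.exists?(Nickserver::Config.hkp_ca_file)` should use `File.exist?`, since the `exists?` alias is deprecated.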
@@ -97,7 +120,8 @@ class HkpTest < Minitest::Test
 }
 deferrable.errback {|response, msg|
 EM.stop
- flunk "Expecting callback, but errback invoked with response: #{response} #{msg}"
+ puts caller.join("\n")
+ flunk "Expecting callback, but errback invoked with response: #{response} #{msg}\n\n#{caller.join("\n")}"
 }
 end
 assert false, 'should not get here'
--
cgit v1.2.3
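Review bot: The added `puts caller.join("\n")` in the errback reads like leftover debugging, because the same backtrace is interpolated into the `flunk` message on the next line and so is printed twice on failure. Inside the errback block, `caller` is the stack of whatever invoked the errback (presumably the EventMachine reactor), not of the test that issued the request, so it may not identify the failing test. If the test's location is what is wanted, capture `caller` before entering the reactor and interpolate that value; otherwise dropping the `puts` line is enough. The enclosing helper starts outside the hunk.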