Mercurial > hg > nginx-tests
annotate ssl_ocsp.t @ 1728:6d5ecf445e57
Tests: added HTTP/2 test with big request body.
Notably, it is useful with body buffering in filters, in which case
the stream window is flow controlled based on the preread buffer.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Sat, 04 Sep 2021 14:50:02 +0300 |
| parents | 5ac6efbe5552 |
| children | 9d98c2ad3126 |
| rev | line source |
|---|---|
| 1570 | 1 #!/usr/bin/perl |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Nginx, Inc. | |
| 5 | |
| 6 # Tests for OCSP with client certificates. | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 use MIME::Base64 qw/ decode_base64 /; | |
| 16 | |
| 17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 18 | |
| 19 use lib 'lib'; | |
| 20 use Test::Nginx; | |
| 21 | |
| 22 ############################################################################### | |
| 23 | |
| 24 select STDERR; $| = 1; | |
| 25 select STDOUT; $| = 1; | |
| 26 | |
| 27 eval { | |
| 28 require Net::SSLeay; | |
| 29 Net::SSLeay::load_error_strings(); | |
| 30 Net::SSLeay::SSLeay_add_ssl_algorithms(); | |
| 31 Net::SSLeay::randomize(); | |
| 32 Net::SSLeay::SSLeay(); | |
| 33 defined &Net::SSLeay::set_tlsext_status_type or die; | |
| 34 }; | |
| 35 plan(skip_all => 'Net::SSLeay not installed or too old') if $@; | |
| 36 | |
| 37 eval { | |
| 38 my $ctx = Net::SSLeay::CTX_new() or die; | |
| 39 my $ssl = Net::SSLeay::new($ctx) or die; | |
| 40 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; | |
| 41 }; | |
| 42 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; | |
| 43 | |
| 44 my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)->has_daemon('openssl'); | |
| 45 | |
| 46 plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL'); | |
| 47 | |
| 48 $t->write_file_expand('nginx.conf', <<'EOF'); | |
| 49 | |
| 50 %%TEST_GLOBALS%% | |
| 51 | |
| 52 daemon off; | |
| 53 | |
| 54 events { | |
| 55 } | |
| 56 | |
| 57 http { | |
| 58 %%TEST_GLOBALS_HTTP%% | |
| 59 | |
| 60 ssl_ocsp leaf; | |
| 61 ssl_verify_client on; | |
| 62 ssl_verify_depth 2; | |
| 63 ssl_client_certificate trusted.crt; | |
| 64 | |
| 65 ssl_ciphers DEFAULT:ECCdraft; | |
| 66 | |
| 67 ssl_certificate_key ec.key; | |
| 68 ssl_certificate ec.crt; | |
| 69 | |
| 70 ssl_certificate_key rsa.key; | |
| 71 ssl_certificate rsa.crt; | |
| 72 | |
| 73 ssl_session_cache shared:SSL:1m; | |
| 74 ssl_session_tickets off; | |
| 75 | |
| 76 add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always; | |
| 77 | |
| 78 server { | |
| 79 listen 127.0.0.1:8443 ssl; | |
| 80 server_name localhost; | |
| 81 } | |
| 82 | |
| 83 server { | |
| 84 listen 127.0.0.1:8443 ssl; | |
| 85 server_name sni; | |
| 86 | |
| 87 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 88 } | |
| 89 | |
| 90 server { | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
91 listen 127.0.0.1:8443 ssl; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
92 server_name resolver; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
93 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
94 ssl_ocsp on; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
95 } |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
96 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
97 server { |
| 1570 | 98 listen 127.0.0.1:8444 ssl; |
| 99 server_name localhost; | |
| 100 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
101 ssl_ocsp_responder http://127.0.0.1:8081; |
| 1570 | 102 ssl_ocsp on; |
| 103 } | |
| 104 | |
| 105 server { | |
| 106 listen 127.0.0.1:8445 ssl; | |
| 107 server_name localhost; | |
| 108 | |
| 109 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 110 } | |
| 111 | |
| 112 server { | |
| 113 listen 127.0.0.1:8446 ssl; | |
| 114 server_name localhost; | |
| 115 | |
| 116 ssl_ocsp_cache shared:OCSP:1m; | |
| 117 } | |
| 118 | |
| 119 server { | |
| 120 listen 127.0.0.1:8447 ssl; | |
| 121 server_name localhost; | |
| 122 | |
| 123 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 124 ssl_client_certificate root.crt; | |
| 125 } | |
| 126 } | |
| 127 | |
| 128 EOF | |
| 129 | |
| 130 my $d = $t->testdir(); | |
| 131 my $p = port(8081); | |
| 132 | |
| 133 $t->write_file('openssl.conf', <<EOF); | |
| 134 [ req ] | |
| 135 default_bits = 2048 | |
| 136 encrypt_key = no | |
| 137 distinguished_name = req_distinguished_name | |
| 138 [ req_distinguished_name ] | |
| 139 EOF | |
| 140 | |
| 141 $t->write_file('ca.conf', <<EOF); | |
| 142 [ ca ] | |
| 143 default_ca = myca | |
| 144 | |
| 145 [ myca ] | |
| 146 new_certs_dir = $d | |
| 147 database = $d/certindex | |
| 148 default_md = sha256 | |
| 149 policy = myca_policy | |
| 150 serial = $d/certserial | |
| 151 default_days = 1 | |
| 152 x509_extensions = myca_extensions | |
| 153 | |
| 154 [ myca_policy ] | |
| 155 commonName = supplied | |
| 156 | |
| 157 [ myca_extensions ] | |
| 158 basicConstraints = critical,CA:TRUE | |
| 159 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p | |
| 160 EOF | |
| 161 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
162 # variant for int.crt to trigger missing resolver |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
163 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
164 $t->write_file('ca2.conf', <<EOF); |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
165 [ ca ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
166 default_ca = myca |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
167 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
168 [ myca ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
169 new_certs_dir = $d |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
170 database = $d/certindex |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
171 default_md = sha256 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
172 policy = myca_policy |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
173 serial = $d/certserial |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
174 default_days = 1 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
175 x509_extensions = myca_extensions |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
176 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
177 [ myca_policy ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
178 commonName = supplied |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
179 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
180 [ myca_extensions ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
181 basicConstraints = critical,CA:TRUE |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
182 authorityInfoAccess = OCSP;URI:http://localhost:$p |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
183 EOF |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
184 |
| 1570 | 185 foreach my $name ('root') { |
| 186 system('openssl req -x509 -new ' | |
| 187 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 188 . "-out $d/$name.crt -keyout $d/$name.key " | |
| 189 . ">>$d/openssl.out 2>&1") == 0 | |
| 190 or die "Can't create certificate for $name: $!\n"; | |
| 191 } | |
| 192 | |
| 193 foreach my $name ('int', 'end') { | |
| 194 system("openssl req -new " | |
| 195 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 196 . "-out $d/$name.csr -keyout $d/$name.key " | |
| 197 . ">>$d/openssl.out 2>&1") == 0 | |
| 198 or die "Can't create certificate for $name: $!\n"; | |
| 199 } | |
| 200 | |
| 201 foreach my $name ('ec-end') { | |
| 202 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " | |
| 203 . ">>$d/openssl.out 2>&1") == 0 | |
| 204 or die "Can't create EC param: $!\n"; | |
| 205 system("openssl req -new -key $d/$name.key " | |
| 206 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 207 . "-out $d/$name.csr " | |
| 208 . ">>$d/openssl.out 2>&1") == 0 | |
| 209 or die "Can't create certificate for $name: $!\n"; | |
| 210 } | |
| 211 | |
| 212 $t->write_file('certserial', '1000'); | |
| 213 $t->write_file('certindex', ''); | |
| 214 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
215 system("openssl ca -batch -config $d/ca2.conf " |
| 1570 | 216 . "-keyfile $d/root.key -cert $d/root.crt " |
| 217 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " | |
| 218 . ">>$d/openssl.out 2>&1") == 0 | |
| 219 or die "Can't sign certificate for int: $!\n"; | |
| 220 | |
| 221 system("openssl ca -batch -config $d/ca.conf " | |
| 222 . "-keyfile $d/int.key -cert $d/int.crt " | |
| 223 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " | |
| 224 . ">>$d/openssl.out 2>&1") == 0 | |
| 225 or die "Can't sign certificate for ec-end: $!\n"; | |
| 226 | |
| 227 system("openssl ca -batch -config $d/ca.conf " | |
| 228 . "-keyfile $d/int.key -cert $d/int.crt " | |
| 229 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " | |
| 230 . ">>$d/openssl.out 2>&1") == 0 | |
| 231 or die "Can't sign certificate for end: $!\n"; | |
| 232 | |
| 233 # RFC 6960, serialNumber | |
| 234 | |
| 235 system("openssl x509 -in $d/int.crt -serial -noout " | |
| 236 . ">>$d/serial_int 2>>$d/openssl.out") == 0 | |
| 237 or die "Can't obtain serial for end: $!\n"; | |
| 238 | |
| 239 my $serial_int = pack("n2", 0x0202, hex $1) | |
| 240 if $t->read_file('serial_int') =~ /(\d+)/; | |
| 241 | |
| 242 system("openssl x509 -in $d/end.crt -serial -noout " | |
| 243 . ">>$d/serial 2>>$d/openssl.out") == 0 | |
| 244 or die "Can't obtain serial for end: $!\n"; | |
| 245 | |
| 246 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; | |
| 247 | |
| 248 # ocsp end | |
| 249 | |
| 250 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " | |
| 251 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 | |
| 252 or die "Can't create OCSP request: $!\n"; | |
| 253 | |
| 254 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 255 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 256 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " | |
| 257 . ">>$d/openssl.out 2>&1") == 0 | |
| 258 or die "Can't create OCSP response: $!\n"; | |
| 259 | |
| 260 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " | |
| 261 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 | |
| 262 or die "Can't create EC OCSP request: $!\n"; | |
| 263 | |
| 264 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 265 . "-rsigner $d/root.crt -rkey $d/root.key " | |
| 266 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 267 . ">>$d/openssl.out 2>&1") == 0 | |
| 268 or die "Can't create EC OCSP response: $!\n"; | |
| 269 | |
| 270 $t->write_file('trusted.crt', | |
| 271 $t->read_file('int.crt') . $t->read_file('root.crt')); | |
| 272 | |
| 273 # server cert/key | |
| 274 | |
| 275 system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 " | |
| 276 . ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n"; | |
| 277 system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0 | |
| 278 or die "Can't create RSA pem: $!\n"; | |
| 279 | |
| 280 foreach my $name ('ec', 'rsa') { | |
| 281 system("openssl req -x509 -new -key $d/$name.key " | |
| 282 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 283 . "-out $d/$name.crt -keyout $d/$name.key " | |
| 284 . ">>$d/openssl.out 2>&1") == 0 | |
| 285 or die "Can't create certificate for $name: $!\n"; | |
| 286 } | |
| 287 | |
| 288 $t->run_daemon(\&http_daemon, $t, port(8081)); | |
| 289 $t->run_daemon(\&http_daemon, $t, port(8082)); | |
|
1693
5ac6efbe5552
Tests: removed TODO and try_run() checks for legacy versions.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1636
diff
changeset
|
290 $t->run()->plan(14); |
| 1570 | 291 |
| 292 $t->waitforsocket("127.0.0.1:" . port(8081)); | |
| 293 $t->waitforsocket("127.0.0.1:" . port(8082)); | |
| 294 | |
| 295 my $version = get_version(); | |
| 296 | |
| 297 ############################################################################### | |
| 298 | |
| 299 like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf'); | |
| 300 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
301 # demonstrate that ocsp int request is failed due to missing resolver |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
302 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
303 like(get('RSA', 'end', sni => 'resolver'), |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
304 qr/400 Bad.*FAILED:certificate status request failed/s, |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
305 'ocsp many failed request'); |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
306 |
| 1570 | 307 # demonstrate that ocsp int request is actually made by failing ocsp response |
| 308 | |
| 309 like(get('RSA', 'end', port => 8444), | |
| 310 qr/400 Bad.*FAILED:certificate status request failed/s, | |
| 311 'ocsp many failed'); | |
| 312 | |
| 313 # now prepare valid ocsp int response | |
| 314 | |
| 315 system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt " | |
| 316 . "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0 | |
| 317 or die "Can't create OCSP request: $!\n"; | |
| 318 | |
| 319 system("openssl ocsp -index $d/certindex -CA $d/root.crt " | |
| 320 . "-rsigner $d/root.crt -rkey $d/root.key " | |
| 321 . "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 " | |
| 322 . ">>$d/openssl.out 2>&1") == 0 | |
| 323 or die "Can't create OCSP response: $!\n"; | |
| 324 | |
| 325 like(get('RSA', 'end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many'); | |
| 326 | |
| 327 # store into ssl_ocsp_cache | |
| 328 | |
| 329 like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store'); | |
| 330 | |
| 331 # revoke | |
| 332 | |
| 333 system("openssl ca -config $d/ca.conf -revoke $d/end.crt " | |
| 334 . "-keyfile $d/root.key -cert $d/root.crt " | |
| 335 . ">>$d/openssl.out 2>&1") == 0 | |
| 336 or die "Can't revoke end.crt: $!\n"; | |
| 337 | |
| 338 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " | |
| 339 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 | |
| 340 or die "Can't create OCSP request: $!\n"; | |
| 341 | |
| 342 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 343 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 344 . "-reqin $d/req.der -respout $d/revoked.der -ndays 1 " | |
| 345 . ">>$d/openssl.out 2>&1") == 0 | |
| 346 or die "Can't create OCSP response: $!\n"; | |
| 347 | |
| 348 like(get('RSA', 'end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked'); | |
| 349 | |
| 350 # with different responder where it's still valid | |
| 351 | |
| 352 like(get('RSA', 'end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder'); | |
| 353 | |
| 354 # with different context to responder where it's still valid | |
| 355 | |
| 356 like(get('RSA', 'end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context'); | |
| 357 | |
| 358 # with cached ocsp response it's still valid | |
| 359 | |
| 360 like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup'); | |
| 361 | |
| 362 # ocsp end response signed with invalid (root) cert, expect HTTP 400 | |
| 363 | |
| 364 like(get('ECDSA', 'ec-end'), | |
| 365 qr/400 Bad.*FAILED:certificate status request failed/s, | |
| 366 'root ca not trusted'); | |
| 367 | |
| 368 # now sign ocsp end response with valid int cert | |
| 369 | |
| 370 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 371 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 372 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 373 . ">>$d/openssl.out 2>&1") == 0 | |
| 374 or die "Can't create EC OCSP response: $!\n"; | |
| 375 | |
| 376 like(get('ECDSA', 'ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa'); | |
| 377 | |
| 378 my ($s, $ssl) = get('ECDSA', 'ec-end'); | |
| 379 my $ses = Net::SSLeay::get_session($ssl); | |
| 380 | |
| 381 like(get('ECDSA', 'ec-end', ses => $ses), | |
| 382 qr/200 OK.*SUCCESS:r/s, 'session reused'); | |
| 383 | |
| 384 # revoke with saved session | |
| 385 | |
| 386 system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt " | |
| 387 . "-keyfile $d/root.key -cert $d/root.crt " | |
| 388 . ">>$d/openssl.out 2>&1") == 0 | |
| 389 or die "Can't revoke end.crt: $!\n"; | |
| 390 | |
| 391 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " | |
| 392 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 | |
| 393 or die "Can't create OCSP request: $!\n"; | |
| 394 | |
| 395 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 396 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 397 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 398 . ">>$d/openssl.out 2>&1") == 0 | |
| 399 or die "Can't create OCSP response: $!\n"; | |
| 400 | |
| 401 # reusing session with revoked certificate | |
| 402 | |
| 403 like(get('ECDSA', 'ec-end', ses => $ses), | |
| 404 qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked'); | |
| 405 | |
| 406 # regression test for self-signed | |
| 407 | |
| 408 like(get('RSA', 'root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one'); | |
| 409 | |
| 410 ############################################################################### | |
| 411 | |
| 412 sub get { | |
| 413 my ($type, $cert, %extra) = @_; | |
| 414 $type = 'PSS' if $type eq 'RSA' && $version > 0x0303; | |
| 415 my ($s, $ssl) = get_ssl_socket($type, $cert, %extra); | |
| 416 my $cipher = Net::SSLeay::get_cipher($ssl); | |
| 417 Test::Nginx::log_core('||', "cipher: $cipher"); | |
| 418 my $host = $extra{sni} ? $extra{sni} : 'localhost'; | |
| 419 Net::SSLeay::write($ssl, "GET /serial HTTP/1.0\nHost: $host\n\n"); | |
| 420 my $r = Net::SSLeay::read($ssl); | |
| 421 Test::Nginx::log_core($r); | |
| 422 $s->close(); | |
| 423 return $r unless wantarray(); | |
| 424 return ($s, $ssl); | |
| 425 } | |
| 426 | |
| 427 sub get_ssl_socket { | |
| 428 my ($type, $cert, %extra) = @_; | |
| 429 my $ses = $extra{ses}; | |
| 430 my $sni = $extra{sni}; | |
| 431 my $port = $extra{port} || 8443; | |
| 432 my $s; | |
| 433 | |
| 434 eval { | |
| 435 local $SIG{ALRM} = sub { die "timeout\n" }; | |
| 436 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
| 437 alarm(8); | |
| 438 $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); | |
| 439 alarm(0); | |
| 440 }; | |
| 441 alarm(0); | |
| 442 | |
| 443 if ($@) { | |
| 444 log_in("died: $@"); | |
| 445 return undef; | |
| 446 } | |
| 447 | |
| 448 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
| 449 | |
| 450 if (defined $type) { | |
| 451 my $ssleay = Net::SSLeay::SSLeay(); | |
| 452 if ($ssleay < 0x1000200f || $ssleay == 0x20000000) { | |
| 453 Net::SSLeay::CTX_set_cipher_list($ctx, $type) | |
| 454 or die("Failed to set cipher list"); | |
| 455 } else { | |
| 456 # SSL_CTRL_SET_SIGALGS_LIST | |
| 457 Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256') | |
| 458 or die("Failed to set sigalgs"); | |
| 459 } | |
| 460 } | |
| 461 | |
| 462 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key") | |
| 463 or die if $cert; | |
| 464 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | |
| 465 Net::SSLeay::set_session($ssl, $ses) if defined $ses; | |
| 466 Net::SSLeay::set_tlsext_host_name($ssl, $sni) if $sni; | |
| 467 Net::SSLeay::set_fd($ssl, fileno($s)); | |
| 468 Net::SSLeay::connect($ssl) or die("ssl connect"); | |
| 469 return ($s, $ssl); | |
| 470 } | |
| 471 | |
| 472 sub get_version { | |
| 473 my ($s, $ssl) = get_ssl_socket(); | |
| 474 return Net::SSLeay::version($ssl); | |
| 475 } | |
| 476 | |
| 477 ############################################################################### | |
| 478 | |
| 479 sub http_daemon { | |
| 480 my ($t, $port) = @_; | |
| 481 my $server = IO::Socket::INET->new( | |
| 482 Proto => 'tcp', | |
| 483 LocalHost => "127.0.0.1:$port", | |
| 484 Listen => 5, | |
| 485 Reuse => 1 | |
| 486 ) | |
| 487 or die "Can't create listening socket: $!\n"; | |
| 488 | |
| 489 local $SIG{PIPE} = 'IGNORE'; | |
| 490 | |
| 491 while (my $client = $server->accept()) { | |
| 492 $client->autoflush(1); | |
| 493 | |
| 494 my $headers = ''; | |
| 495 my $uri = ''; | |
| 496 my $resp; | |
| 497 | |
| 498 while (<$client>) { | |
| 499 $headers .= $_; | |
| 500 last if (/^\x0d?\x0a?$/); | |
| 501 } | |
| 502 | |
| 503 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i; | |
| 504 next unless $uri; | |
| 505 | |
| 506 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; | |
| 507 my $req = decode_base64($uri); | |
| 508 | |
| 509 if (index($req, $serial_int) > 0) { | |
| 510 $resp = 'int-resp'; | |
| 511 | |
| 512 } elsif (index($req, $serial) > 0) { | |
| 513 $resp = 'resp'; | |
| 514 | |
| 515 # used to differentiate ssl_ocsp_responder | |
| 516 | |
| 517 if ($port == port(8081) && -e "$d/revoked.der") { | |
| 518 $resp = 'revoked'; | |
| 519 } | |
| 520 | |
| 521 } else { | |
| 522 $resp = 'ec-resp'; | |
| 523 } | |
| 524 | |
|
1636
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
525 next unless -s "$d/$resp.der"; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
526 |
| 1570 | 527 # ocsp dummy handler |
| 528 | |
| 529 select undef, undef, undef, 0.02; | |
| 530 | |
| 531 $headers = <<"EOF"; | |
| 532 HTTP/1.1 200 OK | |
| 533 Connection: close | |
| 534 Content-Type: application/ocsp-response | |
| 535 | |
| 536 EOF | |
| 537 | |
|
1636
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
538 local $/; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
539 open my $fh, '<', "$d/$resp.der" |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
540 or die "Can't open $resp.der: $!"; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
541 binmode $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
542 my $content = <$fh>; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
543 close $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
544 |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
545 print $client $headers . $content; |
| 1570 | 546 } |
| 547 } | |
| 548 | |
| 549 ############################################################################### |