Mercurial > hg > nginx-tests
annotate ssl_ocsp.t @ 1847:a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Multiple server certificates are not needed to test OCSP verification of
client certificates (in contrast to OCSP stapling, where server certificates
are verified, and different staples should be correctly returned with
different server certificates). And using multiple server certificates
causes issues when testing with LibreSSL due to broken sigalgs-based
server certificate selection in LibreSSL with TLSv1.3.
Accordingly, the test is simplified to do not use multiple server
certificates.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 23 Mar 2023 19:50:26 +0300 |
| parents | 9d98c2ad3126 |
| children | 727741cdff74 |
| rev | line source |
|---|---|
| 1570 | 1 #!/usr/bin/perl |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Nginx, Inc. | |
| 5 | |
| 6 # Tests for OCSP with client certificates. | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 use MIME::Base64 qw/ decode_base64 /; | |
| 16 | |
| 17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 18 | |
| 19 use lib 'lib'; | |
| 20 use Test::Nginx; | |
| 21 | |
| 22 ############################################################################### | |
| 23 | |
| 24 select STDERR; $| = 1; | |
| 25 select STDOUT; $| = 1; | |
| 26 | |
| 27 eval { | |
| 28 require Net::SSLeay; | |
| 29 Net::SSLeay::load_error_strings(); | |
| 30 Net::SSLeay::SSLeay_add_ssl_algorithms(); | |
| 31 Net::SSLeay::randomize(); | |
| 32 Net::SSLeay::SSLeay(); | |
| 33 defined &Net::SSLeay::set_tlsext_status_type or die; | |
| 34 }; | |
| 35 plan(skip_all => 'Net::SSLeay not installed or too old') if $@; | |
| 36 | |
| 37 eval { | |
| 38 my $ctx = Net::SSLeay::CTX_new() or die; | |
| 39 my $ssl = Net::SSLeay::new($ctx) or die; | |
| 40 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; | |
| 41 }; | |
| 42 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; | |
| 43 | |
| 44 my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)->has_daemon('openssl'); | |
| 45 | |
|
1846
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
46 plan(skip_all => 'no OCSP support in BoringSSL') |
|
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
47 if $t->has_module('BoringSSL'); |
| 1570 | 48 |
| 49 $t->write_file_expand('nginx.conf', <<'EOF'); | |
| 50 | |
| 51 %%TEST_GLOBALS%% | |
| 52 | |
| 53 daemon off; | |
| 54 | |
| 55 events { | |
| 56 } | |
| 57 | |
| 58 http { | |
| 59 %%TEST_GLOBALS_HTTP%% | |
| 60 | |
| 61 ssl_ocsp leaf; | |
| 62 ssl_verify_client on; | |
| 63 ssl_verify_depth 2; | |
| 64 ssl_client_certificate trusted.crt; | |
| 65 | |
| 66 ssl_certificate_key rsa.key; | |
| 67 ssl_certificate rsa.crt; | |
| 68 | |
| 69 ssl_session_cache shared:SSL:1m; | |
| 70 ssl_session_tickets off; | |
| 71 | |
| 72 add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always; | |
| 73 | |
| 74 server { | |
| 75 listen 127.0.0.1:8443 ssl; | |
| 76 server_name localhost; | |
| 77 } | |
| 78 | |
| 79 server { | |
| 80 listen 127.0.0.1:8443 ssl; | |
| 81 server_name sni; | |
| 82 | |
| 83 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 84 } | |
| 85 | |
| 86 server { | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
87 listen 127.0.0.1:8443 ssl; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
88 server_name resolver; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
89 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
90 ssl_ocsp on; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
91 } |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
92 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
93 server { |
| 1570 | 94 listen 127.0.0.1:8444 ssl; |
| 95 server_name localhost; | |
| 96 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
97 ssl_ocsp_responder http://127.0.0.1:8081; |
| 1570 | 98 ssl_ocsp on; |
| 99 } | |
| 100 | |
| 101 server { | |
| 102 listen 127.0.0.1:8445 ssl; | |
| 103 server_name localhost; | |
| 104 | |
| 105 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 106 } | |
| 107 | |
| 108 server { | |
| 109 listen 127.0.0.1:8446 ssl; | |
| 110 server_name localhost; | |
| 111 | |
| 112 ssl_ocsp_cache shared:OCSP:1m; | |
| 113 } | |
| 114 | |
| 115 server { | |
| 116 listen 127.0.0.1:8447 ssl; | |
| 117 server_name localhost; | |
| 118 | |
| 119 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 120 ssl_client_certificate root.crt; | |
| 121 } | |
| 122 } | |
| 123 | |
| 124 EOF | |
| 125 | |
| 126 my $d = $t->testdir(); | |
| 127 my $p = port(8081); | |
| 128 | |
| 129 $t->write_file('openssl.conf', <<EOF); | |
| 130 [ req ] | |
| 131 default_bits = 2048 | |
| 132 encrypt_key = no | |
| 133 distinguished_name = req_distinguished_name | |
| 134 [ req_distinguished_name ] | |
| 135 EOF | |
| 136 | |
| 137 $t->write_file('ca.conf', <<EOF); | |
| 138 [ ca ] | |
| 139 default_ca = myca | |
| 140 | |
| 141 [ myca ] | |
| 142 new_certs_dir = $d | |
| 143 database = $d/certindex | |
| 144 default_md = sha256 | |
| 145 policy = myca_policy | |
| 146 serial = $d/certserial | |
| 147 default_days = 1 | |
| 148 x509_extensions = myca_extensions | |
| 149 | |
| 150 [ myca_policy ] | |
| 151 commonName = supplied | |
| 152 | |
| 153 [ myca_extensions ] | |
| 154 basicConstraints = critical,CA:TRUE | |
| 155 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p | |
| 156 EOF | |
| 157 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
158 # variant for int.crt to trigger missing resolver |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
159 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
160 $t->write_file('ca2.conf', <<EOF); |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
161 [ ca ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
162 default_ca = myca |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
163 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
164 [ myca ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
165 new_certs_dir = $d |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
166 database = $d/certindex |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
167 default_md = sha256 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
168 policy = myca_policy |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
169 serial = $d/certserial |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
170 default_days = 1 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
171 x509_extensions = myca_extensions |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
172 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
173 [ myca_policy ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
174 commonName = supplied |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
175 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
176 [ myca_extensions ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
177 basicConstraints = critical,CA:TRUE |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
178 authorityInfoAccess = OCSP;URI:http://localhost:$p |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
179 EOF |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
180 |
| 1570 | 181 foreach my $name ('root') { |
| 182 system('openssl req -x509 -new ' | |
| 183 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 184 . "-out $d/$name.crt -keyout $d/$name.key " | |
| 185 . ">>$d/openssl.out 2>&1") == 0 | |
| 186 or die "Can't create certificate for $name: $!\n"; | |
| 187 } | |
| 188 | |
| 189 foreach my $name ('int', 'end') { | |
| 190 system("openssl req -new " | |
| 191 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 192 . "-out $d/$name.csr -keyout $d/$name.key " | |
| 193 . ">>$d/openssl.out 2>&1") == 0 | |
| 194 or die "Can't create certificate for $name: $!\n"; | |
| 195 } | |
| 196 | |
| 197 foreach my $name ('ec-end') { | |
| 198 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " | |
| 199 . ">>$d/openssl.out 2>&1") == 0 | |
| 200 or die "Can't create EC param: $!\n"; | |
| 201 system("openssl req -new -key $d/$name.key " | |
| 202 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 203 . "-out $d/$name.csr " | |
| 204 . ">>$d/openssl.out 2>&1") == 0 | |
| 205 or die "Can't create certificate for $name: $!\n"; | |
| 206 } | |
| 207 | |
| 208 $t->write_file('certserial', '1000'); | |
| 209 $t->write_file('certindex', ''); | |
| 210 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
211 system("openssl ca -batch -config $d/ca2.conf " |
| 1570 | 212 . "-keyfile $d/root.key -cert $d/root.crt " |
| 213 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " | |
| 214 . ">>$d/openssl.out 2>&1") == 0 | |
| 215 or die "Can't sign certificate for int: $!\n"; | |
| 216 | |
| 217 system("openssl ca -batch -config $d/ca.conf " | |
| 218 . "-keyfile $d/int.key -cert $d/int.crt " | |
| 219 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " | |
| 220 . ">>$d/openssl.out 2>&1") == 0 | |
| 221 or die "Can't sign certificate for ec-end: $!\n"; | |
| 222 | |
| 223 system("openssl ca -batch -config $d/ca.conf " | |
| 224 . "-keyfile $d/int.key -cert $d/int.crt " | |
| 225 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " | |
| 226 . ">>$d/openssl.out 2>&1") == 0 | |
| 227 or die "Can't sign certificate for end: $!\n"; | |
| 228 | |
| 229 # RFC 6960, serialNumber | |
| 230 | |
| 231 system("openssl x509 -in $d/int.crt -serial -noout " | |
| 232 . ">>$d/serial_int 2>>$d/openssl.out") == 0 | |
| 233 or die "Can't obtain serial for end: $!\n"; | |
| 234 | |
| 235 my $serial_int = pack("n2", 0x0202, hex $1) | |
| 236 if $t->read_file('serial_int') =~ /(\d+)/; | |
| 237 | |
| 238 system("openssl x509 -in $d/end.crt -serial -noout " | |
| 239 . ">>$d/serial 2>>$d/openssl.out") == 0 | |
| 240 or die "Can't obtain serial for end: $!\n"; | |
| 241 | |
| 242 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; | |
| 243 | |
| 244 # ocsp end | |
| 245 | |
| 246 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " | |
| 247 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 | |
| 248 or die "Can't create OCSP request: $!\n"; | |
| 249 | |
| 250 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 251 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 252 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " | |
| 253 . ">>$d/openssl.out 2>&1") == 0 | |
| 254 or die "Can't create OCSP response: $!\n"; | |
| 255 | |
| 256 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " | |
| 257 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 | |
| 258 or die "Can't create EC OCSP request: $!\n"; | |
| 259 | |
| 260 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 261 . "-rsigner $d/root.crt -rkey $d/root.key " | |
| 262 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 263 . ">>$d/openssl.out 2>&1") == 0 | |
| 264 or die "Can't create EC OCSP response: $!\n"; | |
| 265 | |
| 266 $t->write_file('trusted.crt', | |
| 267 $t->read_file('int.crt') . $t->read_file('root.crt')); | |
| 268 | |
| 269 # server cert/key | |
| 270 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
271 foreach my $name ('rsa') { |
|
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
272 system('openssl req -x509 -new ' |
| 1570 | 273 . "-config $d/openssl.conf -subj /CN=$name/ " |
| 274 . "-out $d/$name.crt -keyout $d/$name.key " | |
| 275 . ">>$d/openssl.out 2>&1") == 0 | |
| 276 or die "Can't create certificate for $name: $!\n"; | |
| 277 } | |
| 278 | |
| 279 $t->run_daemon(\&http_daemon, $t, port(8081)); | |
| 280 $t->run_daemon(\&http_daemon, $t, port(8082)); | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
281 $t->run()->plan(15); |
| 1570 | 282 |
| 283 $t->waitforsocket("127.0.0.1:" . port(8081)); | |
| 284 $t->waitforsocket("127.0.0.1:" . port(8082)); | |
| 285 | |
| 286 my $version = get_version(); | |
| 287 | |
| 288 ############################################################################### | |
| 289 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
290 like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf'); |
| 1570 | 291 |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
292 # demonstrate that ocsp int request is failed due to missing resolver |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
293 |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
294 like(get('end', sni => 'resolver'), |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
295 qr/400 Bad.*FAILED:certificate status request failed/s, |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
296 'ocsp many failed request'); |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
297 |
| 1570 | 298 # demonstrate that ocsp int request is actually made by failing ocsp response |
| 299 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
300 like(get('end', port => 8444), |
| 1570 | 301 qr/400 Bad.*FAILED:certificate status request failed/s, |
| 302 'ocsp many failed'); | |
| 303 | |
| 304 # now prepare valid ocsp int response | |
| 305 | |
| 306 system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt " | |
| 307 . "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0 | |
| 308 or die "Can't create OCSP request: $!\n"; | |
| 309 | |
| 310 system("openssl ocsp -index $d/certindex -CA $d/root.crt " | |
| 311 . "-rsigner $d/root.crt -rkey $d/root.key " | |
| 312 . "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 " | |
| 313 . ">>$d/openssl.out 2>&1") == 0 | |
| 314 or die "Can't create OCSP response: $!\n"; | |
| 315 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
316 like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many'); |
| 1570 | 317 |
| 318 # store into ssl_ocsp_cache | |
| 319 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
320 like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store'); |
| 1570 | 321 |
| 322 # revoke | |
| 323 | |
| 324 system("openssl ca -config $d/ca.conf -revoke $d/end.crt " | |
| 325 . "-keyfile $d/root.key -cert $d/root.crt " | |
| 326 . ">>$d/openssl.out 2>&1") == 0 | |
| 327 or die "Can't revoke end.crt: $!\n"; | |
| 328 | |
| 329 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " | |
| 330 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 | |
| 331 or die "Can't create OCSP request: $!\n"; | |
| 332 | |
| 333 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 334 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 335 . "-reqin $d/req.der -respout $d/revoked.der -ndays 1 " | |
| 336 . ">>$d/openssl.out 2>&1") == 0 | |
| 337 or die "Can't create OCSP response: $!\n"; | |
| 338 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
339 like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked'); |
| 1570 | 340 |
| 341 # with different responder where it's still valid | |
| 342 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
343 like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder'); |
| 1570 | 344 |
| 345 # with different context to responder where it's still valid | |
| 346 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
347 like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context'); |
| 1570 | 348 |
| 349 # with cached ocsp response it's still valid | |
| 350 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
351 like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup'); |
| 1570 | 352 |
| 353 # ocsp end response signed with invalid (root) cert, expect HTTP 400 | |
| 354 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
355 like(get('ec-end'), |
| 1570 | 356 qr/400 Bad.*FAILED:certificate status request failed/s, |
| 357 'root ca not trusted'); | |
| 358 | |
| 359 # now sign ocsp end response with valid int cert | |
| 360 | |
| 361 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 362 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 363 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 364 . ">>$d/openssl.out 2>&1") == 0 | |
| 365 or die "Can't create EC OCSP response: $!\n"; | |
| 366 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
367 like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa'); |
| 1570 | 368 |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
369 my ($s, $ssl) = get('ec-end'); |
| 1570 | 370 my $ses = Net::SSLeay::get_session($ssl); |
| 371 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
372 like(get('ec-end', ses => $ses), |
| 1570 | 373 qr/200 OK.*SUCCESS:r/s, 'session reused'); |
| 374 | |
| 375 # revoke with saved session | |
| 376 | |
| 377 system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt " | |
| 378 . "-keyfile $d/root.key -cert $d/root.crt " | |
| 379 . ">>$d/openssl.out 2>&1") == 0 | |
| 380 or die "Can't revoke end.crt: $!\n"; | |
| 381 | |
| 382 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " | |
| 383 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 | |
| 384 or die "Can't create OCSP request: $!\n"; | |
| 385 | |
| 386 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 387 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 388 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 389 . ">>$d/openssl.out 2>&1") == 0 | |
| 390 or die "Can't create OCSP response: $!\n"; | |
| 391 | |
| 392 # reusing session with revoked certificate | |
| 393 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
394 like(get('ec-end', ses => $ses), |
| 1570 | 395 qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked'); |
| 396 | |
| 397 # regression test for self-signed | |
| 398 | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
399 like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one'); |
|
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
400 |
|
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
401 # check for errors |
|
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
402 |
|
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
403 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit'); |
| 1570 | 404 |
| 405 ############################################################################### | |
| 406 | |
| 407 sub get { | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
408 my ($cert, %extra) = @_; |
|
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
409 my ($s, $ssl) = get_ssl_socket($cert, %extra); |
| 1570 | 410 my $cipher = Net::SSLeay::get_cipher($ssl); |
| 411 Test::Nginx::log_core('||', "cipher: $cipher"); | |
| 412 my $host = $extra{sni} ? $extra{sni} : 'localhost'; | |
|
1846
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
413 local $SIG{PIPE} = 'IGNORE'; |
|
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
414 log_out("GET /serial HTTP/1.0\nHost: $host\n\n"); |
| 1570 | 415 Net::SSLeay::write($ssl, "GET /serial HTTP/1.0\nHost: $host\n\n"); |
| 416 my $r = Net::SSLeay::read($ssl); | |
|
1846
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
417 log_in($r); |
| 1570 | 418 $s->close(); |
| 419 return $r unless wantarray(); | |
| 420 return ($s, $ssl); | |
| 421 } | |
| 422 | |
| 423 sub get_ssl_socket { | |
|
1847
a9704b9ed7a2
Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1846
diff
changeset
|
424 my ($cert, %extra) = @_; |
| 1570 | 425 my $ses = $extra{ses}; |
| 426 my $sni = $extra{sni}; | |
| 427 my $port = $extra{port} || 8443; | |
| 428 my $s; | |
| 429 | |
| 430 eval { | |
| 431 local $SIG{ALRM} = sub { die "timeout\n" }; | |
| 432 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
| 433 alarm(8); | |
| 434 $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); | |
| 435 alarm(0); | |
| 436 }; | |
| 437 alarm(0); | |
| 438 | |
| 439 if ($@) { | |
| 440 log_in("died: $@"); | |
| 441 return undef; | |
| 442 } | |
| 443 | |
| 444 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
| 445 | |
| 446 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key") | |
| 447 or die if $cert; | |
| 448 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | |
| 449 Net::SSLeay::set_session($ssl, $ses) if defined $ses; | |
| 450 Net::SSLeay::set_tlsext_host_name($ssl, $sni) if $sni; | |
| 451 Net::SSLeay::set_fd($ssl, fileno($s)); | |
| 452 Net::SSLeay::connect($ssl) or die("ssl connect"); | |
| 453 return ($s, $ssl); | |
| 454 } | |
| 455 | |
| 456 sub get_version { | |
| 457 my ($s, $ssl) = get_ssl_socket(); | |
| 458 return Net::SSLeay::version($ssl); | |
| 459 } | |
| 460 | |
| 461 ############################################################################### | |
| 462 | |
| 463 sub http_daemon { | |
| 464 my ($t, $port) = @_; | |
| 465 my $server = IO::Socket::INET->new( | |
| 466 Proto => 'tcp', | |
| 467 LocalHost => "127.0.0.1:$port", | |
| 468 Listen => 5, | |
| 469 Reuse => 1 | |
| 470 ) | |
| 471 or die "Can't create listening socket: $!\n"; | |
| 472 | |
| 473 local $SIG{PIPE} = 'IGNORE'; | |
| 474 | |
| 475 while (my $client = $server->accept()) { | |
| 476 $client->autoflush(1); | |
| 477 | |
| 478 my $headers = ''; | |
| 479 my $uri = ''; | |
| 480 my $resp; | |
| 481 | |
| 482 while (<$client>) { | |
|
1846
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
483 Test::Nginx::log_core('||', $_); |
| 1570 | 484 $headers .= $_; |
| 485 last if (/^\x0d?\x0a?$/); | |
| 486 } | |
| 487 | |
| 488 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i; | |
| 489 next unless $uri; | |
| 490 | |
| 491 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; | |
| 492 my $req = decode_base64($uri); | |
| 493 | |
| 494 if (index($req, $serial_int) > 0) { | |
| 495 $resp = 'int-resp'; | |
| 496 | |
| 497 } elsif (index($req, $serial) > 0) { | |
| 498 $resp = 'resp'; | |
| 499 | |
| 500 # used to differentiate ssl_ocsp_responder | |
| 501 | |
| 502 if ($port == port(8081) && -e "$d/revoked.der") { | |
| 503 $resp = 'revoked'; | |
| 504 } | |
| 505 | |
| 506 } else { | |
| 507 $resp = 'ec-resp'; | |
| 508 } | |
| 509 | |
|
1636
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
510 next unless -s "$d/$resp.der"; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
511 |
| 1570 | 512 # ocsp dummy handler |
| 513 | |
| 514 select undef, undef, undef, 0.02; | |
| 515 | |
| 516 $headers = <<"EOF"; | |
| 517 HTTP/1.1 200 OK | |
| 518 Connection: close | |
| 519 Content-Type: application/ocsp-response | |
| 520 | |
| 521 EOF | |
| 522 | |
|
1636
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
523 local $/; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
524 open my $fh, '<', "$d/$resp.der" |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
525 or die "Can't open $resp.der: $!"; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
526 binmode $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
527 my $content = <$fh>; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
528 close $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
529 |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
530 print $client $headers . $content; |
| 1570 | 531 } |
| 532 } | |
| 533 | |
| 534 ############################################################################### |