annotate ssl_ocsp.t @ 1938:e1059682aeef

Tests: fixed ClientHello with resending Initial QUIC packets. Previously it was rebuilt each time using distinct ClientHello.random resulting in different CRYPTO payload. As such, it led to TLS digest hash and derived secrets mismatch when resending Initial packet. Now ClientHello is built once and reused when resending Initial packets. Additionally, this required to preserve a generated secret value used in shared secret calculation as part of TLS key schedule. Previously it was regenerated when receiving a Retry packet, but this won't work with reused ClientHello as the resulting shared secrets won't match.
author Sergey Kandaurov <pluknet@nginx.com>
date Wed, 30 Aug 2023 02:22:58 +0400
parents 0e1865aa9b33
children 0b5ec15c62ed
rev   line source
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
  1 #!/usr/bin/perl
  2
  3 # (C) Sergey Kandaurov
  4 # (C) Nginx, Inc.
  5
  6 # Tests for OCSP with client certificates.
  7
  8 ###############################################################################
  9
 10 use warnings;
 11 use strict;
 12
 13 use Test::More;
 14
 15 use MIME::Base64 qw/ decode_base64 /;
 16
 17 BEGIN { use FindBin; chdir($FindBin::Bin); }
 18
 19 use lib 'lib';
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
 20 use Test::Nginx qw/ :DEFAULT http_end /;
1570
 21
 22 ###############################################################################
 23
 24 select STDERR; $| = 1;
 25 select STDOUT; $| = 1;
 26
1865
 27 my $t = Test::Nginx->new()->has(qw/http http_ssl sni socket_ssl_sni/)
 28     ->has_daemon('openssl');
1570
 29
1846
9d98c2ad3126 Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1693
 30 plan(skip_all => 'no OCSP support in BoringSSL')
 31     if $t->has_module('BoringSSL');
1570
 32
 33 $t->write_file_expand('nginx.conf', <<'EOF');
 34
 35 %%TEST_GLOBALS%%
 36
 37 daemon off;
 38
 39 events {
 40 }
 41
 42 http {
 43     %%TEST_GLOBALS_HTTP%%
 44
 45     ssl_ocsp leaf;
 46     ssl_verify_client on;
 47     ssl_verify_depth 2;
 48     ssl_client_certificate trusted.crt;
 49
 50     ssl_certificate_key rsa.key;
 51     ssl_certificate rsa.crt;
 52
 53     ssl_session_cache shared:SSL:1m;
 54     ssl_session_tickets off;
 55
 56     add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
1865
 57     add_header X-SSL-Protocol $ssl_protocol always;
1570
 58
 59     server {
 60         listen 127.0.0.1:8443 ssl;
 61         server_name localhost;
 62     }
 63
 64     server {
 65         listen 127.0.0.1:8443 ssl;
 66         server_name sni;
 67
 68         ssl_ocsp_responder http://127.0.0.1:8082;
 69     }
 70
 71     server {
1577
804a7409bc63 Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1570
 72         listen 127.0.0.1:8443 ssl;
 73         server_name resolver;
 74
 75         ssl_ocsp on;
 76     }
 77
 78     server {
1570
 79         listen 127.0.0.1:8444 ssl;
 80         server_name localhost;
 81
1577
 82         ssl_ocsp_responder http://127.0.0.1:8081;
1570
 83         ssl_ocsp on;
 84     }
 85
 86     server {
 87         listen 127.0.0.1:8445 ssl;
 88         server_name localhost;
 89
 90         ssl_ocsp_responder http://127.0.0.1:8082;
 91     }
 92
 93     server {
 94         listen 127.0.0.1:8446 ssl;
 95         server_name localhost;
 96
 97         ssl_ocsp_cache shared:OCSP:1m;
 98     }
 99
100     server {
101         listen 127.0.0.1:8447 ssl;
102         server_name localhost;
103
104         ssl_ocsp_responder http://127.0.0.1:8082;
105         ssl_client_certificate root.crt;
106     }
107 }
108
109 EOF
110
111 my $d = $t->testdir();
112 my $p = port(8081);
113
114 $t->write_file('openssl.conf', <<EOF);
115 [ req ]
116 default_bits = 2048
117 encrypt_key = no
118 distinguished_name = req_distinguished_name
119 [ req_distinguished_name ]
120 EOF
121
122 $t->write_file('ca.conf', <<EOF);
123 [ ca ]
124 default_ca = myca
125
126 [ myca ]
127 new_certs_dir = $d
128 database = $d/certindex
129 default_md = sha256
130 policy = myca_policy
131 serial = $d/certserial
132 default_days = 1
133 x509_extensions = myca_extensions
134
135 [ myca_policy ]
136 commonName = supplied
137
138 [ myca_extensions ]
139 basicConstraints = critical,CA:TRUE
140 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
141 EOF
142
1577
143 # variant for int.crt to trigger missing resolver
144
145 $t->write_file('ca2.conf', <<EOF);
146 [ ca ]
147 default_ca = myca
148
149 [ myca ]
150 new_certs_dir = $d
151 database = $d/certindex
152 default_md = sha256
153 policy = myca_policy
154 serial = $d/certserial
155 default_days = 1
156 x509_extensions = myca_extensions
157
158 [ myca_policy ]
159 commonName = supplied
160
161 [ myca_extensions ]
162 basicConstraints = critical,CA:TRUE
163 authorityInfoAccess = OCSP;URI:http://localhost:$p
164 EOF
165
1570
166 foreach my $name ('root') {
167     system('openssl req -x509 -new '
168         . "-config $d/openssl.conf -subj /CN=$name/ "
169         . "-out $d/$name.crt -keyout $d/$name.key "
170         . ">>$d/openssl.out 2>&1") == 0
171         or die "Can't create certificate for $name: $!\n";
172 }
173
174 foreach my $name ('int', 'end') {
175     system("openssl req -new "
176         . "-config $d/openssl.conf -subj /CN=$name/ "
177         . "-out $d/$name.csr -keyout $d/$name.key "
178         . ">>$d/openssl.out 2>&1") == 0
179         or die "Can't create certificate for $name: $!\n";
180 }
181
182 foreach my $name ('ec-end') {
183     system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
184         . ">>$d/openssl.out 2>&1") == 0
185         or die "Can't create EC param: $!\n";
186     system("openssl req -new -key $d/$name.key "
187         . "-config $d/openssl.conf -subj /CN=$name/ "
188         . "-out $d/$name.csr "
189         . ">>$d/openssl.out 2>&1") == 0
190         or die "Can't create certificate for $name: $!\n";
191 }
192
193 $t->write_file('certserial', '1000');
194 $t->write_file('certindex', '');
195
1577
196 system("openssl ca -batch -config $d/ca2.conf "
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
197 . "-keyfile $d/root.key -cert $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
198 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
199 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
200 or die "Can't sign certificate for int: $!\n";
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
201
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
202 system("openssl ca -batch -config $d/ca.conf "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
203 . "-keyfile $d/int.key -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
204 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
205 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
206 or die "Can't sign certificate for ec-end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
207
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
208 system("openssl ca -batch -config $d/ca.conf "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
209 . "-keyfile $d/int.key -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
210 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
211 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
212 or die "Can't sign certificate for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
213
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
214 # RFC 6960, serialNumber
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
215
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
216 system("openssl x509 -in $d/int.crt -serial -noout "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
217 . ">>$d/serial_int 2>>$d/openssl.out") == 0
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
218 or die "Can't obtain serial for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
219
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
220 my $serial_int = pack("n2", 0x0202, hex $1)
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
221 if $t->read_file('serial_int') =~ /(\d+)/;
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
222
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
223 system("openssl x509 -in $d/end.crt -serial -noout "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
224 . ">>$d/serial 2>>$d/openssl.out") == 0
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
225 or die "Can't obtain serial for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
226
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
227 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/;
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
228
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
229 # ocsp end
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
230
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
231 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
232 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
233 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
234
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
235 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
236 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
237 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
238 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
239 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
240
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
241 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
242 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
243 or die "Can't create EC OCSP request: $!\n";
244
245 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
246 . "-rsigner $d/root.crt -rkey $d/root.key "
247 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
248 . ">>$d/openssl.out 2>&1") == 0
249 or die "Can't create EC OCSP response: $!\n";
250
251 $t->write_file('trusted.crt',
252 $t->read_file('int.crt') . $t->read_file('root.crt'));
253
254 # server cert/key
255
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
256 foreach my $name ('rsa') {
257 system('openssl req -x509 -new '
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
258 . "-config $d/openssl.conf -subj /CN=$name/ "
259 . "-out $d/$name.crt -keyout $d/$name.key "
260 . ">>$d/openssl.out 2>&1") == 0
261 or die "Can't create certificate for $name: $!\n";
262 }
263
264 $t->run_daemon(\&http_daemon, $t, port(8081));
265 $t->run_daemon(\&http_daemon, $t, port(8082));
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
266 $t->run()->plan(15);
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
267
268 $t->waitforsocket("127.0.0.1:" . port(8081));
269 $t->waitforsocket("127.0.0.1:" . port(8082));
270
271 ###############################################################################
272
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
273 like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
274
1577
804a7409bc63 Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1570
diff changeset
275 # demonstrate that ocsp int request is failed due to missing resolver
276
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
277 like(get('end', sni => 'resolver'),
1577
804a7409bc63 Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1570
diff changeset
278 qr/400 Bad.*FAILED:certificate status request failed/s,
279 'ocsp many failed request');
280
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
281 # demonstrate that ocsp int request is actually made by failing ocsp response
282
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
283 like(get('end', port => 8444),
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
284 qr/400 Bad.*FAILED:certificate status request failed/s,
285 'ocsp many failed');
286
287 # now prepare valid ocsp int response
288
289 system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
290 . "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
291 or die "Can't create OCSP request: $!\n";
292
293 system("openssl ocsp -index $d/certindex -CA $d/root.crt "
294 . "-rsigner $d/root.crt -rkey $d/root.key "
295 . "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
296 . ">>$d/openssl.out 2>&1") == 0
297 or die "Can't create OCSP response: $!\n";
298
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
299 like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
300
301 # store into ssl_ocsp_cache
302
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
303 like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
304
305 # revoke
306
307 system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
308 . "-keyfile $d/root.key -cert $d/root.crt "
309 . ">>$d/openssl.out 2>&1") == 0
310 or die "Can't revoke end.crt: $!\n";
311
312 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
313 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
314 or die "Can't create OCSP request: $!\n";
315
316 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
317 . "-rsigner $d/int.crt -rkey $d/int.key "
318 . "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
319 . ">>$d/openssl.out 2>&1") == 0
320 or die "Can't create OCSP response: $!\n";
321
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
322 like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
323
324 # with different responder where it's still valid
325
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
326 like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
327
328 # with different context to responder where it's still valid
329
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
330 like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
331
332 # with cached ocsp response it's still valid
333
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
334 like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
335
336 # ocsp end response signed with invalid (root) cert, expect HTTP 400
337
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
338 like(get('ec-end'),
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
339 qr/400 Bad.*FAILED:certificate status request failed/s,
340 'root ca not trusted');
341
342 # now sign ocsp end response with valid int cert
343
344 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
345 . "-rsigner $d/int.crt -rkey $d/int.key "
346 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
347 . ">>$d/openssl.out 2>&1") == 0
348 or die "Can't create EC OCSP response: $!\n";
349
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
350 like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
351
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
352 my $s = session('ec-end');
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
353
1848
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1847
diff changeset
354 TODO: {
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
355 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
356 if $Net::SSLeay::VERSION < 1.88 && test_tls13();
357 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
358 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
1848
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1847
diff changeset
359 local $TODO = 'no TLSv1.3 sessions in LibreSSL'
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
360 if $t->has_module('LibreSSL') && test_tls13();
1848
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1847
diff changeset
361
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
362 like(get('ec-end', ses => $s),
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
363 qr/200 OK.*SUCCESS:r/s, 'session reused');
364
1848
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1847
diff changeset
365 }
366
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
367 # revoke with saved session
368
369 system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
370 . "-keyfile $d/root.key -cert $d/root.crt "
371 . ">>$d/openssl.out 2>&1") == 0
372 or die "Can't revoke end.crt: $!\n";
373
374 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
375 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
376 or die "Can't create OCSP request: $!\n";
377
378 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
379 . "-rsigner $d/int.crt -rkey $d/int.key "
380 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
381 . ">>$d/openssl.out 2>&1") == 0
382 or die "Can't create OCSP response: $!\n";
383
384 # reusing session with revoked certificate
385
1848
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1847
diff changeset
386 TODO: {
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
387 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
388 if $Net::SSLeay::VERSION < 1.88 && test_tls13();
389 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
390 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
1848
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1847
diff changeset
391 local $TODO = 'no TLSv1.3 sessions in LibreSSL'
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
392 if $t->has_module('LibreSSL') && test_tls13();
1848
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1847
diff changeset
393
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
394 like(get('ec-end', ses => $s),
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
395 qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
396
1848
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1847
diff changeset
397 }
398
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
399 # regression test for self-signed
400
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
401 like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
402
403 # check for errors
404
405 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
406
407 ###############################################################################
408
409 sub get {
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
410 my $s = get_socket(@_) || return;
411 return http_end($s);
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
412 }
413
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
414 sub session {
415 my $s = get_socket(@_) || return;
416 http_end($s);
417 return $s;
418 }
419
420 sub get_socket {
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
421 my ($cert, %extra) = @_;
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
422 my $ses = $extra{ses};
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
423 my $sni = $extra{sni} || 'localhost';
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
424 my $port = $extra{port} || 8443;
425
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
426 return http(
427 "GET /serial HTTP/1.0\nHost: $sni\n\n",
428 start => 1, PeerAddr => '127.0.0.1:' . port($port),
429 SSL => 1,
430 SSL_hostname => $sni,
431 SSL_session_cache_size => 100,
432 SSL_reuse_ctx => $ses,
433 $cert ? (
434 SSL_cert_file => "$d/$cert.crt",
435 SSL_key_file => "$d/$cert.key"
436 ) : ()
437 );
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
438 }
439
1865
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1848
diff changeset
440 sub test_tls13 {
441 return http_get('/', SSL => 1) =~ /TLSv1.3/;
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
442 }
443
444 ###############################################################################
445
446 sub http_daemon {
447 my ($t, $port) = @_;
448 my $server = IO::Socket::INET->new(
449 Proto => 'tcp',
450 LocalHost => "127.0.0.1:$port",
451 Listen => 5,
452 Reuse => 1
453 )
454 or die "Can't create listening socket: $!\n";
455
456 local $SIG{PIPE} = 'IGNORE';
457
458 while (my $client = $server->accept()) {
459 $client->autoflush(1);
460
461 my $headers = '';
462 my $uri = '';
463 my $resp;
464
465 while (<$client>) {
1846
9d98c2ad3126 Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1693
diff changeset
466 Test::Nginx::log_core('||', $_);
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
467 $headers .= $_;
468 last if (/^\x0d?\x0a?$/);
469 }
470
471 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
472 next unless $uri;
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
473
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
474 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
475 my $req = decode_base64($uri);
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
476
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
477 if (index($req, $serial_int) > 0) {
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
478 $resp = 'int-resp';
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
479
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
480 } elsif (index($req, $serial) > 0) {
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
481 $resp = 'resp';
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
482
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
483 # used to differentiate ssl_ocsp_responder
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
484
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
485 if ($port == port(8081) && -e "$d/revoked.der") {
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
486 $resp = 'revoked';
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
487 }
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
488
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
489 } else {
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
490 $resp = 'ec-resp';
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
491 }
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
492
1636
2d371452658c Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1577
diff changeset
493         next unless -s "$d/$resp.der";
494
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
495         # ocsp dummy handler
496
497         select undef, undef, undef, 0.02;
498
499         $headers = <<"EOF";
500 HTTP/1.1 200 OK
501 Connection: close
502 Content-Type: application/ocsp-response
503
504 EOF
505
1636
2d371452658c Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1577
diff changeset
506         local $/;
507         open my $fh, '<', "$d/$resp.der"
508             or die "Can't open $resp.der: $!";
509         binmode $fh;
510         my $content = <$fh>;
511         close $fh;
512
513         print $client $headers . $content;
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
514     }
515 }
516
517 ###############################################################################