nginx-tests: ssl_ocsp.t annotate

annotate ssl_ocsp.t @ 1974:b5036a0f9ae0 default tip

Tests: improved compatibility when using recent "openssl" app. Starting with OpenSSL 3.0, "openssl genrsa" generates encrypted keys in PKCS#8 format instead of previously used PKCS#1 format. Further, since OpenSSL 1.1.0 such keys are using PBKDF2 hmacWithSHA256. Such keys are not supported by old SSL libraries, notably by OpenSSL before 1.0.0 (OpenSSL 0.9.8 only supports hmacWithSHA1) and by BoringSSL before May 21, 2019 (support for hmacWithSHA256 was added in 302a4dee6c), and trying to load such keys into nginx compiled with an old SSL library results in "unsupported prf" errors. To facilitate testing with old SSL libraries, keys are now generated with "openssl genrsa -traditional" if the flag is available.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Mon, 06 May 2024 00:04:26 +0300
parents	c924ae8d7104
children

rev	line source
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	1 #!/usr/bin/perl
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	2
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	3 # (C) Sergey Kandaurov
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	4 # (C) Nginx, Inc.
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	5
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	6 # Tests for OCSP with client certificates.
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	7
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	8 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	9
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	10 use warnings;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	11 use strict;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	12
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	13 use Test::More;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	14
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	15 use MIME::Base64 qw/ decode_base64 /;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	16
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	17 BEGIN { use FindBin; chdir($FindBin::Bin); }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	18
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	19 use lib 'lib';
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	20 use Test::Nginx qw/ :DEFAULT http_end /;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	21
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	22 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	23
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	24 select STDERR; $\| = 1;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	25 select STDOUT; $\| = 1;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	26
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	27 my $t = Test::Nginx->new()->has(qw/http http_ssl sni socket_ssl_sni/)
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	28 ->has_daemon('openssl');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	29
1846 9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	30 plan(skip_all => 'no OCSP support in BoringSSL')
9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	31 if $t->has_module('BoringSSL');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	32
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	33 $t->write_file_expand('nginx.conf', <<'EOF');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	34
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	35 %%TEST_GLOBALS%%
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	36
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	37 daemon off;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	38
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	39 events {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	40 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	41
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	42 http {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	43 %%TEST_GLOBALS_HTTP%%
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	44
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	45 ssl_ocsp leaf;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	46 ssl_verify_client on;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	47 ssl_verify_depth 2;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	48 ssl_client_certificate trusted.crt;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	49
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	50 ssl_certificate_key rsa.key;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	51 ssl_certificate rsa.crt;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	52
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	53 ssl_session_cache shared:SSL:1m;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	54 ssl_session_tickets off;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	55
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	56 add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	57 add_header X-SSL-Protocol $ssl_protocol always;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	58
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	59 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	60 listen 127.0.0.1:8443 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	61 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	62 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	63
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	64 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	65 listen 127.0.0.1:8443 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	66 server_name sni;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	67
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	68 ssl_ocsp_responder http://127.0.0.1:8082;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	69 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	70
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	71 server {
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	72 listen 127.0.0.1:8443 ssl;
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	73 server_name resolver;
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	74
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	75 ssl_ocsp on;
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	76 }
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	77
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	78 server {
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	79 listen 127.0.0.1:8444 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	80 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	81
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	82 ssl_ocsp_responder http://127.0.0.1:8081;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	83 ssl_ocsp on;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	84 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	85
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	86 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	87 listen 127.0.0.1:8445 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	88 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	89
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	90 ssl_ocsp_responder http://127.0.0.1:8082;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	91 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	92
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	93 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	94 listen 127.0.0.1:8446 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	95 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	96
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	97 ssl_ocsp_cache shared:OCSP:1m;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	98 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	99
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	100 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	101 listen 127.0.0.1:8447 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	102 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	103
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	104 ssl_ocsp_responder http://127.0.0.1:8082;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	105 ssl_client_certificate root.crt;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	106 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	107 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	108
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	109 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	110
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	111 my $d = $t->testdir();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	112 my $p = port(8081);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	113
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	114 $t->write_file('openssl.conf', <<EOF);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	115 [ req ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	116 default_bits = 2048
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	117 encrypt_key = no
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	118 distinguished_name = req_distinguished_name
1945 0b5ec15c62ed Tests: compatibility with "openssl" app from OpenSSL 3.2.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1865 diff changeset	119 x509_extensions = myca_extensions
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	120 [ req_distinguished_name ]
1945 0b5ec15c62ed Tests: compatibility with "openssl" app from OpenSSL 3.2.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1865 diff changeset	121 [ myca_extensions ]
0b5ec15c62ed Tests: compatibility with "openssl" app from OpenSSL 3.2.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1865 diff changeset	122 basicConstraints = critical,CA:TRUE
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	123 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	124
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	125 $t->write_file('ca.conf', <<EOF);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	126 [ ca ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	127 default_ca = myca
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	128
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	129 [ myca ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	130 new_certs_dir = $d
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	131 database = $d/certindex
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	132 default_md = sha256
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	133 policy = myca_policy
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	134 serial = $d/certserial
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	135 default_days = 1
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	136 x509_extensions = myca_extensions
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	137
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	138 [ myca_policy ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	139 commonName = supplied
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	140
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	141 [ myca_extensions ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	142 basicConstraints = critical,CA:TRUE
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	143 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	144 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	145
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	146 # variant for int.crt to trigger missing resolver
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	147
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	148 $t->write_file('ca2.conf', <<EOF);
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	149 [ ca ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	150 default_ca = myca
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	151
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	152 [ myca ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	153 new_certs_dir = $d
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	154 database = $d/certindex
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	155 default_md = sha256
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	156 policy = myca_policy
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	157 serial = $d/certserial
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	158 default_days = 1
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	159 x509_extensions = myca_extensions
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	160
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	161 [ myca_policy ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	162 commonName = supplied
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	163
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	164 [ myca_extensions ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	165 basicConstraints = critical,CA:TRUE
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	166 authorityInfoAccess = OCSP;URI:http://localhost:$p
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	167 EOF
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	168
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	169 foreach my $name ('root') {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	170 system('openssl req -x509 -new '
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	171 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	172 . "-out $d/$name.crt -keyout $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	173 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	174 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	175 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	176
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	177 foreach my $name ('int', 'end') {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	178 system("openssl req -new "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	179 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	180 . "-out $d/$name.csr -keyout $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	181 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	182 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	183 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	184
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	185 foreach my $name ('ec-end') {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	186 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	187 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	188 or die "Can't create EC param: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	189 system("openssl req -new -key $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	190 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	191 . "-out $d/$name.csr "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	192 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	193 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	194 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	195
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	196 $t->write_file('certserial', '1000');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	197 $t->write_file('certindex', '');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	198
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	199 system("openssl ca -batch -config $d/ca2.conf "
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	200 . "-keyfile $d/root.key -cert $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	201 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	202 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	203 or die "Can't sign certificate for int: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	204
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	205 system("openssl ca -batch -config $d/ca.conf "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	206 . "-keyfile $d/int.key -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	207 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	208 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	209 or die "Can't sign certificate for ec-end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	210
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	211 system("openssl ca -batch -config $d/ca.conf "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	212 . "-keyfile $d/int.key -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	213 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	214 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	215 or die "Can't sign certificate for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	216
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	217 # RFC 6960, serialNumber
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	218
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	219 system("openssl x509 -in $d/int.crt -serial -noout "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	220 . ">>$d/serial_int 2>>$d/openssl.out") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	221 or die "Can't obtain serial for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	222
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	223 my $serial_int = pack("n2", 0x0202, hex $1)
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	224 if $t->read_file('serial_int') =~ /(\d+)/;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	225
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	226 system("openssl x509 -in $d/end.crt -serial -noout "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	227 . ">>$d/serial 2>>$d/openssl.out") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	228 or die "Can't obtain serial for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	229
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	230 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	231
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	232 # ocsp end
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	233
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	234 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	235 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	236 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	237
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	238 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	239 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	240 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	241 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	242 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	243
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	244 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	245 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	246 or die "Can't create EC OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	247
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	248 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	249 . "-rsigner $d/root.crt -rkey $d/root.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	250 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	251 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	252 or die "Can't create EC OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	253
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	254 $t->write_file('trusted.crt',
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	255 $t->read_file('int.crt') . $t->read_file('root.crt'));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	256
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	257 # server cert/key
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	258
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	259 foreach my $name ('rsa') {
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	260 system('openssl req -x509 -new '
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	261 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	262 . "-out $d/$name.crt -keyout $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	263 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	264 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	265 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	266
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	267 $t->run_daemon(\&http_daemon, $t, port(8081));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	268 $t->run_daemon(\&http_daemon, $t, port(8082));
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	269 $t->run()->plan(15);
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	270
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	271 $t->waitforsocket("127.0.0.1:" . port(8081));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	272 $t->waitforsocket("127.0.0.1:" . port(8082));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	273
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	274 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	275
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	276 like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	277
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	278 # demonstrate that ocsp int request is failed due to missing resolver
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	279
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	280 like(get('end', sni => 'resolver'),
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	281 qr/400 Bad.*FAILED:certificate status request failed/s,
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	282 'ocsp many failed request');
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	283
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	284 # demonstrate that ocsp int request is actually made by failing ocsp response
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	285
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	286 like(get('end', port => 8444),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	287 qr/400 Bad.*FAILED:certificate status request failed/s,
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	288 'ocsp many failed');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	289
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	290 # now prepare valid ocsp int response
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	291
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	292 system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	293 . "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	294 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	295
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	296 system("openssl ocsp -index $d/certindex -CA $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	297 . "-rsigner $d/root.crt -rkey $d/root.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	298 . "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	299 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	300 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	301
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	302 like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	303
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	304 # store into ssl_ocsp_cache
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	305
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	306 like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	307
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	308 # revoke
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	309
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	310 system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	311 . "-keyfile $d/root.key -cert $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	312 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	313 or die "Can't revoke end.crt: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	314
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	315 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	316 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	317 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	318
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	319 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	320 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	321 . "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	322 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	323 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	324
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	325 like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	326
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	327 # with different responder where it's still valid
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	328
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	329 like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	330
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	331 # with different context to responder where it's still valid
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	332
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	333 like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	334
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	335 # with cached ocsp response it's still valid
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	336
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	337 like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	338
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	339 # ocsp end response signed with invalid (root) cert, expect HTTP 400
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	340
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	341 like(get('ec-end'),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	342 qr/400 Bad.*FAILED:certificate status request failed/s,
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	343 'root ca not trusted');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	344
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	345 # now sign ocsp end response with valid int cert
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	346
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	347 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	348 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	349 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	350 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	351 or die "Can't create EC OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	352
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	353 like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	354
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	355 my $s = session('ec-end');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	356
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	357 TODO: {
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	358 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	359 if $Net::SSLeay::VERSION < 1.88 && test_tls13();
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	360 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	361 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	362 local $TODO = 'no TLSv1.3 sessions in LibreSSL'
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	363 if $t->has_module('LibreSSL') && test_tls13();
1966 c924ae8d7104 Tests: session reuse handling with Net::SSLeay with LibreSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1945 diff changeset	364 local $TODO = 'no TLSv1.3 sessions in Net::SSLeay (LibreSSL)'
c924ae8d7104 Tests: session reuse handling with Net::SSLeay with LibreSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1945 diff changeset	365 if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	366
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	367 like(get('ec-end', ses => $s),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	368 qr/200 OK.*SUCCESS:r/s, 'session reused');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	369
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	370 }
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	371
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	372 # revoke with saved session
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	373
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	374 system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	375 . "-keyfile $d/root.key -cert $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	376 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	377 or die "Can't revoke end.crt: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	378
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	379 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	380 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	381 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	382
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	383 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	384 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	385 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	386 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	387 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	388
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	389 # reusing session with revoked certificate
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	390
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	391 TODO: {
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	392 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	393 if $Net::SSLeay::VERSION < 1.88 && test_tls13();
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	394 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	395 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	396 local $TODO = 'no TLSv1.3 sessions in LibreSSL'
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	397 if $t->has_module('LibreSSL') && test_tls13();
1966 c924ae8d7104 Tests: session reuse handling with Net::SSLeay with LibreSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1945 diff changeset	398 local $TODO = 'no TLSv1.3 sessions in Net::SSLeay (LibreSSL)'
c924ae8d7104 Tests: session reuse handling with Net::SSLeay with LibreSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1945 diff changeset	399 if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	400
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	401 like(get('ec-end', ses => $s),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	402 qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	403
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	404 }
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	405
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	406 # regression test for self-signed
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	407
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	408 like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	409
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	410 # check for errors
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	411
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	412 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	413
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	414 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	415
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	416 sub get {
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	417 my $s = get_socket(@_) \|\| return;
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	418 return http_end($s);
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	419 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	420
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	421 sub session {
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	422 my $s = get_socket(@_) \|\| return;
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	423 http_end($s);
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	424 return $s;
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	425 }
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	426
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	427 sub get_socket {
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	428 my ($cert, %extra) = @_;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	429 my $ses = $extra{ses};
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	430 my $sni = $extra{sni} \|\| 'localhost';
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	431 my $port = $extra{port} \|\| 8443;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	432
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	433 return http(
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	434 "GET /serial HTTP/1.0\nHost: $sni\n\n",
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	435 start => 1, PeerAddr => '127.0.0.1:' . port($port),
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	436 SSL => 1,
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	437 SSL_hostname => $sni,
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	438 SSL_session_cache_size => 100,
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	439 SSL_reuse_ctx => $ses,
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	440 $cert ? (
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	441 SSL_cert_file => "$d/$cert.crt",
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	442 SSL_key_file => "$d/$cert.key"
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	443 ) : ()
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	444 );
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	445 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	446
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	447 sub test_tls13 {
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	448 return http_get('/', SSL => 1) =~ /TLSv1.3/;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	449 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	450
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	451 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	452
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	453 sub http_daemon {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	454 my ($t, $port) = @_;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	455 my $server = IO::Socket::INET->new(
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	456 Proto => 'tcp',
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	457 LocalHost => "127.0.0.1:$port",
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	458 Listen => 5,
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	459 Reuse => 1
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	460 )
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	461 or die "Can't create listening socket: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	462
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	463 local $SIG{PIPE} = 'IGNORE';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	464
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	465 while (my $client = $server->accept()) {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	466 $client->autoflush(1);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	467
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	468 my $headers = '';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	469 my $uri = '';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	470 my $resp;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	471
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	472 while (<$client>) {
1846 9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	473 Test::Nginx::log_core('\|\|', $_);
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	474 $headers .= $_;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	475 last if (/^\x0d?\x0a?$/);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	476 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	477
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	478 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	479 next unless $uri;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	480
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	481 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	482 my $req = decode_base64($uri);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	483
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	484 if (index($req, $serial_int) > 0) {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	485 $resp = 'int-resp';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	486
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	487 } elsif (index($req, $serial) > 0) {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	488 $resp = 'resp';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	489
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	490 # used to differentiate ssl_ocsp_responder
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	491
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	492 if ($port == port(8081) && -e "$d/revoked.der") {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	493 $resp = 'revoked';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	494 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	495
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	496 } else {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	497 $resp = 'ec-resp';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	498 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	499
1636 2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	500 next unless -s "$d/$resp.der";
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	501
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	502 # ocsp dummy handler
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	503
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	504 select undef, undef, undef, 0.02;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	505
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	506 $headers = <<"EOF";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	507 HTTP/1.1 200 OK
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	508 Connection: close
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	509 Content-Type: application/ocsp-response
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	510
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	511 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	512
1636 2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	513 local $/;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	514 open my $fh, '<', "$d/$resp.der"
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	515 or die "Can't open $resp.der: $!";
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	516 binmode $fh;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	517 my $content = <$fh>;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	518 close $fh;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	519
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	520 print $client $headers . $content;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	521 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	522 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	523
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	524 ###############################################################################

Mercurial > hg > nginx-tests

annotate ssl_ocsp.t @ 1974:b5036a0f9ae0 default tip