annotate ssl_password_file.t @ 1974:b5036a0f9ae0 default tip

Tests: improved compatibility when using recent "openssl" app. Starting with OpenSSL 3.0, "openssl genrsa" generates encrypted keys in PKCS#8 format instead of previously used PKCS#1 format. Further, since OpenSSL 1.1.0 such keys are using PBKDF2 hmacWithSHA256. Such keys are not supported by old SSL libraries, notably by OpenSSL before 1.0.0 (OpenSSL 0.9.8 only supports hmacWithSHA1) and by BoringSSL before May 21, 2019 (support for hmacWithSHA256 was added in 302a4dee6c), and trying to load such keys into nginx compiled with an old SSL library results in "unsupported prf" errors. To facilitate testing with old SSL libraries, keys are now generated with "openssl genrsa -traditional" if the flag is available.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 06 May 2024 00:04:26 +0300
parents a797d7428fa5
children
changesets referenced below (rev, changeset, summary, author, parents):
 420  a37ec4447597  Tests: ssl_password_file tests. (Sergey Kandaurov <pluknet@nginx.com>)
 421  e8db4355fe0b  Tests: fixed building the server_names_hash. (Sergey Kandaurov <pluknet@nginx.com>; parents: 420)
 431  05c46688b54b  Tests: ssl_password_file.t fixes. (Maxim Dounin <mdounin@mdounin.ru>; parents: 430)
 496  d13ea470657d  Tests: fixed indentation. (Sergey Kandaurov <pluknet@nginx.com>; parents: 480)
 974  882267679006  Tests: simplified parallel modifications in tests. (Andrey Zelenkov <zelenkov@nginx.com>; parents: 952)
1087  534d209f6ae4  Tests: fixed ssl_password_file test hang with missing FIFO reader. (Sergey Kandaurov <pluknet@nginx.com>; parents: 1039)
1220  0af58b78df35  Tests: removed single quotes from system() calls. (Sergey Kandaurov <pluknet@nginx.com>; parents: 1140)
1488  dbce8fb5f5f8  Tests: align with OpenSSL security level 2. (Sergey Kandaurov <pluknet@nginx.com>; parents: 1421)
1858  cdcd75657e52  Tests: added has_feature() tests for IO::Socket::SSL. (Maxim Dounin <mdounin@mdounin.ru>; parents: 1488)
1866  a797d7428fa5  Tests: simplified http SSL tests with IO::Socket::SSL. (Maxim Dounin <mdounin@mdounin.ru>; parents: 1858)
1974  b5036a0f9ae0  Tests: improved compatibility when using recent "openssl" app. (Maxim Dounin <mdounin@mdounin.ru>; parents: 1866)

 rev  line source
 420     1 #!/usr/bin/perl
 420     2
 420     3 # (C) Sergey Kandaurov
 420     4 # (C) Nginx, Inc.
 420     5
 420     6 # Tests for ssl_password_file directive.
 420     7
 420     8 ###############################################################################
 420     9
 420    10 use warnings;
 420    11 use strict;
 420    12
 420    13 use Test::More;
 420    14
 420    15 use POSIX qw/ mkfifo /;
 420    16 use Socket qw/ $CRLF /;
 420    17
 420    18 BEGIN { use FindBin; chdir($FindBin::Bin); }
 420    19
 420    20 use lib 'lib';
 420    21 use Test::Nginx;
 420    22
 420    23 ###############################################################################
 420    24
 420    25 select STDERR; $| = 1;
 420    26 select STDOUT; $| = 1;
 420    27
 420    28 plan(skip_all => 'win32') if $^O eq 'MSWin32';
 420    29
1858    30 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite socket_ssl/)
 431    31     ->has_daemon('openssl');
 420    32
 420    33 $t->plan(3)->write_file_expand('nginx.conf', <<'EOF');
 420    34
 420    35 %%TEST_GLOBALS%%
 420    36
 420    37 daemon off;
 420    38
 420    39 events {
 420    40 }
 420    41
 420    42 http {
 420    43     %%TEST_GLOBALS_HTTP%%
 420    44
 420    45     ssl_certificate_key localhost.key;
 420    46     ssl_certificate localhost.crt;
 420    47
 420    48     # inherited by server "inherits"
 420    49     ssl_password_file password_http;
 420    50
 420    51     server {
1866    52         listen 127.0.0.1:8443 ssl;
 974    53         listen 127.0.0.1:8080;
 420    54         server_name localhost;
 420    55
 420    56         ssl_password_file password;
 420    57
 420    58         location / {
 496    59             return 200 "$scheme";
 420    60         }
 420    61     }
 420    62
 420    63     server {
 974    64         listen 127.0.0.1:8080;
 421    65         server_name two_entries;
 420    66
 420    67         ssl_password_file password_many;
 420    68     }
 420    69
 420    70     server {
 974    71         listen 127.0.0.1:8080;
 420    72         server_name file_is_fifo;
 420    73
 420    74         ssl_password_file password_fifo;
 420    75     }
 420    76
 420    77     server {
 974    78         listen 127.0.0.1:8080;
 420    79         server_name inherits;
 420    80
 420    81         ssl_certificate_key inherits.key;
 420    82         ssl_certificate inherits.crt;
 420    83     }
 420    84 }
 420    85
 420    86 EOF
 420    87
 420    88 $t->write_file('openssl.conf', <<EOF);
 420    89 [ req ]
1488    90 default_bits = 2048
 420    91 encrypt_key = no
 420    92 distinguished_name = req_distinguished_name
 420    93 [ req_distinguished_name ]
 420    94 EOF
 420    95
 420    96 my $d = $t->testdir();
1974    97 my $tr = `openssl genrsa -help 2>&1` =~ /-traditional/ ? '-traditional' : '';
1974    98
 420    99 mkfifo("$d/password_fifo", 0700);
 420   100
 420   101 foreach my $name ('localhost', 'inherits') {
1220   102     system("openssl genrsa -out $d/$name.key -passout pass:$name "
1974   103         . "-aes128 $tr 2048 >>$d/openssl.out 2>&1") == 0
 420   104         or die "Can't create private key: $!\n";
 420   105     system('openssl req -x509 -new '
1220   106         . "-config $d/openssl.conf -subj /CN=$name/ "
1220   107         . "-out $d/$name.crt "
1220   108         . "-key $d/$name.key -passin pass:$name"
 420   109         . ">>$d/openssl.out 2>&1") == 0
 420   110         or die "Can't create certificate for $name: $!\n";
 420   111 }
 420   112
 420   113 $t->write_file('password', 'localhost');
 420   114 $t->write_file('password_many', "wrong$CRLF" . "localhost$CRLF");
 420   115 $t->write_file('password_http', 'inherits');
 420   116
1087   117 my $p = fork();
1087   118 exec("echo localhost > $d/password_fifo") if $p == 0;
 420   119
 420   120 # do not mangle with try_run()
 420   121 # we need to distinguish ssl_password_file support vs its brokenness
 420   122
 420   123 eval {
 420   124     open OLDERR, ">&", \*STDERR; close STDERR;
 420   125     $t->run();
 420   126     open STDERR, ">&", \*OLDERR;
 420   127 };
1087   128 kill 'INT', $p if $@;
 420   129
 420   130 ###############################################################################
 420   131
 420   132 is($@, '', 'ssl_password_file works');
 420   133
 420   134 # simple tests to ensure that nothing broke with ssl_password_file directive
 420   135
 420   136 like(http_get('/'), qr/200 OK.*http/ms, 'http');
 420   137 like(http_get('/', SSL => 1), qr/200 OK.*https/ms, 'https');
 420   138
 420   139 ###############################################################################
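
The commit message above separates traditional (PKCS#1) encrypted keys from PKCS#8 keys protected with PBKDF2 and hmacWithSHA256, the case it ties to "unsupported prf" errors on old SSL libraries. The following is an added example, not part of nginx-tests: a Python check that reports which of these a PEM key file is. The names `classify_key`, `der_oids` and `sample_pkcs8` are hypothetical, the OID values are those of RFC 8018, and both sample keys are constructed headers with dummy data.

```python
import base64
import re

# DER content octets (hex) of the RFC 8018 OIDs this check looks for
PBES2 = "2a864886f70d01050d"                   # 1.2.840.113549.1.5.13
PBKDF2 = "2a864886f70d01050c"                  # 1.2.840.113549.1.5.12
HMAC_ARC = "2a864886f70d02"                    # 1.2.840.113549.2.<last arc>
PRF_NAMES = {"07": "hmacWithSHA1", "09": "hmacWithSHA256"}

# Constructed sample: header shape of a traditional-format encrypted RSA key
SAMPLE_TRADITIONAL = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC," + "0" * 32 + "\n\nAAAA\n"
                      "-----END RSA PRIVATE KEY-----\n")

def der_oids(data):
    """Yield the hex content of every OID in a DER blob, recursing into SEQUENCEs."""
    i = 0
    while i + 2 <= len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        body, i = data[i:i + length], i + length
        if tag == 0x06:
            yield body.hex()
        elif tag & 0x20:                       # constructed value
            yield from der_oids(body)

def classify_key(pem):
    """Return (container, protection) for the first private key in PEM text."""
    m = re.search(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no private key PEM block found")
    label, body = m.groups()
    if label == "RSA PRIVATE KEY":             # PKCS#1 container
        dek = re.search(r"^DEK-Info:\s*([^,\s]+)", body, re.M)
        return ("PKCS#1", dek.group(1) if dek else "unencrypted")
    if label != "ENCRYPTED PRIVATE KEY":
        return (label, "not an encrypted PKCS#8 key")
    oids = list(der_oids(base64.b64decode(body)))
    if PBES2 not in oids or PBKDF2 not in oids:
        return ("PKCS#8", "not PBES2/PBKDF2")
    # The prf field is optional and defaults to hmacWithSHA1 (RFC 8018)
    arc = next((o[-2:] for o in oids if re.fullmatch(HMAC_ARC + "..", o)), "07")
    return ("PKCS#8", "PBKDF2 " + PRF_NAMES.get(arc, "prf 0x" + arc))

def _tlv(tag, body):
    return bytes([tag, len(body)]) + body      # short-form lengths suffice here

def sample_pkcs8(prf_arc):  # constructed sample: dummy salt, IV and ciphertext
    oid = lambda h: _tlv(0x06, bytes.fromhex(h))
    prf = _tlv(0x30, oid(HMAC_ARC + prf_arc) + b"\x05\x00") if prf_arc else b""
    pbkdf2 = _tlv(0x30, _tlv(0x04, b"\x11" * 8) + b"\x02\x02\x08\x00" + prf)
    kdf = _tlv(0x30, oid(PBKDF2) + pbkdf2)
    enc = _tlv(0x30, oid("608648016503040102") + _tlv(0x04, b"\x22" * 16))
    alg = _tlv(0x30, oid(PBES2) + _tlv(0x30, kdf + enc))
    der = _tlv(0x30, alg + _tlv(0x04, b"\x33" * 16))
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(der).decode()
            + "-----END ENCRYPTED PRIVATE KEY-----\n")
```

Passing the contents of a generated key file to `classify_key` shows whether the `-traditional` fallback took effect: `("PKCS#1", "AES-128-CBC")` for the traditional format, `("PKCS#8", "PBKDF2 hmacWithSHA256")` for the format the commit message says old libraries reject.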