Mercurial > hg > nginx-tests
comparison ssl_certificate_chain.t @ 686:0af386a519d2
Tests: tests for http ssl module with certificate chain.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 11 Sep 2015 12:57:13 +0300 |
| parents | |
| children | e9064d691790 |
comparison
equal
deleted
inserted
replaced
| 685:fdc748de6fad | 686:0af386a519d2 |
|---|---|
| 1 #!/usr/bin/perl | |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Nginx, Inc. | |
| 5 | |
| 6 # Tests for http ssl module with certificate chain. | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 16 | |
| 17 use lib 'lib'; | |
| 18 use Test::Nginx; | |
| 19 | |
| 20 ############################################################################### | |
| 21 | |
| 22 select STDERR; $| = 1; | |
| 23 select STDOUT; $| = 1; | |
| 24 | |
| 25 eval { require IO::Socket::SSL; }; | |
| 26 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
| 27 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; | |
| 28 plan(skip_all => 'IO::Socket::SSL too old') if $@; | |
| 29 | |
| 30 my $t = Test::Nginx->new()->has(qw/http http_ssl/) | |
| 31 ->has_daemon('openssl')->plan(3); | |
| 32 | |
| 33 $t->write_file_expand('nginx.conf', <<'EOF'); | |
| 34 | |
| 35 %%TEST_GLOBALS%% | |
| 36 | |
| 37 daemon off; | |
| 38 | |
| 39 events { | |
| 40 } | |
| 41 | |
| 42 http { | |
| 43 %%TEST_GLOBALS_HTTP%% | |
| 44 | |
| 45 server { | |
| 46 listen 127.0.0.1:8081 ssl; | |
| 47 server_name localhost; | |
| 48 | |
| 49 ssl_certificate_key end.key; | |
| 50 ssl_certificate end.crt; | |
| 51 } | |
| 52 | |
| 53 server { | |
| 54 listen 127.0.0.1:8082 ssl; | |
| 55 server_name localhost; | |
| 56 | |
| 57 ssl_certificate_key int.key; | |
| 58 ssl_certificate int.crt; | |
| 59 } | |
| 60 | |
| 61 server { | |
| 62 listen 127.0.0.1:8083 ssl; | |
| 63 server_name localhost; | |
| 64 | |
| 65 ssl_certificate_key end.key; | |
| 66 ssl_certificate end-int.crt; | |
| 67 } | |
| 68 } | |
| 69 | |
| 70 EOF | |
| 71 | |
| 72 my $d = $t->testdir(); | |
| 73 | |
| 74 $t->write_file('openssl.conf', <<EOF); | |
| 75 [ req ] | |
| 76 default_bits = 2048 | |
| 77 encrypt_key = no | |
| 78 distinguished_name = req_distinguished_name | |
| 79 [ req_distinguished_name ] | |
| 80 EOF | |
| 81 | |
| 82 $t->write_file('ca.conf', <<EOF); | |
| 83 [ ca ] | |
| 84 default_ca = myca | |
| 85 | |
| 86 [ myca ] | |
| 87 new_certs_dir = $d | |
| 88 database = $d/certindex | |
| 89 default_md = sha1 | |
| 90 policy = myca_policy | |
| 91 serial = $d/certserial | |
| 92 default_days = 1 | |
| 93 x509_extensions = myca_extensions | |
| 94 | |
| 95 [ myca_policy ] | |
| 96 commonName = supplied | |
| 97 | |
| 98 [ myca_extensions ] | |
| 99 basicConstraints = critical,CA:TRUE | |
| 100 EOF | |
| 101 | |
| 102 foreach my $name ('root') { | |
| 103 system('openssl req -x509 -new ' | |
| 104 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
| 105 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
| 106 . ">>$d/openssl.out 2>&1") == 0 | |
| 107 or die "Can't create certificate for $name: $!\n"; | |
| 108 } | |
| 109 | |
| 110 foreach my $name ('int', 'end') { | |
| 111 system("openssl req -new " | |
| 112 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
| 113 . "-out '$d/$name.csr' -keyout '$d/$name.key' " | |
| 114 . ">>$d/openssl.out 2>&1") == 0 | |
| 115 or die "Can't create certificate for $name: $!\n"; | |
| 116 } | |
| 117 | |
| 118 $t->write_file('certserial', '1000'); | |
| 119 $t->write_file('certindex', ''); | |
| 120 | |
| 121 system("openssl ca -batch -config '$d/ca.conf' " | |
| 122 . "-keyfile '$d/root.key' -cert '$d/root.crt' " | |
| 123 . "-subj '/CN=int/' -in '$d/int.csr' -out '$d/int.crt' " | |
| 124 . ">>$d/openssl.out 2>&1") == 0 | |
| 125 or die "Can't sign certificate for int: $!\n"; | |
| 126 | |
| 127 system("openssl ca -batch -config '$d/ca.conf' " | |
| 128 . "-keyfile '$d/int.key' -cert '$d/int.crt' " | |
| 129 . "-subj '/CN=end/' -in '$d/end.csr' -out '$d/end.crt' " | |
| 130 . ">>$d/openssl.out 2>&1") == 0 | |
| 131 or die "Can't sign certificate for end: $!\n"; | |
| 132 | |
| 133 $t->write_file('end-int.crt', | |
| 134 $t->read_file('end.crt') . $t->read_file('int.crt')); | |
| 135 | |
| 136 $t->run(); | |
| 137 | |
| 138 ############################################################################### | |
| 139 | |
| 140 is(get_ssl_socket(8081), undef, 'incomplete chain'); | |
| 141 ok(get_ssl_socket(8082), 'intermediate'); | |
| 142 ok(get_ssl_socket(8083), 'intermediate server'); | |
| 143 | |
| 144 ############################################################################### | |
| 145 | |
| 146 sub get_ssl_socket { | |
| 147 my ($port) = @_; | |
| 148 my ($s, $verify); | |
| 149 | |
| 150 eval { | |
| 151 local $SIG{ALRM} = sub { die "timeout\n" }; | |
| 152 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
| 153 alarm(2); | |
| 154 $s = IO::Socket::SSL->new( | |
| 155 Proto => 'tcp', | |
| 156 PeerAddr => '127.0.0.1', | |
| 157 PeerPort => $port, | |
| 158 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER(), | |
| 159 SSL_ca_file => "$d/root.crt", | |
| 160 SSL_verify_callback => sub { | |
| 161 my ($ok) = @_; | |
| 162 $verify = $ok; | |
| 163 return $ok; | |
| 164 }, | |
| 165 SSL_error_trap => sub { die $_[1] } | |
| 166 ); | |
| 167 alarm(0); | |
| 168 }; | |
| 169 alarm(0); | |
| 170 | |
| 171 if ($@) { | |
| 172 log_in("died: $@"); | |
| 173 return undef; | |
| 174 } | |
| 175 | |
| 176 return $verify; | |
| 177 } | |
| 178 | |
| 179 ############################################################################### |