comparison ssl_engine_keys.t @ 516:2bc470a58621

Tests: test for loading "engine:..." keys.
author Sergey Kandaurov <pluknet@nginx.com>
date Tue, 23 Dec 2014 18:31:03 +0300
parents
children 907e89fba9c3
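--- a/ssl_engine_keys.t
+++ b/ssl_engine_keys.t
@@ -0,0 +1,129 @@
+#!/usr/bin/perl
+
+# (C) Sergey Kandaurov
+# (C) Nginx, Inc.
+
+# Tests for http ssl module, loading "engine:..." keys.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+plan(skip_all => 'win32') if $^O eq 'MSWin32';
+
+plan(skip_all => 'may not work, leaves coredump')
+unless $ENV{TEST_NGINX_UNSAFE};
+
+my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl')
+->has_daemon('softhsm')->has_daemon('pkcs11-tool')->plan(1);
+
+$t->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+http {
+%%TEST_GLOBALS_HTTP%%
+
+server {
+listen 127.0.0.1:8443 ssl;
+listen 127.0.0.1:8080;
+server_name localhost;
+
+ssl_certificate_key engine:pkcs11:slot_0-id_00;
+ssl_certificate localhost.crt;
+
+location / {
+# index index.html by default
+}
+location /proxy {
+proxy_pass https://127.0.0.1:8443/;
+}
+}
+}
+
+EOF
+
+# Create a SoftHSM token with a secret key, and configure OpenSSL
+# to access it using the pkcs11 engine, see detailed example
+# posted by Dmitrii Pichulin here:
+#
+# http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
+#
+# Note that library paths may differ on different systems,
+# and may need to be adjusted.
+
+$t->write_file('openssl.conf', <<EOF);
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
+MODULE_PATH = /usr/local/lib/softhsm/libsofthsm.so
+init = 0
+PIN = 1234
+
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+EOF
+
+my $d = $t->testdir();
+
+$t->write_file('softhsm.conf', <<EOF);
+0:$d/slot0.db
+EOF
+
+$ENV{SOFTHSM_CONF} = "$d/softhsm.conf";
+$ENV{OPENSSL_CONF} = "$d/openssl.conf";
+
+foreach my $name ('localhost') {
+system('softhsm --init-token --slot 0 --label "NginxZero" '
+. '--pin 1234 --so-pin 1234 '
+. ">>$d/openssl.out 2>&1");
+
+system('pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm.so '
+. '-p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:2048 '
+. ">>$d/openssl.out 2>&1");
+
+system('openssl req -x509 -new -engine pkcs11 '
+. "-config '$d/openssl.conf' -subj '/CN=$name/' "
+. "-out '$d/$name.crt' -keyform engine -text -key id_00 "
+. ">>$d/openssl.out 2>&1") == 0
+or die "Can't create certificate for $name: $!\n";
+}
+
+$t->try_run('no ssl_certificate_key engine');
+
+$t->write_file('index.html', '');
+
+###############################################################################
+
+like(http_get('/proxy'), qr/200 OK/, 'ssl engine keys');
+
+###############################################################################
+###############################################################################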
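Review bot: The `softhsm --init-token` and `pkcs11-tool ... -k` calls at lines 106–112 discard their exit status, so a failed token initialisation or key generation is only noticed later as an opaque failure of the `openssl req` step, with the real cause buried in openssl.out; each should end the same way the openssl call does, e.g. `) == 0 or die "Can't init token: $?\n";` and `) == 0 or die "Can't create key for $name: $?\n";`. Relatedly, the `die` at line 118 reports `$!`, which after `system()` is only meaningful when the child could not be spawned (return value -1); the child's exit status is in `$?`, so `or die "Can't create certificate for $name: $?\n";` gives a useful message. The hard-coded `PIN = 1234` and SO-PIN are test fixture values for a throwaway SoftHSM token, which is fine here, though a one-line comment saying so would stop readers from flagging them.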