Mercurial > hg > nginx-tests
comparison ssl_engine_keys.t @ 516:2bc470a58621
Tests: test for loading "engine:..." keys.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 23 Dec 2014 18:31:03 +0300 |
parents | |
children | 907e89fba9c3 |
comparison
equal
deleted
inserted
replaced
515:9f972a386434 | 516:2bc470a58621 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for http ssl module, loading "engine:..." keys. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
16 | |
17 use lib 'lib'; | |
18 use Test::Nginx; | |
19 | |
20 ############################################################################### | |
21 | |
22 select STDERR; $| = 1; | |
23 select STDOUT; $| = 1; | |
24 | |
25 plan(skip_all => 'win32') if $^O eq 'MSWin32'; | |
26 | |
27 plan(skip_all => 'may not work, leaves coredump') | |
28 unless $ENV{TEST_NGINX_UNSAFE}; | |
29 | |
30 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl') | |
31 ->has_daemon('softhsm')->has_daemon('pkcs11-tool')->plan(1); | |
32 | |
33 $t->write_file_expand('nginx.conf', <<'EOF'); | |
34 | |
35 %%TEST_GLOBALS%% | |
36 | |
37 daemon off; | |
38 | |
39 events { | |
40 } | |
41 | |
42 http { | |
43 %%TEST_GLOBALS_HTTP%% | |
44 | |
45 server { | |
46 listen 127.0.0.1:8443 ssl; | |
47 listen 127.0.0.1:8080; | |
48 server_name localhost; | |
49 | |
50 ssl_certificate_key engine:pkcs11:slot_0-id_00; | |
51 ssl_certificate localhost.crt; | |
52 | |
53 location / { | |
54 # index index.html by default | |
55 } | |
56 location /proxy { | |
57 proxy_pass https://127.0.0.1:8443/; | |
58 } | |
59 } | |
60 } | |
61 | |
62 EOF | |
63 | |
64 # Create a SoftHSM token with a secret key, and configure OpenSSL | |
65 # to access it using the pkcs11 engine, see detailed example | |
66 # posted by Dmitrii Pichulin here: | |
67 # | |
68 # http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html | |
69 # | |
70 # Note that library paths may differ on different systems, | |
71 # and may need to be adjusted. | |
72 | |
73 $t->write_file('openssl.conf', <<EOF); | |
74 openssl_conf = openssl_def | |
75 | |
76 [openssl_def] | |
77 engines = engine_section | |
78 | |
79 [engine_section] | |
80 pkcs11 = pkcs11_section | |
81 | |
82 [pkcs11_section] | |
83 engine_id = pkcs11 | |
84 dynamic_path = /usr/local/lib/engines/engine_pkcs11.so | |
85 MODULE_PATH = /usr/local/lib/softhsm/libsofthsm.so | |
86 init = 0 | |
87 PIN = 1234 | |
88 | |
89 [ req ] | |
90 default_bits = 2048 | |
91 encrypt_key = no | |
92 distinguished_name = req_distinguished_name | |
93 [ req_distinguished_name ] | |
94 EOF | |
95 | |
96 my $d = $t->testdir(); | |
97 | |
98 $t->write_file('softhsm.conf', <<EOF); | |
99 0:$d/slot0.db | |
100 EOF | |
101 | |
102 $ENV{SOFTHSM_CONF} = "$d/softhsm.conf"; | |
103 $ENV{OPENSSL_CONF} = "$d/openssl.conf"; | |
104 | |
105 foreach my $name ('localhost') { | |
106 system('softhsm --init-token --slot 0 --label "NginxZero" ' | |
107 . '--pin 1234 --so-pin 1234 ' | |
108 . ">>$d/openssl.out 2>&1"); | |
109 | |
110 system('pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm.so ' | |
111 . '-p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:2048 ' | |
112 . ">>$d/openssl.out 2>&1"); | |
113 | |
114 system('openssl req -x509 -new -engine pkcs11 ' | |
115 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
116 . "-out '$d/$name.crt' -keyform engine -text -key id_00 " | |
117 . ">>$d/openssl.out 2>&1") == 0 | |
118 or die "Can't create certificate for $name: $!\n"; | |
119 } | |
120 | |
121 $t->try_run('no ssl_certificate_key engine'); | |
122 | |
123 $t->write_file('index.html', ''); | |
124 | |
125 ############################################################################### | |
126 | |
127 like(http_get('/proxy'), qr/200 OK/, 'ssl engine keys'); | |
128 | |
129 ############################################################################### |