Mercurial > hg > nginx-tests

comparison ssl_verify_depth.t @ 1115:54e07593713a

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tests: ssl_verify_depth tests.
author Sergey Kandaurov <pluknet@nginx.com>
date Fri, 20 Jan 2017 14:13:46 +0300
parents
children 3e2af4dedd9c
comparison
equal deleted inserted replaced
1114:c5df4742ad40 1115:54e07593713a
1 #!/usr/bin/perl
2
3 # (C) Sergey Kandaurov
4 # (C) Nginx, Inc.
5
6 # Tests for http ssl module, ssl_verify_depth.
7
8 ###############################################################################
9
10 use warnings;
11 use strict;
12
13 use Test::More;
14
15 BEGIN { use FindBin; chdir($FindBin::Bin); }
16
17 use lib 'lib';
18 use Test::Nginx;
19
20 ###############################################################################
21
22 select STDERR; $| = 1;
23 select STDOUT; $| = 1;
24
25 eval { require IO::Socket::SSL; };
26 plan(skip_all => 'IO::Socket::SSL not installed') if $@;
27 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
28 plan(skip_all => 'IO::Socket::SSL too old') if $@;
29
30 my $t = Test::Nginx->new()->has(qw/http http_ssl/)
31 ->has_daemon('openssl')->plan(7);
32
33 $t->write_file_expand('nginx.conf', <<'EOF');
34
35 %%TEST_GLOBALS%%
36
37 daemon off;
38
39 events {
40 }
41
42 http {
43 %%TEST_GLOBALS_HTTP%%
44
45 ssl_certificate_key localhost.key;
46 ssl_certificate localhost.crt;
47
48 ssl_verify_client optional_no_ca;
49 ssl_client_certificate int-root.crt;
50
51 add_header X-Verify $ssl_client_verify;
52
53 server {
54 listen 127.0.0.1:8080 ssl;
55 server_name localhost;
56 ssl_verify_depth 0;
57 }
58
59 server {
60 listen 127.0.0.1:8081 ssl;
61 server_name localhost;
62 ssl_verify_depth 1;
63 }
64
65 server {
66 listen 127.0.0.1:8082 ssl;
67 server_name localhost;
68 ssl_verify_depth 2;
69 }
70 }
71
72 EOF
73
74 my $d = $t->testdir();
75
76 $t->write_file('openssl.conf', <<EOF);
77 [ req ]
78 default_bits = 1024
79 encrypt_key = no
80 distinguished_name = req_distinguished_name
81 [ req_distinguished_name ]
82 EOF
83
84 $t->write_file('ca.conf', <<EOF);
85 [ ca ]
86 default_ca = myca
87
88 [ myca ]
89 new_certs_dir = $d
90 database = $d/certindex
91 default_md = sha1
92 policy = myca_policy
93 serial = $d/certserial
94 default_days = 1
95 x509_extensions = myca_extensions
96
97 [ myca_policy ]
98 commonName = supplied
99
100 [ myca_extensions ]
101 basicConstraints = critical,CA:TRUE
102 EOF
103
104 foreach my $name ('root', 'localhost') {
105 system('openssl req -x509 -new '
106 . "-config '$d/openssl.conf' -subj '/CN=$name/' "
107 . "-out '$d/$name.crt' -keyout '$d/$name.key' "
108 . ">>$d/openssl.out 2>&1") == 0
109 or die "Can't create certificate for $name: $!\n";
110 }
111
112 foreach my $name ('int', 'end') {
113 system("openssl req -new "
114 . "-config '$d/openssl.conf' -subj '/CN=$name/' "
115 . "-out '$d/$name.csr' -keyout '$d/$name.key' "
116 . ">>$d/openssl.out 2>&1") == 0
117 or die "Can't create certificate for $name: $!\n";
118 }
119
120 $t->write_file('certserial', '1000');
121 $t->write_file('certindex', '');
122
123 system("openssl ca -batch -config '$d/ca.conf' "
124 . "-keyfile '$d/root.key' -cert '$d/root.crt' "
125 . "-subj '/CN=int/' -in '$d/int.csr' -out '$d/int.crt' "
126 . ">>$d/openssl.out 2>&1") == 0
127 or die "Can't sign certificate for int: $!\n";
128
129 system("openssl ca -batch -config '$d/ca.conf' "
130 . "-keyfile '$d/int.key' -cert '$d/int.crt' "
131 . "-subj '/CN=end/' -in '$d/end.csr' -out '$d/end.crt' "
132 . ">>$d/openssl.out 2>&1") == 0
133 or die "Can't sign certificate for end: $!\n";
134
135 $t->write_file('int-root.crt',
136 $t->read_file('int.crt') . $t->read_file('root.crt'));
137
138 $t->write_file('t', '');
139 $t->run();
140
141 ###############################################################################
142
143 like(get(8080, 'end'), qr/FAILED/, 'verify depth 2 max 0');
144
145 TODO: {
146 local $TODO = 'not yet';
147
148 like(get(8081, 'end'), qr/FAILED/, 'verify depth 2 max 1');
149
150 }
151
152 like(get(8082, 'end'), qr/SUCCESS/, 'verify depth 2 max 2');
153
154 like(get(8080, 'int'), qr/FAILED/, 'verify depth 1 max 0');
155 like(get(8081, 'int'), qr/SUCCESS/, 'verify depth 1 max 1');
156 like(get(8082, 'int'), qr/SUCCESS/, 'verify depth 1 max 2');
157
158 like(get(8080, 'root'), qr/SUCCESS/, 'verify depth 0 max 0');
159
160 ###############################################################################
161
162 sub get {
163 my ($port, $cert) = @_;
164 my $s = get_ssl_socket($port, $cert) or return;
165 http_get('/t', socket => $s);
166 }
167
168 sub get_ssl_socket {
169 my ($port, $cert) = @_;
170 my ($s);
171
172 eval {
173 local $SIG{ALRM} = sub { die "timeout\n" };
174 local $SIG{PIPE} = sub { die "sigpipe\n" };
175 alarm(2);
176 $s = IO::Socket::SSL->new(
177 Proto => 'tcp',
178 PeerAddr => '127.0.0.1',
179 PeerPort => port($port),
180 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
181 SSL_cert_file => "$d/$cert.crt",
182 SSL_key_file => "$d/$cert.key",
183 SSL_error_trap => sub { die $_[1] }
184 );
185 alarm(0);
186 };
187 alarm(0);
188
189 if ($@) {
190 log_in("died: $@");
191 return undef;
192 }
193
194 return $s;
195 }
196
197 ###############################################################################