Mercurial > hg > nginx-tests

comparison ssl_crl.t @ 1125:97a6cb846926

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tests: basic ssl_crl tests.
author Sergey Kandaurov <pluknet@nginx.com>
date Mon, 06 Feb 2017 19:13:49 +0300
parents
children 0af58b78df35
comparison
equal deleted inserted replaced
1124:5b22e2014f76 1125:97a6cb846926
1 #!/usr/bin/perl
2
3 # (C) Sergey Kandaurov
4 # (C) Nginx, Inc.
5
6 # Tests for http ssl module, ssl_crl directive.
7
8 ###############################################################################
9
10 use warnings;
11 use strict;
12
13 use Test::More;
14
15 BEGIN { use FindBin; chdir($FindBin::Bin); }
16
17 use lib 'lib';
18 use Test::Nginx;
19
20 ###############################################################################
21
22 select STDERR; $| = 1;
23 select STDOUT; $| = 1;
24
25 eval { require IO::Socket::SSL; };
26 plan(skip_all => 'IO::Socket::SSL not installed') if $@;
27 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
28 plan(skip_all => 'IO::Socket::SSL too old') if $@;
29
30 my $t = Test::Nginx->new()->has(qw/http http_ssl/)
31 ->has_daemon('openssl')->plan(3);
32
33 $t->write_file_expand('nginx.conf', <<'EOF');
34
35 %%TEST_GLOBALS%%
36
37 daemon off;
38
39 events {
40 }
41
42 http {
43 %%TEST_GLOBALS_HTTP%%
44
45 ssl_certificate_key localhost.key;
46 ssl_certificate localhost.crt;
47
48 ssl_verify_client on;
49 ssl_client_certificate int-root.crt;
50
51 add_header X-Verify $ssl_client_verify always;
52
53 server {
54 listen 127.0.0.1:8080 ssl;
55 server_name localhost;
56
57 ssl_client_certificate root.crt;
58 ssl_crl empty.crl;
59 }
60
61 server {
62 listen 127.0.0.1:8081 ssl;
63 server_name localhost;
64
65 ssl_client_certificate root.crt;
66 ssl_crl root.crl;
67 }
68
69 server {
70 listen 127.0.0.1:8082 ssl;
71 server_name localhost;
72
73 ssl_verify_depth 2;
74 ssl_crl root.crl;
75 }
76 }
77
78 EOF
79
80 my $d = $t->testdir();
81
82 $t->write_file('openssl.conf', <<EOF);
83 [ req ]
84 default_bits = 1024
85 encrypt_key = no
86 distinguished_name = req_distinguished_name
87 [ req_distinguished_name ]
88 EOF
89
90 $t->write_file('ca.conf', <<EOF);
91 [ ca ]
92 default_ca = myca
93
94 [ myca ]
95 new_certs_dir = $d
96 database = $d/certindex
97 default_md = sha1
98 policy = myca_policy
99 serial = $d/certserial
100 default_days = 1
101
102 [ myca_policy ]
103 commonName = supplied
104 EOF
105
106 foreach my $name ('root', 'localhost') {
107 system('openssl req -x509 -new '
108 . "-config '$d/openssl.conf' -subj '/CN=$name/' "
109 . "-out '$d/$name.crt' -keyout '$d/$name.key' "
110 . ">>$d/openssl.out 2>&1") == 0
111 or die "Can't create certificate for $name: $!\n";
112 }
113
114 foreach my $name ('int', 'end') {
115 system("openssl req -new "
116 . "-config '$d/openssl.conf' -subj '/CN=$name/' "
117 . "-out '$d/$name.csr' -keyout '$d/$name.key' "
118 . ">>$d/openssl.out 2>&1") == 0
119 or die "Can't create certificate for $name: $!\n";
120 }
121
122 $t->write_file('certserial', '1000');
123 $t->write_file('certindex', '');
124
125 system("openssl ca -batch -config '$d/ca.conf' "
126 . "-keyfile '$d/root.key' -cert '$d/root.crt' "
127 . "-subj '/CN=int/' -in '$d/int.csr' -out '$d/int.crt' "
128 . ">>$d/openssl.out 2>&1") == 0
129 or die "Can't sign certificate for int: $!\n";
130
131 system("openssl ca -batch -config '$d/ca.conf' "
132 . "-keyfile '$d/int.key' -cert '$d/int.crt' "
133 . "-subj '/CN=end/' -in '$d/end.csr' -out '$d/end.crt' "
134 . ">>$d/openssl.out 2>&1") == 0
135 or die "Can't sign certificate for end: $!\n";
136
137 system("openssl ca -gencrl -config '$d/ca.conf' "
138 . "-keyfile '$d/root.key' -cert '$d/root.crt' "
139 . "-out '$d/empty.crl' -crldays 1 "
140 . ">>$d/openssl.out 2>&1") == 0
141 or die "Can't create empty crl: $!\n";
142
143 system("openssl ca -config '$d/ca.conf' -revoke '$d/int.crt' "
144 . "-keyfile '$d/root.key' -cert '$d/root.crt' "
145 . ">>$d/openssl.out 2>&1") == 0
146 or die "Can't revoke int.crt: $!\n";
147
148 system("openssl ca -gencrl -config '$d/ca.conf' "
149 . "-keyfile '$d/root.key' -cert '$d/root.crt' "
150 . "-out '$d/root.crl' -crldays 1 "
151 . ">>$d/openssl.out 2>&1") == 0
152 or die "Can't update crl: $!\n";
153
154 $t->write_file('int-root.crt',
155 $t->read_file('int.crt') . $t->read_file('root.crt'));
156
157 $t->write_file('t', '');
158 $t->run();
159
160 ###############################################################################
161
162 like(get(8080, 'int'), qr/SUCCESS/, 'crl - no revoked certs');
163 like(get(8081, 'int'), qr/FAILED/, 'crl - client cert revoked');
164 like(get(8082, 'end'), qr/FAILED/, 'crl - intermediate cert revoked');
165
166 ###############################################################################
167
168 sub get {
169 my ($port, $cert) = @_;
170 my $s = get_ssl_socket($port, $cert) or return;
171 http_get('/t', socket => $s);
172 }
173
174 sub get_ssl_socket {
175 my ($port, $cert) = @_;
176 my ($s);
177
178 eval {
179 local $SIG{ALRM} = sub { die "timeout\n" };
180 local $SIG{PIPE} = sub { die "sigpipe\n" };
181 alarm(2);
182 $s = IO::Socket::SSL->new(
183 Proto => 'tcp',
184 PeerAddr => '127.0.0.1',
185 PeerPort => port($port),
186 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
187 SSL_cert_file => "$d/$cert.crt",
188 SSL_key_file => "$d/$cert.key",
189 SSL_error_trap => sub { die $_[1] }
190 );
191 alarm(0);
192 };
193 alarm(0);
194
195 if ($@) {
196 log_in("died: $@");
197 return undef;
198 }
199
200 return $s;
201 }
202
203 ###############################################################################