Mercurial > hg > nginx-tests
view ssl_engine_keys.t @ 1747:7f09d144d15c
Tests: updated ssl_engine_keys.t test to use SoftHSM v2.
Notably, this implies not using slots to identify keys, since
"softhsm2-util --init-token" automatically reassigns initialized token
to a new slot.
Additionally, the "-config" option of is no longer used when generating
certificates, as in OpenSSL 1.1.0 and later it conflicts with the
configuration file provided via OPENSSL_CONF and results in "conflicting
engine id" errors.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 23 Nov 2021 03:58:07 +0300 |
| parents | 144c6ce732e4 |
| children |
line wrap: on
line source
#!/usr/bin/perl # (C) Sergey Kandaurov # (C) Nginx, Inc. # Tests for http ssl module, loading "engine:..." keys. ############################################################################### use warnings; use strict; use Test::More; BEGIN { use FindBin; chdir($FindBin::Bin); } use lib 'lib'; use Test::Nginx; ############################################################################### select STDERR; $| = 1; select STDOUT; $| = 1; plan(skip_all => 'win32') if $^O eq 'MSWin32'; plan(skip_all => 'may not work, leaves coredump') unless $ENV{TEST_NGINX_UNSAFE}; my $t = Test::Nginx->new()->has(qw/http proxy http_ssl/)->has_daemon('openssl') ->has_daemon('softhsm2-util')->has_daemon('pkcs11-tool')->plan(2); $t->write_file_expand('nginx.conf', <<'EOF'); %%TEST_GLOBALS%% daemon off; events { } http { %%TEST_GLOBALS_HTTP%% server { listen 127.0.0.1:8081 ssl; listen 127.0.0.1:8080; server_name localhost; ssl_certificate localhost.crt; ssl_certificate_key engine:pkcs11:id_00; location / { # index index.html by default } location /proxy { proxy_pass https://127.0.0.1:8081/; } location /var { proxy_pass https://127.0.0.1:8082/; proxy_ssl_name localhost; proxy_ssl_server_name on; } } server { listen 127.0.0.1:8082 ssl; server_name localhost; ssl_certificate $ssl_server_name.crt; ssl_certificate_key engine:pkcs11:id_00; location / { # index index.html by default } } } EOF # Create a SoftHSM token with a secret key, and configure OpenSSL # to access it using the pkcs11 engine, see detailed example # posted by Dmitrii Pichulin here: # # http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html # # Note that library paths may differ on different systems, # and may need to be adjusted. $t->write_file('openssl.conf', <<EOF); openssl_conf = openssl_def [openssl_def] engines = engine_section [engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id = pkcs11 dynamic_path = /usr/local/lib/engines/pkcs11.so MODULE_PATH = /usr/local/lib/softhsm/libsofthsm2.so init = 1 PIN = 1234 [ req ] default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] EOF my $d = $t->testdir(); $t->write_file('softhsm2.conf', <<EOF); directories.tokendir = $d/tokens/ objectstore.backend = file EOF mkdir($d . '/tokens'); $ENV{SOFTHSM2_CONF} = "$d/softhsm2.conf"; $ENV{OPENSSL_CONF} = "$d/openssl.conf"; foreach my $name ('localhost') { system('softhsm2-util --init-token --slot 0 --label NginxZero ' . '--pin 1234 --so-pin 1234 ' . ">>$d/openssl.out 2>&1"); system('pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so ' . '-p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:2048 ' . ">>$d/openssl.out 2>&1"); system('openssl req -x509 -new ' . "-subj /CN=$name/ -out $d/$name.crt -text " . "-engine pkcs11 -keyform engine -key id_00 " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create certificate for $name: $!\n"; } $t->run(); $t->write_file('index.html', ''); ############################################################################### like(http_get('/proxy'), qr/200 OK/, 'ssl engine keys'); like(http_get('/var'), qr/200 OK/, 'ssl_certificate with variable'); ###############################################################################