nginx-tests: ssl_ocsp.t annotate

annotate ssl_ocsp.t @ 1848:727741cdff74

Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. LibreSSL does not support session reuse with TLSv1.3.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Thu, 23 Mar 2023 19:50:29 +0300
parents	a9704b9ed7a2
children	0e1865aa9b33

rev	line source
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	1 #!/usr/bin/perl
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	2
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	3 # (C) Sergey Kandaurov
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	4 # (C) Nginx, Inc.
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	5
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	6 # Tests for OCSP with client certificates.
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	7
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	8 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	9
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	10 use warnings;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	11 use strict;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	12
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	13 use Test::More;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	14
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	15 use MIME::Base64 qw/ decode_base64 /;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	16
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	17 BEGIN { use FindBin; chdir($FindBin::Bin); }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	18
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	19 use lib 'lib';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	20 use Test::Nginx;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	21
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	22 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	23
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	24 select STDERR; $\| = 1;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	25 select STDOUT; $\| = 1;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	26
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	27 eval {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	28 require Net::SSLeay;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	29 Net::SSLeay::load_error_strings();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	30 Net::SSLeay::SSLeay_add_ssl_algorithms();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	31 Net::SSLeay::randomize();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	32 Net::SSLeay::SSLeay();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	33 defined &Net::SSLeay::set_tlsext_status_type or die;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	34 };
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	35 plan(skip_all => 'Net::SSLeay not installed or too old') if $@;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	36
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	37 eval {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	38 my $ctx = Net::SSLeay::CTX_new() or die;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	39 my $ssl = Net::SSLeay::new($ctx) or die;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	40 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	41 };
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	42 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	43
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	44 my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)->has_daemon('openssl');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	45
1846 9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	46 plan(skip_all => 'no OCSP support in BoringSSL')
9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	47 if $t->has_module('BoringSSL');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	48
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	49 $t->write_file_expand('nginx.conf', <<'EOF');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	50
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	51 %%TEST_GLOBALS%%
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	52
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	53 daemon off;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	54
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	55 events {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	56 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	57
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	58 http {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	59 %%TEST_GLOBALS_HTTP%%
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	60
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	61 ssl_ocsp leaf;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	62 ssl_verify_client on;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	63 ssl_verify_depth 2;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	64 ssl_client_certificate trusted.crt;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	65
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	66 ssl_certificate_key rsa.key;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	67 ssl_certificate rsa.crt;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	68
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	69 ssl_session_cache shared:SSL:1m;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	70 ssl_session_tickets off;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	71
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	72 add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	73
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	74 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	75 listen 127.0.0.1:8443 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	76 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	77 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	78
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	79 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	80 listen 127.0.0.1:8443 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	81 server_name sni;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	82
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	83 ssl_ocsp_responder http://127.0.0.1:8082;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	84 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	85
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	86 server {
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	87 listen 127.0.0.1:8443 ssl;
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	88 server_name resolver;
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	89
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	90 ssl_ocsp on;
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	91 }
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	92
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	93 server {
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	94 listen 127.0.0.1:8444 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	95 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	96
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	97 ssl_ocsp_responder http://127.0.0.1:8081;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	98 ssl_ocsp on;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	99 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	100
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	101 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	102 listen 127.0.0.1:8445 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	103 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	104
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	105 ssl_ocsp_responder http://127.0.0.1:8082;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	106 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	107
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	108 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	109 listen 127.0.0.1:8446 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	110 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	111
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	112 ssl_ocsp_cache shared:OCSP:1m;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	113 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	114
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	115 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	116 listen 127.0.0.1:8447 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	117 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	118
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	119 ssl_ocsp_responder http://127.0.0.1:8082;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	120 ssl_client_certificate root.crt;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	121 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	122 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	123
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	124 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	125
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	126 my $d = $t->testdir();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	127 my $p = port(8081);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	128
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	129 $t->write_file('openssl.conf', <<EOF);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	130 [ req ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	131 default_bits = 2048
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	132 encrypt_key = no
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	133 distinguished_name = req_distinguished_name
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	134 [ req_distinguished_name ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	135 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	136
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	137 $t->write_file('ca.conf', <<EOF);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	138 [ ca ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	139 default_ca = myca
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	140
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	141 [ myca ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	142 new_certs_dir = $d
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	143 database = $d/certindex
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	144 default_md = sha256
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	145 policy = myca_policy
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	146 serial = $d/certserial
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	147 default_days = 1
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	148 x509_extensions = myca_extensions
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	149
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	150 [ myca_policy ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	151 commonName = supplied
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	152
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	153 [ myca_extensions ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	154 basicConstraints = critical,CA:TRUE
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	155 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	156 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	157
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	158 # variant for int.crt to trigger missing resolver
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	159
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	160 $t->write_file('ca2.conf', <<EOF);
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	161 [ ca ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	162 default_ca = myca
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	163
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	164 [ myca ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	165 new_certs_dir = $d
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	166 database = $d/certindex
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	167 default_md = sha256
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	168 policy = myca_policy
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	169 serial = $d/certserial
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	170 default_days = 1
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	171 x509_extensions = myca_extensions
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	172
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	173 [ myca_policy ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	174 commonName = supplied
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	175
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	176 [ myca_extensions ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	177 basicConstraints = critical,CA:TRUE
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	178 authorityInfoAccess = OCSP;URI:http://localhost:$p
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	179 EOF
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	180
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	181 foreach my $name ('root') {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	182 system('openssl req -x509 -new '
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	183 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	184 . "-out $d/$name.crt -keyout $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	185 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	186 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	187 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	188
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	189 foreach my $name ('int', 'end') {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	190 system("openssl req -new "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	191 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	192 . "-out $d/$name.csr -keyout $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	193 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	194 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	195 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	196
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	197 foreach my $name ('ec-end') {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	198 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	199 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	200 or die "Can't create EC param: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	201 system("openssl req -new -key $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	202 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	203 . "-out $d/$name.csr "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	204 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	205 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	206 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	207
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	208 $t->write_file('certserial', '1000');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	209 $t->write_file('certindex', '');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	210
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	211 system("openssl ca -batch -config $d/ca2.conf "
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	212 . "-keyfile $d/root.key -cert $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	213 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	214 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	215 or die "Can't sign certificate for int: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	216
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	217 system("openssl ca -batch -config $d/ca.conf "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	218 . "-keyfile $d/int.key -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	219 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	220 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	221 or die "Can't sign certificate for ec-end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	222
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	223 system("openssl ca -batch -config $d/ca.conf "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	224 . "-keyfile $d/int.key -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	225 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	226 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	227 or die "Can't sign certificate for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	228
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	229 # RFC 6960, serialNumber
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	230
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	231 system("openssl x509 -in $d/int.crt -serial -noout "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	232 . ">>$d/serial_int 2>>$d/openssl.out") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	233 or die "Can't obtain serial for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	234
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	235 my $serial_int = pack("n2", 0x0202, hex $1)
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	236 if $t->read_file('serial_int') =~ /(\d+)/;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	237
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	238 system("openssl x509 -in $d/end.crt -serial -noout "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	239 . ">>$d/serial 2>>$d/openssl.out") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	240 or die "Can't obtain serial for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	241
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	242 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	243
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	244 # ocsp end
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	245
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	246 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	247 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	248 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	249
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	250 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	251 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	252 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	253 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	254 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	255
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	256 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	257 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	258 or die "Can't create EC OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	259
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	260 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	261 . "-rsigner $d/root.crt -rkey $d/root.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	262 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	263 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	264 or die "Can't create EC OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	265
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	266 $t->write_file('trusted.crt',
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	267 $t->read_file('int.crt') . $t->read_file('root.crt'));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	268
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	269 # server cert/key
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	270
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	271 foreach my $name ('rsa') {
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	272 system('openssl req -x509 -new '
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	273 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	274 . "-out $d/$name.crt -keyout $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	275 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	276 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	277 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	278
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	279 $t->run_daemon(\&http_daemon, $t, port(8081));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	280 $t->run_daemon(\&http_daemon, $t, port(8082));
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	281 $t->run()->plan(15);
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	282
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	283 $t->waitforsocket("127.0.0.1:" . port(8081));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	284 $t->waitforsocket("127.0.0.1:" . port(8082));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	285
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	286 my $version = get_version();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	287
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	288 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	289
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	290 like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	291
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	292 # demonstrate that ocsp int request is failed due to missing resolver
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	293
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	294 like(get('end', sni => 'resolver'),
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	295 qr/400 Bad.*FAILED:certificate status request failed/s,
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	296 'ocsp many failed request');
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	297
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	298 # demonstrate that ocsp int request is actually made by failing ocsp response
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	299
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	300 like(get('end', port => 8444),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	301 qr/400 Bad.*FAILED:certificate status request failed/s,
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	302 'ocsp many failed');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	303
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	304 # now prepare valid ocsp int response
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	305
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	306 system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	307 . "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	308 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	309
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	310 system("openssl ocsp -index $d/certindex -CA $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	311 . "-rsigner $d/root.crt -rkey $d/root.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	312 . "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	313 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	314 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	315
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	316 like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	317
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	318 # store into ssl_ocsp_cache
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	319
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	320 like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	321
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	322 # revoke
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	323
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	324 system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	325 . "-keyfile $d/root.key -cert $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	326 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	327 or die "Can't revoke end.crt: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	328
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	329 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	330 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	331 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	332
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	333 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	334 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	335 . "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	336 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	337 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	338
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	339 like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	340
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	341 # with different responder where it's still valid
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	342
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	343 like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	344
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	345 # with different context to responder where it's still valid
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	346
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	347 like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	348
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	349 # with cached ocsp response it's still valid
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	350
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	351 like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	352
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	353 # ocsp end response signed with invalid (root) cert, expect HTTP 400
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	354
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	355 like(get('ec-end'),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	356 qr/400 Bad.*FAILED:certificate status request failed/s,
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	357 'root ca not trusted');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	358
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	359 # now sign ocsp end response with valid int cert
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	360
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	361 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	362 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	363 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	364 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	365 or die "Can't create EC OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	366
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	367 like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	368
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	369 my ($s, $ssl) = get('ec-end');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	370 my $ses = Net::SSLeay::get_session($ssl);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	371
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	372 TODO: {
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	373 local $TODO = 'no TLSv1.3 sessions in LibreSSL'
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	374 if $t->has_module('LibreSSL') and $version > 0x303;
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	375
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	376 like(get('ec-end', ses => $ses),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	377 qr/200 OK.*SUCCESS:r/s, 'session reused');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	378
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	379 }
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	380
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	381 # revoke with saved session
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	382
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	383 system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	384 . "-keyfile $d/root.key -cert $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	385 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	386 or die "Can't revoke end.crt: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	387
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	388 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	389 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	390 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	391
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	392 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	393 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	394 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	395 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	396 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	397
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	398 # reusing session with revoked certificate
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	399
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	400 TODO: {
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	401 local $TODO = 'no TLSv1.3 sessions in LibreSSL'
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	402 if $t->has_module('LibreSSL') and $version > 0x303;
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	403
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	404 like(get('ec-end', ses => $ses),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	405 qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	406
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	407 }
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	408
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	409 # regression test for self-signed
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	410
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	411 like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	412
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	413 # check for errors
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	414
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	415 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	416
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	417 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	418
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	419 sub get {
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	420 my ($cert, %extra) = @_;
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	421 my ($s, $ssl) = get_ssl_socket($cert, %extra);
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	422 my $cipher = Net::SSLeay::get_cipher($ssl);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	423 Test::Nginx::log_core('\|\|', "cipher: $cipher");
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	424 my $host = $extra{sni} ? $extra{sni} : 'localhost';
1846 9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	425 local $SIG{PIPE} = 'IGNORE';
9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	426 log_out("GET /serial HTTP/1.0\nHost: $host\n\n");
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	427 Net::SSLeay::write($ssl, "GET /serial HTTP/1.0\nHost: $host\n\n");
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	428 my $r = Net::SSLeay::read($ssl);
1846 9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	429 log_in($r);
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	430 $s->close();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	431 return $r unless wantarray();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	432 return ($s, $ssl);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	433 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	434
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	435 sub get_ssl_socket {
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	436 my ($cert, %extra) = @_;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	437 my $ses = $extra{ses};
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	438 my $sni = $extra{sni};
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	439 my $port = $extra{port} \|\| 8443;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	440 my $s;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	441
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	442 eval {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	443 local $SIG{ALRM} = sub { die "timeout\n" };
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	444 local $SIG{PIPE} = sub { die "sigpipe\n" };
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	445 alarm(8);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	446 $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	447 alarm(0);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	448 };
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	449 alarm(0);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	450
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	451 if ($@) {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	452 log_in("died: $@");
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	453 return undef;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	454 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	455
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	456 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	457
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	458 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	459 or die if $cert;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	460 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	461 Net::SSLeay::set_session($ssl, $ses) if defined $ses;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	462 Net::SSLeay::set_tlsext_host_name($ssl, $sni) if $sni;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	463 Net::SSLeay::set_fd($ssl, fileno($s));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	464 Net::SSLeay::connect($ssl) or die("ssl connect");
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	465 return ($s, $ssl);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	466 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	467
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	468 sub get_version {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	469 my ($s, $ssl) = get_ssl_socket();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	470 return Net::SSLeay::version($ssl);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	471 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	472
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	473 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	474
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	475 sub http_daemon {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	476 my ($t, $port) = @_;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	477 my $server = IO::Socket::INET->new(
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	478 Proto => 'tcp',
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	479 LocalHost => "127.0.0.1:$port",
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	480 Listen => 5,
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	481 Reuse => 1
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	482 )
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	483 or die "Can't create listening socket: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	484
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	485 local $SIG{PIPE} = 'IGNORE';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	486
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	487 while (my $client = $server->accept()) {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	488 $client->autoflush(1);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	489
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	490 my $headers = '';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	491 my $uri = '';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	492 my $resp;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	493
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	494 while (<$client>) {
1846 9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	495 Test::Nginx::log_core('\|\|', $_);
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	496 $headers .= $_;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	497 last if (/^\x0d?\x0a?$/);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	498 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	499
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	500 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	501 next unless $uri;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	502
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	503 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	504 my $req = decode_base64($uri);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	505
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	506 if (index($req, $serial_int) > 0) {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	507 $resp = 'int-resp';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	508
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	509 } elsif (index($req, $serial) > 0) {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	510 $resp = 'resp';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	511
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	512 # used to differentiate ssl_ocsp_responder
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	513
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	514 if ($port == port(8081) && -e "$d/revoked.der") {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	515 $resp = 'revoked';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	516 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	517
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	518 } else {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	519 $resp = 'ec-resp';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	520 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	521
1636 2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	522 next unless -s "$d/$resp.der";
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	523
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	524 # ocsp dummy handler
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	525
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	526 select undef, undef, undef, 0.02;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	527
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	528 $headers = <<"EOF";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	529 HTTP/1.1 200 OK
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	530 Connection: close
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	531 Content-Type: application/ocsp-response
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	532
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	533 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	534
1636 2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	535 local $/;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	536 open my $fh, '<', "$d/$resp.der"
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	537 or die "Can't open $resp.der: $!";
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	538 binmode $fh;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	539 my $content = <$fh>;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	540 close $fh;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	541
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	542 print $client $headers . $content;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	543 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	544 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	545
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	546 ###############################################################################

Mercurial > hg > nginx-tests

annotate ssl_ocsp.t @ 1848:727741cdff74