Tests: cleaned up ssl_ocsp.t.
Fixed verbose logging, added $SIG{PIPE} handling to avoid hangs if
the server closes the connection, fixed the SKIP message for BoringSSL.
author | Maxim Dounin <mdounin@mdounin.ru> |
date | Thu, 23 Mar 2023 19:50:24 +0300 |
parents | 5ac6efbe5552 |
children | a9704b9ed7a2 |
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for OCSP with client certificates.

###############################################################################

use warnings;
use strict;

use Test::More;

use MIME::Base64 qw/ decode_base64 /;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;

###############################################################################

# unbuffered test output so that diagnostics and results interleave in order
select STDERR; $| = 1;
select STDOUT; $| = 1;

# Net::SSLeay drives the raw TLS client in get_ssl_socket(); the presence of
# the status_type binding is used as a marker of a build new enough for
# these tests.
eval {
	require Net::SSLeay;
	Net::SSLeay::load_error_strings();
	Net::SSLeay::SSLeay_add_ssl_algorithms();
	Net::SSLeay::randomize();
	Net::SSLeay::SSLeay();
	defined &Net::SSLeay::set_tlsext_status_type or die;
};
plan(skip_all => 'Net::SSLeay not installed or too old') if $@;

# several tests select the server block by SNI, so the client must be able
# to send a server name
eval {
	my $ctx = Net::SSLeay::CTX_new() or die;
	my $ssl = Net::SSLeay::new($ctx) or die;
	Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die;
};
plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@;

# the openssl binary builds the test PKI and the canned OCSP responses below
my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)->has_daemon('openssl');

plan(skip_all => 'no OCSP support in BoringSSL')
	if $t->has_module('BoringSSL');


# nginx configuration under test.  Every listener requires a client
# certificate (ssl_verify_client on) chaining to trusted.crt (int.crt +
# root.crt, built below) and checks it via OCSP; ssl_ocsp leaf at http level
# verifies the client certificate only, ssl_ocsp on verifies the chain.
#
#   8443 'localhost'  leaf; responder taken from the certificate's AIA
#   8443 'sni'        leaf; responder overridden to the 8082 daemon
#   8443 'resolver'   ssl_ocsp on, but no resolver directive, so the
#                     hostname in int.crt's AIA (see ca2.conf) cannot be
#                     resolved and the int check fails
#   8444              ssl_ocsp on; responder 8081, which is the daemon that
#                     serves revoked.der once that file exists
#   8445              leaf; responder 8082
#   8446              leaf; responses kept in a shared ssl_ocsp_cache
#   8447              leaf; responder 8082, trusts root.crt only
#
# The X-Verify header exposes $ssl_client_verify and $ssl_session_reused;
# the like() checks below match on it (SUCCESS, FAILED:..., trailing ":r").
$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_ciphers DEFAULT:ECCdraft;

    ssl_certificate_key ec.key;
    ssl_certificate ec.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;

    server {
        listen 127.0.0.1:8443 ssl;
        server_name localhost;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        server_name sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        server_name resolver;

        ssl_ocsp on;
    }

    server {
        listen 127.0.0.1:8444 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen 127.0.0.1:8445 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen 127.0.0.1:8446 ssl;
        server_name localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen 127.0.0.1:8447 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF

my $d = $t->testdir();
my $p = port(8081);

# request template: 2048-bit keys, written unencrypted; the subject is
# always passed with -subj, hence the empty distinguished_name section
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# CA configuration: index and serial live in the test directory, issued
# certificates are valid for one day, get CA:TRUE (int.crt needs it, the
# leaves simply inherit the same extensions) and carry an AIA extension
# pointing at the OCSP daemon on 8081 by IP address, so no DNS is needed
$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
EOF

# variant for int.crt to trigger missing resolver
#
# Identical to ca.conf except that the AIA URI names "localhost" instead of
# 127.0.0.1.  int.crt is issued under this file, so a server that checks
# the whole chain (ssl_ocsp on) but has no resolver directive cannot reach
# the responder for the intermediate and the status request fails.

$t->write_file('ca2.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://localhost:$p
EOF

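# Test PKI: root (self-signed) -> int (issued under ca2.conf) -> end (RSA)
# and ec-end (P-256).  openssl output is appended to openssl.out for
# post-mortem inspection; every step aborts the test on failure.

foreach my $name ('root') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

foreach my $name ('int', 'end') {
	system("openssl req -new "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

foreach my $name ('ec-end') {
	system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create EC param: $!\n";
	system("openssl req -new -key $d/$name.key "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# CA state shared by ca.conf and ca2.conf: serials start at 0x1000
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

system("openssl ca -batch -config $d/ca2.conf "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for int: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for ec-end: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for end: $!\n";

# RFC 6960, serialNumber
#
# An OCSP request identifies the certificate by serial number, which shows
# up in the DER as INTEGER tag 0x02, length 0x02, then two bytes of value.
# http_daemon() searches the decoded request for this encoding to pick the
# canned response.  With certserial starting at 1000 the serials issued
# here contain only decimal digits, so /(\d+)/ is enough to pull the value
# out of openssl's "serial=..." line.

system("openssl x509 -in $d/int.crt -serial -noout "
	. ">>$d/serial_int 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for int: $!\n";

# "my $x = ... if COND" is undefined behaviour in perl: declare first,
# then assign conditionally.  The variables stay file-scoped for the
# daemon.
my $serial_int;
$serial_int = pack("n2", 0x0202, hex $1)
	if $t->read_file('serial_int') =~ /(\d+)/;

system("openssl x509 -in $d/end.crt -serial -noout "
	. ">>$d/serial 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for end: $!\n";

my $serial;
$serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/;

# ocsp end
#
# resp.der: good response for end.crt, signed by its issuer int.crt.
# ec-resp.der: response for ec-end.crt deliberately signed by root, which
# is neither the issuer nor a delegated responder; nginx must reject it.

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

# trust anchors for client certificate verification (ssl_client_certificate)
$t->write_file('trusted.crt',
	$t->read_file('int.crt') . $t->read_file('root.crt'));

# server cert/key
#
# self-signed; the test client installs no verify callback, so these only
# need to exist for the handshake to complete

system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
	. ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0
	or die "Can't create RSA pem: $!\n";

foreach my $name ('ec', 'rsa') {
	system("openssl req -x509 -new -key $d/$name.key "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}
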
# two identical OCSP responder stubs; which one a server block talks to is
# what distinguishes the ssl_ocsp_responder tests (see http_daemon)
$t->run_daemon(\&http_daemon, $t, port(8081));
$t->run_daemon(\&http_daemon, $t, port(8082));
$t->run()->plan(14);

$t->waitforsocket("127.0.0.1:" . port(8081));
$t->waitforsocket("127.0.0.1:" . port(8082));

# negotiated protocol version; get() needs it to choose RSA vs PSS sigalgs
my $version = get_version();

###############################################################################

# leaf-only check on the default server: end.crt is good and the 8081
# daemon named in its AIA answers with resp.der
like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');

# demonstrate that ocsp int request is failed due to missing resolver

like(get('RSA', 'end', sni => 'resolver'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed request');

# demonstrate that ocsp int request is actually made by failing ocsp response
# (int-resp.der does not exist yet, so the daemon closes without answering)

like(get('RSA', 'end', port => 8444),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed');

# now prepare valid ocsp int response

system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
	. "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/root.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('RSA', 'end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');

# store into ssl_ocsp_cache

like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');

# revoke
#
# revoked.der is only ever served by the 8081 daemon, so servers using the
# 8082 responder keep seeing the good response

system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('RSA', 'end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');

# with different responder where it's still valid

like(get('RSA', 'end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');

# with different context to responder where it's still valid

like(get('RSA', 'end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');

# with cached ocsp response it's still valid
# (the good response stored above is reused; the responder is not asked)

like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');

# ocsp end response signed with invalid (root) cert, expect HTTP 400

like(get('ECDSA', 'ec-end'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'root ca not trusted');

# now sign ocsp end response with valid int cert

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

like(get('ECDSA', 'ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');

# keep a session to resume later; ":r" in X-Verify confirms resumption
my ($s, $ssl) = get('ECDSA', 'ec-end');
my $ses = Net::SSLeay::get_session($ssl);

like(get('ECDSA', 'ec-end', ses => $ses),
	qr/200 OK.*SUCCESS:r/s, 'session reused');

# revoke with saved session

system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

# reusing session with revoked certificate
# (a resumed session must not bypass the status check)

like(get('ECDSA', 'ec-end', ses => $ses),
	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');

# regression test for self-signed
# (root.crt presented as the client certificate to a server trusting
# root.crt only; expected to pass although no canned response matches it)

like(get('RSA', 'root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');

###############################################################################

# Performs one TLS handshake with client certificate $cert (name of a
# $d/*.crt + *.key pair) using signature algorithm $type, sends a single
# request and returns the raw response.  %extra: sni, port, ses (passed on
# to get_ssl_socket).  In list context returns the (closed) socket and the
# SSL object instead, so callers can extract the session.
sub get {
	my ($type, $cert, %extra) = @_;

	# above TLS 1.2 (0x0303) plain RSA signatures are presumably not
	# negotiable, so ask for PSS there
	$type = 'PSS' if $type eq 'RSA' && $version > 0x0303;

	my ($sock, $ssl) = get_ssl_socket($type, $cert, %extra);
	Test::Nginx::log_core('||', 'cipher: ' . Net::SSLeay::get_cipher($ssl));

	my $host = $extra{sni} || 'localhost';
	my $request = "GET /serial HTTP/1.0\nHost: $host\n\n";

	# the server may drop the connection after a failed verification;
	# a write into it must not kill the test with SIGPIPE
	local $SIG{PIPE} = 'IGNORE';

	log_out($request);
	Net::SSLeay::write($ssl, $request);
	my $response = Net::SSLeay::read($ssl);
	log_in($response);

	$sock->close();

	return wantarray() ? ($sock, $ssl) : $response;
}

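# Opens a TCP connection to 127.0.0.1:port($extra{port} || 8443) and
# completes a TLS handshake on it.
#
#   $type  signature algorithm family to offer ('RSA', 'PSS', 'ECDSA') or
#          undef to leave the defaults alone
#   $cert  name of the client certificate/key pair under $d, or undef/''
#          for a handshake without client certificate
#   %extra ses => session to resume, sni => server name to send
#
# Returns ($socket, $ssl); returns nothing (undef in scalar context) after
# logging the error if the TCP connection could not be established in time.
# Dies on TLS-level failures.
sub get_ssl_socket {
	my ($type, $cert, %extra) = @_;
	my $ses = $extra{ses};
	my $sni = $extra{sni};
	my $port = $extra{port} || 8443;
	my $s;

	# bounded connect: ALRM and PIPE become exceptions so a stalled server
	# cannot hang the test.  A refused connection is reported through the
	# same path (IO::Socket leaves its message in $@) instead of surfacing
	# later as an obscure failure on an undefined socket.
	eval {
		local $SIG{ALRM} = sub { die "timeout\n" };
		local $SIG{PIPE} = sub { die "sigpipe\n" };
		alarm(8);
		$s = IO::Socket::INET->new('127.0.0.1:' . port($port))
			or die "connect: $@\n";
		alarm(0);
	};
	alarm(0);

	if ($@) {
		log_in("died: $@");
		# bare return: empty list or undef depending on context, so
		# "my ($s, $ssl) = get_ssl_socket(...)" leaves both undefined
		return;
	}

	my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");

	# steer the signature algorithm so that the client certificate under
	# test is what the server actually has to verify
	if (defined $type) {
		my $ssleay = Net::SSLeay::SSLeay();
		if ($ssleay < 0x1000200f || $ssleay == 0x20000000) {
			# no sigalgs control before OpenSSL 1.0.2 (LibreSSL reports
			# 0x20000000); fall back to restricting the cipher list
			Net::SSLeay::CTX_set_cipher_list($ctx, $type)
				or die("Failed to set cipher list");
		} else {
			# SSL_CTRL_SET_SIGALGS_LIST
			Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256')
				or die("Failed to set sigalgs");
		}
	}

	# client certificate and key, when the test supplies one.  No verify
	# callback is installed on purpose: the server certificates are
	# self-signed and the server side is what is under test here.
	Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
		or die if $cert;
	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
	Net::SSLeay::set_tlsext_host_name($ssl, $sni) if $sni;
	Net::SSLeay::set_fd($ssl, fileno($s));
	Net::SSLeay::connect($ssl) or die("ssl connect");
	return ($s, $ssl);
}
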
# Probe handshake without client certificate, only to learn which protocol
# version the server negotiates (Net::SSLeay::version() numbering).
sub get_version {
	my (undef, $ssl) = get_ssl_socket();
	return Net::SSLeay::version($ssl);
}
###############################################################################

# Minimal OCSP responder stub listening on 127.0.0.1:$port.  It handles
# OCSP-over-GET only: the DER request arrives base64- and percent-encoded
# in the request path.  The serial number inside the decoded request picks
# one of the canned responses prepared by the main script; the chosen name
# is always one of four literals, so nothing from the request ever reaches
# the file path.  If the selected file is missing or empty the connection
# is closed without a response, which is how the "failed request" tests
# are driven.
sub http_daemon {
	my ($t, $port) = @_;
	my $server = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:$port",
		Listen => 5,
		Reuse => 1
	)
		or die "Can't create listening socket: $!\n";

	# nginx may close before reading the response; don't die on write
	local $SIG{PIPE} = 'IGNORE';

	while (my $client = $server->accept()) {
		$client->autoflush(1);

		my $headers = '';
		my $uri = '';
		my $resp;

		# read request headers up to the empty line
		while (<$client>) {
			Test::Nginx::log_core('||', $_);
			$headers .= $_;
			last if (/^\x0d?\x0a?$/);
		}

		# path from the request line, without the leading slash
		$uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
		next unless $uri;

		# undo percent-encoding, then base64 (RFC 6960 A.1 GET form)
		$uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
		my $req = decode_base64($uri);

		# match on the DER-encoded serial (02 02 xx xx); "> 0" is fine,
		# the request starts with a SEQUENCE header so offset 0 never hits
		if (index($req, $serial_int) > 0) {
			$resp = 'int-resp';

		} elsif (index($req, $serial) > 0) {
			$resp = 'resp';

			# used to differentiate ssl_ocsp_responder

			if ($port == port(8081) && -e "$d/revoked.der") {
				$resp = 'revoked';
			}

		} else {
			$resp = 'ec-resp';
		}

		next unless -s "$d/$resp.der";

		# ocsp dummy handler

		# small delay, presumably so the response does not arrive before
		# nginx has finished its own bookkeeping for the request
		select undef, undef, undef, 0.02;

		$headers = <<"EOF";
HTTP/1.1 200 OK
Connection: close
Content-Type: application/ocsp-response

EOF

		# slurp the DER file in binary mode; $/ is restored at the end of
		# this iteration, before the next client is read line by line
		local $/;
		open my $fh, '<', "$d/$resp.der"
			or die "Can't open $resp.der: $!";
		binmode $fh;
		my $content = <$fh>;
		close $fh;

		print $client $headers . $content;
	}
}

###############################################################################