Mercurial > hg > nginx-tests
annotate ssl_ocsp.t @ 1846:9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Fixed verbose logging, added $SIG{PIPE} handling to avoid hangs if
the server closes connection, fixed SKIP message for BoringSSL.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 23 Mar 2023 19:50:24 +0300 |
| parents | 5ac6efbe5552 |
| children | a9704b9ed7a2 |
| rev | line source |
|---|---|
| 1570 | 1 #!/usr/bin/perl |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Nginx, Inc. | |
| 5 | |
| 6 # Tests for OCSP with client certificates. | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 use MIME::Base64 qw/ decode_base64 /; | |
| 16 | |
| 17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 18 | |
| 19 use lib 'lib'; | |
| 20 use Test::Nginx; | |
| 21 | |
| 22 ############################################################################### | |
| 23 | |
| 24 select STDERR; $| = 1; | |
| 25 select STDOUT; $| = 1; | |
| 26 | |
| 27 eval { | |
| 28 require Net::SSLeay; | |
| 29 Net::SSLeay::load_error_strings(); | |
| 30 Net::SSLeay::SSLeay_add_ssl_algorithms(); | |
| 31 Net::SSLeay::randomize(); | |
| 32 Net::SSLeay::SSLeay(); | |
| 33 defined &Net::SSLeay::set_tlsext_status_type or die; | |
| 34 }; | |
| 35 plan(skip_all => 'Net::SSLeay not installed or too old') if $@; | |
| 36 | |
| 37 eval { | |
| 38 my $ctx = Net::SSLeay::CTX_new() or die; | |
| 39 my $ssl = Net::SSLeay::new($ctx) or die; | |
| 40 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; | |
| 41 }; | |
| 42 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; | |
| 43 | |
| 44 my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)->has_daemon('openssl'); | |
| 45 | |
|
1846
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
46 plan(skip_all => 'no OCSP support in BoringSSL') |
|
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
47 if $t->has_module('BoringSSL'); |
| 1570 | 48 |
| 49 $t->write_file_expand('nginx.conf', <<'EOF'); | |
| 50 | |
| 51 %%TEST_GLOBALS%% | |
| 52 | |
| 53 daemon off; | |
| 54 | |
| 55 events { | |
| 56 } | |
| 57 | |
| 58 http { | |
| 59 %%TEST_GLOBALS_HTTP%% | |
| 60 | |
| 61 ssl_ocsp leaf; | |
| 62 ssl_verify_client on; | |
| 63 ssl_verify_depth 2; | |
| 64 ssl_client_certificate trusted.crt; | |
| 65 | |
| 66 ssl_ciphers DEFAULT:ECCdraft; | |
| 67 | |
| 68 ssl_certificate_key ec.key; | |
| 69 ssl_certificate ec.crt; | |
| 70 | |
| 71 ssl_certificate_key rsa.key; | |
| 72 ssl_certificate rsa.crt; | |
| 73 | |
| 74 ssl_session_cache shared:SSL:1m; | |
| 75 ssl_session_tickets off; | |
| 76 | |
| 77 add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always; | |
| 78 | |
| 79 server { | |
| 80 listen 127.0.0.1:8443 ssl; | |
| 81 server_name localhost; | |
| 82 } | |
| 83 | |
| 84 server { | |
| 85 listen 127.0.0.1:8443 ssl; | |
| 86 server_name sni; | |
| 87 | |
| 88 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 89 } | |
| 90 | |
| 91 server { | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
92 listen 127.0.0.1:8443 ssl; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
93 server_name resolver; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
94 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
95 ssl_ocsp on; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
96 } |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
97 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
98 server { |
| 1570 | 99 listen 127.0.0.1:8444 ssl; |
| 100 server_name localhost; | |
| 101 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
102 ssl_ocsp_responder http://127.0.0.1:8081; |
| 1570 | 103 ssl_ocsp on; |
| 104 } | |
| 105 | |
| 106 server { | |
| 107 listen 127.0.0.1:8445 ssl; | |
| 108 server_name localhost; | |
| 109 | |
| 110 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 111 } | |
| 112 | |
| 113 server { | |
| 114 listen 127.0.0.1:8446 ssl; | |
| 115 server_name localhost; | |
| 116 | |
| 117 ssl_ocsp_cache shared:OCSP:1m; | |
| 118 } | |
| 119 | |
| 120 server { | |
| 121 listen 127.0.0.1:8447 ssl; | |
| 122 server_name localhost; | |
| 123 | |
| 124 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 125 ssl_client_certificate root.crt; | |
| 126 } | |
| 127 } | |
| 128 | |
| 129 EOF | |
| 130 | |
| 131 my $d = $t->testdir(); | |
| 132 my $p = port(8081); | |
| 133 | |
| 134 $t->write_file('openssl.conf', <<EOF); | |
| 135 [ req ] | |
| 136 default_bits = 2048 | |
| 137 encrypt_key = no | |
| 138 distinguished_name = req_distinguished_name | |
| 139 [ req_distinguished_name ] | |
| 140 EOF | |
| 141 | |
| 142 $t->write_file('ca.conf', <<EOF); | |
| 143 [ ca ] | |
| 144 default_ca = myca | |
| 145 | |
| 146 [ myca ] | |
| 147 new_certs_dir = $d | |
| 148 database = $d/certindex | |
| 149 default_md = sha256 | |
| 150 policy = myca_policy | |
| 151 serial = $d/certserial | |
| 152 default_days = 1 | |
| 153 x509_extensions = myca_extensions | |
| 154 | |
| 155 [ myca_policy ] | |
| 156 commonName = supplied | |
| 157 | |
| 158 [ myca_extensions ] | |
| 159 basicConstraints = critical,CA:TRUE | |
| 160 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p | |
| 161 EOF | |
| 162 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
163 # variant for int.crt to trigger missing resolver |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
164 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
165 $t->write_file('ca2.conf', <<EOF); |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
166 [ ca ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
167 default_ca = myca |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
168 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
169 [ myca ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
170 new_certs_dir = $d |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
171 database = $d/certindex |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
172 default_md = sha256 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
173 policy = myca_policy |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
174 serial = $d/certserial |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
175 default_days = 1 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
176 x509_extensions = myca_extensions |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
177 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
178 [ myca_policy ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
179 commonName = supplied |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
180 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
181 [ myca_extensions ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
182 basicConstraints = critical,CA:TRUE |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
183 authorityInfoAccess = OCSP;URI:http://localhost:$p |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
184 EOF |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
185 |
| 1570 | 186 foreach my $name ('root') { |
| 187 system('openssl req -x509 -new ' | |
| 188 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 189 . "-out $d/$name.crt -keyout $d/$name.key " | |
| 190 . ">>$d/openssl.out 2>&1") == 0 | |
| 191 or die "Can't create certificate for $name: $!\n"; | |
| 192 } | |
| 193 | |
| 194 foreach my $name ('int', 'end') { | |
| 195 system("openssl req -new " | |
| 196 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 197 . "-out $d/$name.csr -keyout $d/$name.key " | |
| 198 . ">>$d/openssl.out 2>&1") == 0 | |
| 199 or die "Can't create certificate for $name: $!\n"; | |
| 200 } | |
| 201 | |
| 202 foreach my $name ('ec-end') { | |
| 203 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " | |
| 204 . ">>$d/openssl.out 2>&1") == 0 | |
| 205 or die "Can't create EC param: $!\n"; | |
| 206 system("openssl req -new -key $d/$name.key " | |
| 207 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 208 . "-out $d/$name.csr " | |
| 209 . ">>$d/openssl.out 2>&1") == 0 | |
| 210 or die "Can't create certificate for $name: $!\n"; | |
| 211 } | |
| 212 | |
| 213 $t->write_file('certserial', '1000'); | |
| 214 $t->write_file('certindex', ''); | |
| 215 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
216 system("openssl ca -batch -config $d/ca2.conf " |
| 1570 | 217 . "-keyfile $d/root.key -cert $d/root.crt " |
| 218 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " | |
| 219 . ">>$d/openssl.out 2>&1") == 0 | |
| 220 or die "Can't sign certificate for int: $!\n"; | |
| 221 | |
| 222 system("openssl ca -batch -config $d/ca.conf " | |
| 223 . "-keyfile $d/int.key -cert $d/int.crt " | |
| 224 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " | |
| 225 . ">>$d/openssl.out 2>&1") == 0 | |
| 226 or die "Can't sign certificate for ec-end: $!\n"; | |
| 227 | |
| 228 system("openssl ca -batch -config $d/ca.conf " | |
| 229 . "-keyfile $d/int.key -cert $d/int.crt " | |
| 230 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " | |
| 231 . ">>$d/openssl.out 2>&1") == 0 | |
| 232 or die "Can't sign certificate for end: $!\n"; | |
| 233 | |
| 234 # RFC 6960, serialNumber | |
| 235 | |
| 236 system("openssl x509 -in $d/int.crt -serial -noout " | |
| 237 . ">>$d/serial_int 2>>$d/openssl.out") == 0 | |
| 238 or die "Can't obtain serial for end: $!\n"; | |
| 239 | |
| 240 my $serial_int = pack("n2", 0x0202, hex $1) | |
| 241 if $t->read_file('serial_int') =~ /(\d+)/; | |
| 242 | |
| 243 system("openssl x509 -in $d/end.crt -serial -noout " | |
| 244 . ">>$d/serial 2>>$d/openssl.out") == 0 | |
| 245 or die "Can't obtain serial for end: $!\n"; | |
| 246 | |
| 247 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; | |
| 248 | |
| 249 # ocsp end | |
| 250 | |
| 251 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " | |
| 252 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 | |
| 253 or die "Can't create OCSP request: $!\n"; | |
| 254 | |
| 255 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 256 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 257 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " | |
| 258 . ">>$d/openssl.out 2>&1") == 0 | |
| 259 or die "Can't create OCSP response: $!\n"; | |
| 260 | |
| 261 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " | |
| 262 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 | |
| 263 or die "Can't create EC OCSP request: $!\n"; | |
| 264 | |
| 265 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 266 . "-rsigner $d/root.crt -rkey $d/root.key " | |
| 267 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 268 . ">>$d/openssl.out 2>&1") == 0 | |
| 269 or die "Can't create EC OCSP response: $!\n"; | |
| 270 | |
| 271 $t->write_file('trusted.crt', | |
| 272 $t->read_file('int.crt') . $t->read_file('root.crt')); | |
| 273 | |
| 274 # server cert/key | |
| 275 | |
| 276 system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 " | |
| 277 . ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n"; | |
| 278 system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0 | |
| 279 or die "Can't create RSA pem: $!\n"; | |
| 280 | |
| 281 foreach my $name ('ec', 'rsa') { | |
| 282 system("openssl req -x509 -new -key $d/$name.key " | |
| 283 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 284 . "-out $d/$name.crt -keyout $d/$name.key " | |
| 285 . ">>$d/openssl.out 2>&1") == 0 | |
| 286 or die "Can't create certificate for $name: $!\n"; | |
| 287 } | |
| 288 | |
| 289 $t->run_daemon(\&http_daemon, $t, port(8081)); | |
| 290 $t->run_daemon(\&http_daemon, $t, port(8082)); | |
|
1693
5ac6efbe5552
Tests: removed TODO and try_run() checks for legacy versions.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1636
diff
changeset
|
291 $t->run()->plan(14); |
| 1570 | 292 |
| 293 $t->waitforsocket("127.0.0.1:" . port(8081)); | |
| 294 $t->waitforsocket("127.0.0.1:" . port(8082)); | |
| 295 | |
| 296 my $version = get_version(); | |
| 297 | |
| 298 ############################################################################### | |
| 299 | |
| 300 like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf'); | |
| 301 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
302 # demonstrate that ocsp int request is failed due to missing resolver |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
303 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
304 like(get('RSA', 'end', sni => 'resolver'), |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
305 qr/400 Bad.*FAILED:certificate status request failed/s, |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
306 'ocsp many failed request'); |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
307 |
| 1570 | 308 # demonstrate that ocsp int request is actually made by failing ocsp response |
| 309 | |
| 310 like(get('RSA', 'end', port => 8444), | |
| 311 qr/400 Bad.*FAILED:certificate status request failed/s, | |
| 312 'ocsp many failed'); | |
| 313 | |
| 314 # now prepare valid ocsp int response | |
| 315 | |
| 316 system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt " | |
| 317 . "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0 | |
| 318 or die "Can't create OCSP request: $!\n"; | |
| 319 | |
| 320 system("openssl ocsp -index $d/certindex -CA $d/root.crt " | |
| 321 . "-rsigner $d/root.crt -rkey $d/root.key " | |
| 322 . "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 " | |
| 323 . ">>$d/openssl.out 2>&1") == 0 | |
| 324 or die "Can't create OCSP response: $!\n"; | |
| 325 | |
| 326 like(get('RSA', 'end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many'); | |
| 327 | |
| 328 # store into ssl_ocsp_cache | |
| 329 | |
| 330 like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store'); | |
| 331 | |
| 332 # revoke | |
| 333 | |
| 334 system("openssl ca -config $d/ca.conf -revoke $d/end.crt " | |
| 335 . "-keyfile $d/root.key -cert $d/root.crt " | |
| 336 . ">>$d/openssl.out 2>&1") == 0 | |
| 337 or die "Can't revoke end.crt: $!\n"; | |
| 338 | |
| 339 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " | |
| 340 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 | |
| 341 or die "Can't create OCSP request: $!\n"; | |
| 342 | |
| 343 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 344 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 345 . "-reqin $d/req.der -respout $d/revoked.der -ndays 1 " | |
| 346 . ">>$d/openssl.out 2>&1") == 0 | |
| 347 or die "Can't create OCSP response: $!\n"; | |
| 348 | |
| 349 like(get('RSA', 'end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked'); | |
| 350 | |
| 351 # with different responder where it's still valid | |
| 352 | |
| 353 like(get('RSA', 'end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder'); | |
| 354 | |
| 355 # with different context to responder where it's still valid | |
| 356 | |
| 357 like(get('RSA', 'end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context'); | |
| 358 | |
| 359 # with cached ocsp response it's still valid | |
| 360 | |
| 361 like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup'); | |
| 362 | |
| 363 # ocsp end response signed with invalid (root) cert, expect HTTP 400 | |
| 364 | |
| 365 like(get('ECDSA', 'ec-end'), | |
| 366 qr/400 Bad.*FAILED:certificate status request failed/s, | |
| 367 'root ca not trusted'); | |
| 368 | |
| 369 # now sign ocsp end response with valid int cert | |
| 370 | |
| 371 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 372 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 373 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 374 . ">>$d/openssl.out 2>&1") == 0 | |
| 375 or die "Can't create EC OCSP response: $!\n"; | |
| 376 | |
| 377 like(get('ECDSA', 'ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa'); | |
| 378 | |
| 379 my ($s, $ssl) = get('ECDSA', 'ec-end'); | |
| 380 my $ses = Net::SSLeay::get_session($ssl); | |
| 381 | |
| 382 like(get('ECDSA', 'ec-end', ses => $ses), | |
| 383 qr/200 OK.*SUCCESS:r/s, 'session reused'); | |
| 384 | |
| 385 # revoke with saved session | |
| 386 | |
| 387 system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt " | |
| 388 . "-keyfile $d/root.key -cert $d/root.crt " | |
| 389 . ">>$d/openssl.out 2>&1") == 0 | |
| 390 or die "Can't revoke end.crt: $!\n"; | |
| 391 | |
| 392 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " | |
| 393 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 | |
| 394 or die "Can't create OCSP request: $!\n"; | |
| 395 | |
| 396 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 397 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 398 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 399 . ">>$d/openssl.out 2>&1") == 0 | |
| 400 or die "Can't create OCSP response: $!\n"; | |
| 401 | |
| 402 # reusing session with revoked certificate | |
| 403 | |
| 404 like(get('ECDSA', 'ec-end', ses => $ses), | |
| 405 qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked'); | |
| 406 | |
| 407 # regression test for self-signed | |
| 408 | |
| 409 like(get('RSA', 'root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one'); | |
| 410 | |
| 411 ############################################################################### | |
| 412 | |
| 413 sub get { | |
| 414 my ($type, $cert, %extra) = @_; | |
| 415 $type = 'PSS' if $type eq 'RSA' && $version > 0x0303; | |
| 416 my ($s, $ssl) = get_ssl_socket($type, $cert, %extra); | |
| 417 my $cipher = Net::SSLeay::get_cipher($ssl); | |
| 418 Test::Nginx::log_core('||', "cipher: $cipher"); | |
| 419 my $host = $extra{sni} ? $extra{sni} : 'localhost'; | |
|
1846
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
420 local $SIG{PIPE} = 'IGNORE'; |
|
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
421 log_out("GET /serial HTTP/1.0\nHost: $host\n\n"); |
| 1570 | 422 Net::SSLeay::write($ssl, "GET /serial HTTP/1.0\nHost: $host\n\n"); |
| 423 my $r = Net::SSLeay::read($ssl); | |
|
1846
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
424 log_in($r); |
| 1570 | 425 $s->close(); |
| 426 return $r unless wantarray(); | |
| 427 return ($s, $ssl); | |
| 428 } | |
| 429 | |
| 430 sub get_ssl_socket { | |
| 431 my ($type, $cert, %extra) = @_; | |
| 432 my $ses = $extra{ses}; | |
| 433 my $sni = $extra{sni}; | |
| 434 my $port = $extra{port} || 8443; | |
| 435 my $s; | |
| 436 | |
| 437 eval { | |
| 438 local $SIG{ALRM} = sub { die "timeout\n" }; | |
| 439 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
| 440 alarm(8); | |
| 441 $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); | |
| 442 alarm(0); | |
| 443 }; | |
| 444 alarm(0); | |
| 445 | |
| 446 if ($@) { | |
| 447 log_in("died: $@"); | |
| 448 return undef; | |
| 449 } | |
| 450 | |
| 451 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
| 452 | |
| 453 if (defined $type) { | |
| 454 my $ssleay = Net::SSLeay::SSLeay(); | |
| 455 if ($ssleay < 0x1000200f || $ssleay == 0x20000000) { | |
| 456 Net::SSLeay::CTX_set_cipher_list($ctx, $type) | |
| 457 or die("Failed to set cipher list"); | |
| 458 } else { | |
| 459 # SSL_CTRL_SET_SIGALGS_LIST | |
| 460 Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256') | |
| 461 or die("Failed to set sigalgs"); | |
| 462 } | |
| 463 } | |
| 464 | |
| 465 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key") | |
| 466 or die if $cert; | |
| 467 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | |
| 468 Net::SSLeay::set_session($ssl, $ses) if defined $ses; | |
| 469 Net::SSLeay::set_tlsext_host_name($ssl, $sni) if $sni; | |
| 470 Net::SSLeay::set_fd($ssl, fileno($s)); | |
| 471 Net::SSLeay::connect($ssl) or die("ssl connect"); | |
| 472 return ($s, $ssl); | |
| 473 } | |
| 474 | |
| 475 sub get_version { | |
| 476 my ($s, $ssl) = get_ssl_socket(); | |
| 477 return Net::SSLeay::version($ssl); | |
| 478 } | |
| 479 | |
| 480 ############################################################################### | |
| 481 | |
| 482 sub http_daemon { | |
| 483 my ($t, $port) = @_; | |
| 484 my $server = IO::Socket::INET->new( | |
| 485 Proto => 'tcp', | |
| 486 LocalHost => "127.0.0.1:$port", | |
| 487 Listen => 5, | |
| 488 Reuse => 1 | |
| 489 ) | |
| 490 or die "Can't create listening socket: $!\n"; | |
| 491 | |
| 492 local $SIG{PIPE} = 'IGNORE'; | |
| 493 | |
| 494 while (my $client = $server->accept()) { | |
| 495 $client->autoflush(1); | |
| 496 | |
| 497 my $headers = ''; | |
| 498 my $uri = ''; | |
| 499 my $resp; | |
| 500 | |
| 501 while (<$client>) { | |
|
1846
9d98c2ad3126
Tests: cleaned up ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1693
diff
changeset
|
502 Test::Nginx::log_core('||', $_); |
| 1570 | 503 $headers .= $_; |
| 504 last if (/^\x0d?\x0a?$/); | |
| 505 } | |
| 506 | |
| 507 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i; | |
| 508 next unless $uri; | |
| 509 | |
| 510 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; | |
| 511 my $req = decode_base64($uri); | |
| 512 | |
| 513 if (index($req, $serial_int) > 0) { | |
| 514 $resp = 'int-resp'; | |
| 515 | |
| 516 } elsif (index($req, $serial) > 0) { | |
| 517 $resp = 'resp'; | |
| 518 | |
| 519 # used to differentiate ssl_ocsp_responder | |
| 520 | |
| 521 if ($port == port(8081) && -e "$d/revoked.der") { | |
| 522 $resp = 'revoked'; | |
| 523 } | |
| 524 | |
| 525 } else { | |
| 526 $resp = 'ec-resp'; | |
| 527 } | |
| 528 | |
|
1636
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
529 next unless -s "$d/$resp.der"; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
530 |
| 1570 | 531 # ocsp dummy handler |
| 532 | |
| 533 select undef, undef, undef, 0.02; | |
| 534 | |
| 535 $headers = <<"EOF"; | |
| 536 HTTP/1.1 200 OK | |
| 537 Connection: close | |
| 538 Content-Type: application/ocsp-response | |
| 539 | |
| 540 EOF | |
| 541 | |
|
1636
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
542 local $/; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
543 open my $fh, '<', "$d/$resp.der" |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
544 or die "Can't open $resp.der: $!"; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
545 binmode $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
546 my $content = <$fh>; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
547 close $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
548 |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1577
diff
changeset
|
549 print $client $headers . $content; |
| 1570 | 550 } |
| 551 } | |
| 552 | |
| 553 ############################################################################### |