Mercurial > hg > nginx-tests
annotate ssl_engine_keys.t @ 1328:a682c219af45
Tests: updated ssl_engine_keys.t test.
After merge with libp11, pkcs11 engine shared object was renamed
from "engine_pkcs11.so" to "pkcs11.so". Changed configuration
accordingly.
Additionally, changed "init" to "1" in the engine configuration. This
keeps pkcs11 engine loaded and prevents segmentation faults observed
during nginx shutdown.
While here, restored correct order of ssl_certificate and ssl_certificate_key.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 22 May 2018 17:46:59 +0300 |
parents | 0af58b78df35 |
children | 44973a23b031 |
rev | line source |
---|---|
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for http ssl module, loading "engine:..." keys. |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 BEGIN { use FindBin; chdir($FindBin::Bin); } |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 use lib 'lib'; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 use Test::Nginx; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 ############################################################################### |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 select STDERR; $| = 1; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 select STDOUT; $| = 1; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 plan(skip_all => 'win32') if $^O eq 'MSWin32'; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
27 plan(skip_all => 'may not work, leaves coredump') |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
28 unless $ENV{TEST_NGINX_UNSAFE}; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 |
914
3ac4036b139d
Tests: fixed proxy prerequisites.
Sergey Kandaurov <pluknet@nginx.com>
parents:
568
diff
changeset
|
30 my $t = Test::Nginx->new()->has(qw/http proxy http_ssl/)->has_daemon('openssl') |
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
31 ->has_daemon('softhsm')->has_daemon('pkcs11-tool')->plan(1); |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
32 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 $t->write_file_expand('nginx.conf', <<'EOF'); |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
34 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 %%TEST_GLOBALS%% |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 daemon off; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 events { |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 } |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 http { |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 %%TEST_GLOBALS_HTTP%% |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 server { |
974
882267679006
Tests: simplified parallel modifications in tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
952
diff
changeset
|
46 listen 127.0.0.1:8081 ssl; |
882267679006
Tests: simplified parallel modifications in tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
952
diff
changeset
|
47 listen 127.0.0.1:8080; |
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 server_name localhost; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 |
1328
a682c219af45
Tests: updated ssl_engine_keys.t test.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1220
diff
changeset
|
50 ssl_certificate localhost.crt; |
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 ssl_certificate_key engine:pkcs11:slot_0-id_00; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 location / { |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 # index index.html by default |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 } |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 location /proxy { |
974
882267679006
Tests: simplified parallel modifications in tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
952
diff
changeset
|
57 proxy_pass https://127.0.0.1:8081/; |
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 } |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
59 } |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
60 } |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
61 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 EOF |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
63 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 # Create a SoftHSM token with a secret key, and configure OpenSSL |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 # to access it using the pkcs11 engine, see detailed example |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 # posted by Dmitrii Pichulin here: |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 # |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 # http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 # |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 # Note that library paths may differ on different systems, |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 # and may need to be adjusted. |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 $t->write_file('openssl.conf', <<EOF); |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 openssl_conf = openssl_def |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 [openssl_def] |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 engines = engine_section |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 [engine_section] |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 pkcs11 = pkcs11_section |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 [pkcs11_section] |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 engine_id = pkcs11 |
1328
a682c219af45
Tests: updated ssl_engine_keys.t test.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1220
diff
changeset
|
84 dynamic_path = /usr/local/lib/engines/pkcs11.so |
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 MODULE_PATH = /usr/local/lib/softhsm/libsofthsm.so |
1328
a682c219af45
Tests: updated ssl_engine_keys.t test.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1220
diff
changeset
|
86 init = 1 |
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 PIN = 1234 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 [ req ] |
1116
8ef51dbb5d69
Tests: reduced OpenSSL default key length to 1024.
Sergey Kandaurov <pluknet@nginx.com>
parents:
974
diff
changeset
|
90 default_bits = 1024 |
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 encrypt_key = no |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
92 distinguished_name = req_distinguished_name |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 [ req_distinguished_name ] |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 EOF |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
96 my $d = $t->testdir(); |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 $t->write_file('softhsm.conf', <<EOF); |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 0:$d/slot0.db |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
100 EOF |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 $ENV{SOFTHSM_CONF} = "$d/softhsm.conf"; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 $ENV{OPENSSL_CONF} = "$d/openssl.conf"; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 foreach my $name ('localhost') { |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 system('softhsm --init-token --slot 0 --label "NginxZero" ' |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
107 . '--pin 1234 --so-pin 1234 ' |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
108 . ">>$d/openssl.out 2>&1"); |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 system('pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm.so ' |
1140
778eae8230e4
Tests: reduced OpenSSL default key length to 1024.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
1116
diff
changeset
|
111 . '-p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:1024 ' |
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 . ">>$d/openssl.out 2>&1"); |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 system('openssl req -x509 -new -engine pkcs11 ' |
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1140
diff
changeset
|
115 . "-config $d/openssl.conf -subj /CN=$name/ " |
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1140
diff
changeset
|
116 . "-out $d/$name.crt -keyform engine -text -key id_00 " |
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 . ">>$d/openssl.out 2>&1") == 0 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 or die "Can't create certificate for $name: $!\n"; |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 } |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 |
568
907e89fba9c3
Tests: removed TODO and try_run() checks for legacy versions.
Sergey Kandaurov <pluknet@nginx.com>
parents:
516
diff
changeset
|
121 $t->run(); |
516
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 $t->write_file('index.html', ''); |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
124 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
125 ############################################################################### |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
126 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
127 like(http_get('/proxy'), qr/200 OK/, 'ssl engine keys'); |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
128 |
2bc470a58621
Tests: test for loading "engine:..." keys.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 ############################################################################### |