Mercurial > hg > nginx-tests
annotate ssl_ocsp.t @ 1606:e4e0695552ed
Tests: fixed stream_proxy_ssl_conf_command.t.
The stream_proxy_ssl_conf_command.t test used stream return module
to return the response. Since this ignores actual request, but the
perl test code used http_get(). This might result in the request being
sent after the response is returned and the connection closed by the server,
resulting in RST being generated and no response seen by the client at all.
Fix is to use "stream(...)->read()" instead of http_get(), so
no request is sent at all, eliminating possibility of RST being
generated.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 10 Nov 2020 05:03:29 +0300 |
| parents | 804a7409bc63 |
| children | 2d371452658c |
| rev | line source |
|---|---|
| 1570 | 1 #!/usr/bin/perl |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Nginx, Inc. | |
| 5 | |
| 6 # Tests for OCSP with client certificates. | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 use MIME::Base64 qw/ decode_base64 /; | |
| 16 | |
| 17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 18 | |
| 19 use lib 'lib'; | |
| 20 use Test::Nginx; | |
| 21 | |
| 22 ############################################################################### | |
| 23 | |
| 24 select STDERR; $| = 1; | |
| 25 select STDOUT; $| = 1; | |
| 26 | |
| 27 eval { | |
| 28 require Net::SSLeay; | |
| 29 Net::SSLeay::load_error_strings(); | |
| 30 Net::SSLeay::SSLeay_add_ssl_algorithms(); | |
| 31 Net::SSLeay::randomize(); | |
| 32 Net::SSLeay::SSLeay(); | |
| 33 defined &Net::SSLeay::set_tlsext_status_type or die; | |
| 34 }; | |
| 35 plan(skip_all => 'Net::SSLeay not installed or too old') if $@; | |
| 36 | |
| 37 eval { | |
| 38 my $ctx = Net::SSLeay::CTX_new() or die; | |
| 39 my $ssl = Net::SSLeay::new($ctx) or die; | |
| 40 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; | |
| 41 }; | |
| 42 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; | |
| 43 | |
| 44 my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)->has_daemon('openssl'); | |
| 45 | |
| 46 plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL'); | |
| 47 | |
| 48 $t->write_file_expand('nginx.conf', <<'EOF'); | |
| 49 | |
| 50 %%TEST_GLOBALS%% | |
| 51 | |
| 52 daemon off; | |
| 53 | |
| 54 events { | |
| 55 } | |
| 56 | |
| 57 http { | |
| 58 %%TEST_GLOBALS_HTTP%% | |
| 59 | |
| 60 ssl_ocsp leaf; | |
| 61 ssl_verify_client on; | |
| 62 ssl_verify_depth 2; | |
| 63 ssl_client_certificate trusted.crt; | |
| 64 | |
| 65 ssl_ciphers DEFAULT:ECCdraft; | |
| 66 | |
| 67 ssl_certificate_key ec.key; | |
| 68 ssl_certificate ec.crt; | |
| 69 | |
| 70 ssl_certificate_key rsa.key; | |
| 71 ssl_certificate rsa.crt; | |
| 72 | |
| 73 ssl_session_cache shared:SSL:1m; | |
| 74 ssl_session_tickets off; | |
| 75 | |
| 76 add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always; | |
| 77 | |
| 78 server { | |
| 79 listen 127.0.0.1:8443 ssl; | |
| 80 server_name localhost; | |
| 81 } | |
| 82 | |
| 83 server { | |
| 84 listen 127.0.0.1:8443 ssl; | |
| 85 server_name sni; | |
| 86 | |
| 87 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 88 } | |
| 89 | |
| 90 server { | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
91 listen 127.0.0.1:8443 ssl; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
92 server_name resolver; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
93 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
94 ssl_ocsp on; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
95 } |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
96 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
97 server { |
| 1570 | 98 listen 127.0.0.1:8444 ssl; |
| 99 server_name localhost; | |
| 100 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
101 ssl_ocsp_responder http://127.0.0.1:8081; |
| 1570 | 102 ssl_ocsp on; |
| 103 } | |
| 104 | |
| 105 server { | |
| 106 listen 127.0.0.1:8445 ssl; | |
| 107 server_name localhost; | |
| 108 | |
| 109 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 110 } | |
| 111 | |
| 112 server { | |
| 113 listen 127.0.0.1:8446 ssl; | |
| 114 server_name localhost; | |
| 115 | |
| 116 ssl_ocsp_cache shared:OCSP:1m; | |
| 117 } | |
| 118 | |
| 119 server { | |
| 120 listen 127.0.0.1:8447 ssl; | |
| 121 server_name localhost; | |
| 122 | |
| 123 ssl_ocsp_responder http://127.0.0.1:8082; | |
| 124 ssl_client_certificate root.crt; | |
| 125 } | |
| 126 } | |
| 127 | |
| 128 EOF | |
| 129 | |
| 130 my $d = $t->testdir(); | |
| 131 my $p = port(8081); | |
| 132 | |
| 133 $t->write_file('openssl.conf', <<EOF); | |
| 134 [ req ] | |
| 135 default_bits = 2048 | |
| 136 encrypt_key = no | |
| 137 distinguished_name = req_distinguished_name | |
| 138 [ req_distinguished_name ] | |
| 139 EOF | |
| 140 | |
| 141 $t->write_file('ca.conf', <<EOF); | |
| 142 [ ca ] | |
| 143 default_ca = myca | |
| 144 | |
| 145 [ myca ] | |
| 146 new_certs_dir = $d | |
| 147 database = $d/certindex | |
| 148 default_md = sha256 | |
| 149 policy = myca_policy | |
| 150 serial = $d/certserial | |
| 151 default_days = 1 | |
| 152 x509_extensions = myca_extensions | |
| 153 | |
| 154 [ myca_policy ] | |
| 155 commonName = supplied | |
| 156 | |
| 157 [ myca_extensions ] | |
| 158 basicConstraints = critical,CA:TRUE | |
| 159 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p | |
| 160 EOF | |
| 161 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
162 # variant for int.crt to trigger missing resolver |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
163 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
164 $t->write_file('ca2.conf', <<EOF); |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
165 [ ca ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
166 default_ca = myca |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
167 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
168 [ myca ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
169 new_certs_dir = $d |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
170 database = $d/certindex |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
171 default_md = sha256 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
172 policy = myca_policy |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
173 serial = $d/certserial |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
174 default_days = 1 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
175 x509_extensions = myca_extensions |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
176 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
177 [ myca_policy ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
178 commonName = supplied |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
179 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
180 [ myca_extensions ] |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
181 basicConstraints = critical,CA:TRUE |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
182 authorityInfoAccess = OCSP;URI:http://localhost:$p |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
183 EOF |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
184 |
| 1570 | 185 foreach my $name ('root') { |
| 186 system('openssl req -x509 -new ' | |
| 187 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 188 . "-out $d/$name.crt -keyout $d/$name.key " | |
| 189 . ">>$d/openssl.out 2>&1") == 0 | |
| 190 or die "Can't create certificate for $name: $!\n"; | |
| 191 } | |
| 192 | |
| 193 foreach my $name ('int', 'end') { | |
| 194 system("openssl req -new " | |
| 195 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 196 . "-out $d/$name.csr -keyout $d/$name.key " | |
| 197 . ">>$d/openssl.out 2>&1") == 0 | |
| 198 or die "Can't create certificate for $name: $!\n"; | |
| 199 } | |
| 200 | |
| 201 foreach my $name ('ec-end') { | |
| 202 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " | |
| 203 . ">>$d/openssl.out 2>&1") == 0 | |
| 204 or die "Can't create EC param: $!\n"; | |
| 205 system("openssl req -new -key $d/$name.key " | |
| 206 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 207 . "-out $d/$name.csr " | |
| 208 . ">>$d/openssl.out 2>&1") == 0 | |
| 209 or die "Can't create certificate for $name: $!\n"; | |
| 210 } | |
| 211 | |
| 212 $t->write_file('certserial', '1000'); | |
| 213 $t->write_file('certindex', ''); | |
| 214 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
215 system("openssl ca -batch -config $d/ca2.conf " |
| 1570 | 216 . "-keyfile $d/root.key -cert $d/root.crt " |
| 217 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " | |
| 218 . ">>$d/openssl.out 2>&1") == 0 | |
| 219 or die "Can't sign certificate for int: $!\n"; | |
| 220 | |
| 221 system("openssl ca -batch -config $d/ca.conf " | |
| 222 . "-keyfile $d/int.key -cert $d/int.crt " | |
| 223 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " | |
| 224 . ">>$d/openssl.out 2>&1") == 0 | |
| 225 or die "Can't sign certificate for ec-end: $!\n"; | |
| 226 | |
| 227 system("openssl ca -batch -config $d/ca.conf " | |
| 228 . "-keyfile $d/int.key -cert $d/int.crt " | |
| 229 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " | |
| 230 . ">>$d/openssl.out 2>&1") == 0 | |
| 231 or die "Can't sign certificate for end: $!\n"; | |
| 232 | |
| 233 # RFC 6960, serialNumber | |
| 234 | |
| 235 system("openssl x509 -in $d/int.crt -serial -noout " | |
| 236 . ">>$d/serial_int 2>>$d/openssl.out") == 0 | |
| 237 or die "Can't obtain serial for end: $!\n"; | |
| 238 | |
| 239 my $serial_int = pack("n2", 0x0202, hex $1) | |
| 240 if $t->read_file('serial_int') =~ /(\d+)/; | |
| 241 | |
| 242 system("openssl x509 -in $d/end.crt -serial -noout " | |
| 243 . ">>$d/serial 2>>$d/openssl.out") == 0 | |
| 244 or die "Can't obtain serial for end: $!\n"; | |
| 245 | |
| 246 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; | |
| 247 | |
| 248 # ocsp end | |
| 249 | |
| 250 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " | |
| 251 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 | |
| 252 or die "Can't create OCSP request: $!\n"; | |
| 253 | |
| 254 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 255 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 256 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " | |
| 257 . ">>$d/openssl.out 2>&1") == 0 | |
| 258 or die "Can't create OCSP response: $!\n"; | |
| 259 | |
| 260 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " | |
| 261 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 | |
| 262 or die "Can't create EC OCSP request: $!\n"; | |
| 263 | |
| 264 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 265 . "-rsigner $d/root.crt -rkey $d/root.key " | |
| 266 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 267 . ">>$d/openssl.out 2>&1") == 0 | |
| 268 or die "Can't create EC OCSP response: $!\n"; | |
| 269 | |
| 270 $t->write_file('trusted.crt', | |
| 271 $t->read_file('int.crt') . $t->read_file('root.crt')); | |
| 272 | |
| 273 # server cert/key | |
| 274 | |
| 275 system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 " | |
| 276 . ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n"; | |
| 277 system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0 | |
| 278 or die "Can't create RSA pem: $!\n"; | |
| 279 | |
| 280 foreach my $name ('ec', 'rsa') { | |
| 281 system("openssl req -x509 -new -key $d/$name.key " | |
| 282 . "-config $d/openssl.conf -subj /CN=$name/ " | |
| 283 . "-out $d/$name.crt -keyout $d/$name.key " | |
| 284 . ">>$d/openssl.out 2>&1") == 0 | |
| 285 or die "Can't create certificate for $name: $!\n"; | |
| 286 } | |
| 287 | |
| 288 $t->run_daemon(\&http_daemon, $t, port(8081)); | |
| 289 $t->run_daemon(\&http_daemon, $t, port(8082)); | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
290 $t->try_run('no ssl_ocsp')->plan(14); |
| 1570 | 291 |
| 292 $t->waitforsocket("127.0.0.1:" . port(8081)); | |
| 293 $t->waitforsocket("127.0.0.1:" . port(8082)); | |
| 294 | |
| 295 my $version = get_version(); | |
| 296 | |
| 297 ############################################################################### | |
| 298 | |
| 299 like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf'); | |
| 300 | |
|
1577
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
301 # demonstrate that ocsp int request is failed due to missing resolver |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
302 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
303 TODO: { |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
304 todo_skip 'leaves coredump', 1 unless $t->has_version('1.19.1') |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
305 or $ENV{TEST_NGINX_UNSAFE}; |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
306 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
307 like(get('RSA', 'end', sni => 'resolver'), |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
308 qr/400 Bad.*FAILED:certificate status request failed/s, |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
309 'ocsp many failed request'); |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
310 |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
311 } |
|
804a7409bc63
Tests: added ssl_ocsp test with failing request.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1570
diff
changeset
|
312 |
| 1570 | 313 # demonstrate that ocsp int request is actually made by failing ocsp response |
| 314 | |
| 315 like(get('RSA', 'end', port => 8444), | |
| 316 qr/400 Bad.*FAILED:certificate status request failed/s, | |
| 317 'ocsp many failed'); | |
| 318 | |
| 319 # now prepare valid ocsp int response | |
| 320 | |
| 321 system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt " | |
| 322 . "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0 | |
| 323 or die "Can't create OCSP request: $!\n"; | |
| 324 | |
| 325 system("openssl ocsp -index $d/certindex -CA $d/root.crt " | |
| 326 . "-rsigner $d/root.crt -rkey $d/root.key " | |
| 327 . "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 " | |
| 328 . ">>$d/openssl.out 2>&1") == 0 | |
| 329 or die "Can't create OCSP response: $!\n"; | |
| 330 | |
| 331 like(get('RSA', 'end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many'); | |
| 332 | |
| 333 # store into ssl_ocsp_cache | |
| 334 | |
| 335 like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store'); | |
| 336 | |
| 337 # revoke | |
| 338 | |
| 339 system("openssl ca -config $d/ca.conf -revoke $d/end.crt " | |
| 340 . "-keyfile $d/root.key -cert $d/root.crt " | |
| 341 . ">>$d/openssl.out 2>&1") == 0 | |
| 342 or die "Can't revoke end.crt: $!\n"; | |
| 343 | |
| 344 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " | |
| 345 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 | |
| 346 or die "Can't create OCSP request: $!\n"; | |
| 347 | |
| 348 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 349 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 350 . "-reqin $d/req.der -respout $d/revoked.der -ndays 1 " | |
| 351 . ">>$d/openssl.out 2>&1") == 0 | |
| 352 or die "Can't create OCSP response: $!\n"; | |
| 353 | |
| 354 like(get('RSA', 'end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked'); | |
| 355 | |
| 356 # with different responder where it's still valid | |
| 357 | |
| 358 like(get('RSA', 'end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder'); | |
| 359 | |
| 360 # with different context to responder where it's still valid | |
| 361 | |
| 362 like(get('RSA', 'end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context'); | |
| 363 | |
| 364 # with cached ocsp response it's still valid | |
| 365 | |
| 366 like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup'); | |
| 367 | |
| 368 # ocsp end response signed with invalid (root) cert, expect HTTP 400 | |
| 369 | |
| 370 like(get('ECDSA', 'ec-end'), | |
| 371 qr/400 Bad.*FAILED:certificate status request failed/s, | |
| 372 'root ca not trusted'); | |
| 373 | |
| 374 # now sign ocsp end response with valid int cert | |
| 375 | |
| 376 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 377 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 378 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 379 . ">>$d/openssl.out 2>&1") == 0 | |
| 380 or die "Can't create EC OCSP response: $!\n"; | |
| 381 | |
| 382 like(get('ECDSA', 'ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa'); | |
| 383 | |
| 384 my ($s, $ssl) = get('ECDSA', 'ec-end'); | |
| 385 my $ses = Net::SSLeay::get_session($ssl); | |
| 386 | |
| 387 like(get('ECDSA', 'ec-end', ses => $ses), | |
| 388 qr/200 OK.*SUCCESS:r/s, 'session reused'); | |
| 389 | |
| 390 # revoke with saved session | |
| 391 | |
| 392 system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt " | |
| 393 . "-keyfile $d/root.key -cert $d/root.crt " | |
| 394 . ">>$d/openssl.out 2>&1") == 0 | |
| 395 or die "Can't revoke end.crt: $!\n"; | |
| 396 | |
| 397 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " | |
| 398 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 | |
| 399 or die "Can't create OCSP request: $!\n"; | |
| 400 | |
| 401 system("openssl ocsp -index $d/certindex -CA $d/int.crt " | |
| 402 . "-rsigner $d/int.crt -rkey $d/int.key " | |
| 403 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " | |
| 404 . ">>$d/openssl.out 2>&1") == 0 | |
| 405 or die "Can't create OCSP response: $!\n"; | |
| 406 | |
| 407 # reusing session with revoked certificate | |
| 408 | |
| 409 like(get('ECDSA', 'ec-end', ses => $ses), | |
| 410 qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked'); | |
| 411 | |
| 412 # regression test for self-signed | |
| 413 | |
| 414 like(get('RSA', 'root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one'); | |
| 415 | |
| 416 ############################################################################### | |
| 417 | |
| 418 sub get { | |
| 419 my ($type, $cert, %extra) = @_; | |
| 420 $type = 'PSS' if $type eq 'RSA' && $version > 0x0303; | |
| 421 my ($s, $ssl) = get_ssl_socket($type, $cert, %extra); | |
| 422 my $cipher = Net::SSLeay::get_cipher($ssl); | |
| 423 Test::Nginx::log_core('||', "cipher: $cipher"); | |
| 424 my $host = $extra{sni} ? $extra{sni} : 'localhost'; | |
| 425 Net::SSLeay::write($ssl, "GET /serial HTTP/1.0\nHost: $host\n\n"); | |
| 426 my $r = Net::SSLeay::read($ssl); | |
| 427 Test::Nginx::log_core($r); | |
| 428 $s->close(); | |
| 429 return $r unless wantarray(); | |
| 430 return ($s, $ssl); | |
| 431 } | |
| 432 | |
| 433 sub get_ssl_socket { | |
| 434 my ($type, $cert, %extra) = @_; | |
| 435 my $ses = $extra{ses}; | |
| 436 my $sni = $extra{sni}; | |
| 437 my $port = $extra{port} || 8443; | |
| 438 my $s; | |
| 439 | |
| 440 eval { | |
| 441 local $SIG{ALRM} = sub { die "timeout\n" }; | |
| 442 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
| 443 alarm(8); | |
| 444 $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); | |
| 445 alarm(0); | |
| 446 }; | |
| 447 alarm(0); | |
| 448 | |
| 449 if ($@) { | |
| 450 log_in("died: $@"); | |
| 451 return undef; | |
| 452 } | |
| 453 | |
| 454 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
| 455 | |
| 456 if (defined $type) { | |
| 457 my $ssleay = Net::SSLeay::SSLeay(); | |
| 458 if ($ssleay < 0x1000200f || $ssleay == 0x20000000) { | |
| 459 Net::SSLeay::CTX_set_cipher_list($ctx, $type) | |
| 460 or die("Failed to set cipher list"); | |
| 461 } else { | |
| 462 # SSL_CTRL_SET_SIGALGS_LIST | |
| 463 Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256') | |
| 464 or die("Failed to set sigalgs"); | |
| 465 } | |
| 466 } | |
| 467 | |
| 468 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key") | |
| 469 or die if $cert; | |
| 470 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | |
| 471 Net::SSLeay::set_session($ssl, $ses) if defined $ses; | |
| 472 Net::SSLeay::set_tlsext_host_name($ssl, $sni) if $sni; | |
| 473 Net::SSLeay::set_fd($ssl, fileno($s)); | |
| 474 Net::SSLeay::connect($ssl) or die("ssl connect"); | |
| 475 return ($s, $ssl); | |
| 476 } | |
| 477 | |
| 478 sub get_version { | |
| 479 my ($s, $ssl) = get_ssl_socket(); | |
| 480 return Net::SSLeay::version($ssl); | |
| 481 } | |
| 482 | |
| 483 ############################################################################### | |
| 484 | |
| 485 sub http_daemon { | |
| 486 my ($t, $port) = @_; | |
| 487 my $server = IO::Socket::INET->new( | |
| 488 Proto => 'tcp', | |
| 489 LocalHost => "127.0.0.1:$port", | |
| 490 Listen => 5, | |
| 491 Reuse => 1 | |
| 492 ) | |
| 493 or die "Can't create listening socket: $!\n"; | |
| 494 | |
| 495 local $SIG{PIPE} = 'IGNORE'; | |
| 496 | |
| 497 while (my $client = $server->accept()) { | |
| 498 $client->autoflush(1); | |
| 499 | |
| 500 my $headers = ''; | |
| 501 my $uri = ''; | |
| 502 my $resp; | |
| 503 | |
| 504 while (<$client>) { | |
| 505 $headers .= $_; | |
| 506 last if (/^\x0d?\x0a?$/); | |
| 507 } | |
| 508 | |
| 509 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i; | |
| 510 next unless $uri; | |
| 511 | |
| 512 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; | |
| 513 my $req = decode_base64($uri); | |
| 514 | |
| 515 if (index($req, $serial_int) > 0) { | |
| 516 $resp = 'int-resp'; | |
| 517 | |
| 518 } elsif (index($req, $serial) > 0) { | |
| 519 $resp = 'resp'; | |
| 520 | |
| 521 # used to differentiate ssl_ocsp_responder | |
| 522 | |
| 523 if ($port == port(8081) && -e "$d/revoked.der") { | |
| 524 $resp = 'revoked'; | |
| 525 } | |
| 526 | |
| 527 } else { | |
| 528 $resp = 'ec-resp'; | |
| 529 } | |
| 530 | |
| 531 # ocsp dummy handler | |
| 532 | |
| 533 select undef, undef, undef, 0.02; | |
| 534 | |
| 535 $headers = <<"EOF"; | |
| 536 HTTP/1.1 200 OK | |
| 537 Connection: close | |
| 538 Content-Type: application/ocsp-response | |
| 539 | |
| 540 EOF | |
| 541 | |
| 542 print $client $headers . $t->read_file("$resp.der") | |
| 543 if -e "$d/$resp.der"; | |
| 544 } | |
| 545 } | |
| 546 | |
| 547 ############################################################################### |