annotate ssl_ocsp.t @ 1976:4e79bd25642f default tip

Tests: added test for headers without a colon.
author Maxim Dounin <mdounin@mdounin.ru>
date Sat, 11 May 2024 18:56:23 +0300
parents c924ae8d7104
children
1 #!/usr/bin/perl
2
3 # (C) Sergey Kandaurov
4 # (C) Nginx, Inc.
5
6 # Tests for OCSP with client certificates.
7
8 ###############################################################################
9
10 use warnings;
11 use strict;
12
13 use Test::More;
14
15 use MIME::Base64 qw/ decode_base64 /;
16
17 BEGIN { use FindBin; chdir($FindBin::Bin); }
18
19 use lib 'lib';
20 use Test::Nginx qw/ :DEFAULT http_end /;
21
22 ###############################################################################
23
# Turn on autoflush for STDERR and then STDOUT; STDOUT is the handle left
# selected afterwards.
for my $stream (\*STDERR, \*STDOUT) {
    select $stream;
    $| = 1;
}

# The harness object: the test needs the http, http_ssl, sni and
# socket_ssl_sni features and an "openssl" binary.
my $t = Test::Nginx->new()
    ->has(qw/http http_ssl sni socket_ssl_sni/)
    ->has_daemon('openssl');

# The whole file is skipped when nginx is built with BoringSSL.
if ($t->has_module('BoringSSL')) {
    plan(skip_all => 'no OCSP support in BoringSSL');
}
# nginx configuration under test.
#
# http level: client certificates are required (ssl_verify_client on) and
# verified against trusted.crt with a depth of 2; "ssl_ocsp leaf" limits OCSP
# validation to the client certificate itself. The X-Verify header carries
# $ssl_client_verify and $ssl_session_reused on every response, presumably
# for the test cases to match on.
#
# Servers (each one overrides part of the http-level settings):
#   8443 localhost - nothing overridden
#   8443 sni       - responder forced to http://127.0.0.1:8082
#   8443 resolver  - "ssl_ocsp on", i.e. the whole client chain is checked
#   8444           - responder http://127.0.0.1:8081, "ssl_ocsp on"
#   8445           - responder http://127.0.0.1:8082
#   8446           - OCSP response cache (shared:OCSP:1m)
#   8447           - responder http://127.0.0.1:8082, trust anchor root.crt
my $nginx_conf = <<'EOF';

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
    add_header X-SSL-Protocol $ssl_protocol always;

    server {
        listen 127.0.0.1:8443 ssl;
        server_name localhost;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        server_name sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        server_name resolver;

        ssl_ocsp on;
    }

    server {
        listen 127.0.0.1:8444 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen 127.0.0.1:8445 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen 127.0.0.1:8446 ssl;
        server_name localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen 127.0.0.1:8447 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF

$t->write_file_expand('nginx.conf', $nginx_conf);
# $d is the test directory, where every generated file lives; $p is the port
# obtained for 8081, which the CA configs put into the OCSP responder URI.
my $d = $t->testdir();
my $p = port(8081);

# Settings for "openssl req": 2048-bit keys written without passphrase
# protection (encrypt_key = no), an empty DN section because subjects are
# given with -subj, and CA:TRUE on self-signed (-x509) certificates.
my $openssl_conf = <<EOF;
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
x509_extensions = myca_extensions
[ req_distinguished_name ]
[ myca_extensions ]
basicConstraints = critical,CA:TRUE
EOF

$t->write_file('openssl.conf', $openssl_conf);
# Profile for "openssl ca": index, serial file and new certificates all live
# in the test directory, certificates are valid for one day, and only a
# commonName is required in the subject.
# Every certificate issued with this profile gets basicConstraints CA:TRUE
# and an authorityInfoAccess OCSP URI of http://127.0.0.1:$p. That includes
# the end-entity certificates signed with it below, which suits a throwaway
# test PKI only.
my $ca_conf = <<EOF;
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
EOF

$t->write_file('ca.conf', $ca_conf);
# Variant of ca.conf used for int.crt: the same profile, except that the
# OCSP responder URI names "localhost" instead of 127.0.0.1. The host name
# has to be resolved and nginx.conf configures no resolver, which is the
# "missing resolver" case this variant is meant to trigger.

my $ca2_conf = <<EOF;
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://localhost:$p
EOF

$t->write_file('ca2.conf', $ca2_conf);
# Self-signed root certificate and key.
# The command is one string, so it runs through the shell (needed for the
# ">>" redirection). $d is interpolated unquoted and is assumed to contain
# no spaces or shell metacharacters. openssl's own output is appended to
# openssl.out in the test directory.
for my $name ('root') {
    my $cmd = join ' ',
        'openssl req -x509 -new',
        "-config $d/openssl.conf -subj /CN=$name/",
        "-out $d/$name.crt -keyout $d/$name.key",
        ">>$d/openssl.out 2>&1";

    if (system($cmd) != 0) {
        die "Can't create certificate for $name: $!\n";
    }
}
# Key plus certificate signing request for the intermediate CA ("int") and
# for the client certificate ("end"); the requests are signed later with
# "openssl ca". The command string goes through the shell with $d
# interpolated unquoted.
for my $name ('int', 'end') {
    my $cmd = join ' ',
        'openssl req -new',
        "-config $d/openssl.conf -subj /CN=$name/",
        "-out $d/$name.csr -keyout $d/$name.key",
        ">>$d/openssl.out 2>&1";

    if (system($cmd) != 0) {
        die "Can't create certificate for $name: $!\n";
    }
}
# EC client certificate: a prime256v1 key is generated first, then a signing
# request for that key. Both command strings go through the shell with $d
# interpolated unquoted.
for my $name ('ec-end') {
    my $genkey = join ' ',
        "openssl ecparam -genkey -out $d/$name.key -name prime256v1",
        ">>$d/openssl.out 2>&1";

    if (system($genkey) != 0) {
        die "Can't create EC param: $!\n";
    }

    my $request = join ' ',
        "openssl req -new -key $d/$name.key",
        "-config $d/openssl.conf -subj /CN=$name/",
        "-out $d/$name.csr",
        ">>$d/openssl.out 2>&1";

    if (system($request) != 0) {
        die "Can't create certificate for $name: $!\n";
    }
}
# State files for "openssl ca": serials start at 1000, the index is empty.
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

# Sign the requests, in this order (the order fixes the serial numbers):
#   int    - issued by root with ca2.conf (OCSP URI on "localhost")
#   ec-end - issued by int  with ca.conf  (OCSP URI on 127.0.0.1)
#   end    - issued by int  with ca.conf
# Each command string goes through the shell with $d interpolated unquoted.
for my $job (
    [ 'int',    'ca2.conf', 'root' ],
    [ 'ec-end', 'ca.conf',  'int'  ],
    [ 'end',    'ca.conf',  'int'  ],
) {
    my ($name, $conf, $issuer) = @$job;

    my $cmd = join ' ',
        "openssl ca -batch -config $d/$conf",
        "-keyfile $d/$issuer.key -cert $d/$issuer.crt",
        "-subj /CN=$name/ -in $d/$name.csr -out $d/$name.crt",
        ">>$d/openssl.out 2>&1";

    if (system($cmd) != 0) {
        die "Can't sign certificate for $name: $!\n";
    }
}
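# RFC 6960, serialNumber
#
# Read the serial numbers of int.crt and end.crt from "openssl x509 -serial"
# and pack each one as the four bytes 0x02 0x02 <hi> <lo>, i.e. a DER INTEGER
# with a two-byte value.
# NOTE(review): /(\d+)/ stops at the first hex letter and "n2" holds only
# 16 bits; that fits serials counted up from the 1000 seeded in certserial.

system("openssl x509 -in $d/int.crt -serial -noout "
    . ">>$d/serial_int 2>>$d/openssl.out") == 0
    or die "Can't obtain serial for int: $!\n";

# Declared on its own line: the value of a variable declared with
# "my ... if ..." is unspecified when the condition is false.
my $serial_int;
if ($t->read_file('serial_int') =~ /(\d+)/) {
    $serial_int = pack("n2", 0x0202, hex $1);
}
defined $serial_int
    or die "Can't parse serial for int\n";

system("openssl x509 -in $d/end.crt -serial -noout "
    . ">>$d/serial 2>>$d/openssl.out") == 0
    or die "Can't obtain serial for end: $!\n";

my $serial;
if ($t->read_file('serial') =~ /(\d+)/) {
    $serial = pack("n2", 0x0202, hex $1);
}
defined $serial
    or die "Can't parse serial for end\n";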
# ocsp end
#
# Pre-generate OCSP requests and responses (valid for one day) for the two
# client certificates:
#   end.crt    -> req.der / resp.der, response signed by int (the issuer)
#   ec-end.crt -> ec-req.der / ec-resp.der, response signed with root's key
#                 instead, presumably to cover a signer other than the issuer
# Each command string goes through the shell with $d interpolated unquoted.
for my $step (
    [
        'OCSP request',
        "openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
            . "-reqout $d/req.der >>$d/openssl.out 2>&1",
    ],
    [
        'OCSP response',
        "openssl ocsp -index $d/certindex -CA $d/int.crt "
            . "-rsigner $d/int.crt -rkey $d/int.key "
            . "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
            . ">>$d/openssl.out 2>&1",
    ],
    [
        'EC OCSP request',
        "openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
            . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1",
    ],
    [
        'EC OCSP response',
        "openssl ocsp -index $d/certindex -CA $d/int.crt "
            . "-rsigner $d/root.crt -rkey $d/root.key "
            . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
            . ">>$d/openssl.out 2>&1",
    ],
) {
    my ($what, $cmd) = @$step;

    if (system($cmd) != 0) {
        die "Can't create $what: $!\n";
    }
}
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
253
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
254 $t->write_file('trusted.crt',
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
255 $t->read_file('int.crt') . $t->read_file('root.crt'));
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
256
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
257 # server cert/key
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
258
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
259 foreach my $name ('rsa') {
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
260 system('openssl req -x509 -new '
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
261 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
262 . "-out $d/$name.crt -keyout $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
263 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
264 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
265 }
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
266
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
267 $t->run_daemon(\&http_daemon, $t, port(8081));
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
268 $t->run_daemon(\&http_daemon, $t, port(8082));
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
269 $t->run()->plan(15);
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
270
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
271 $t->waitforsocket("127.0.0.1:" . port(8081));
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
272 $t->waitforsocket("127.0.0.1:" . port(8082));
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
273
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
274 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
275
1847
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t.
Maxim Dounin <mdounin@mdounin.ru>
parents: 1846
diff changeset
# Baseline: the leaf client certificate 'end' is accepted on the default port.
like(
	get('end'),
	qr/200 OK.*SUCCESS/s,
	'ocsp leaf'
);

# With SNI 'resolver' the OCSP request for the intermediate certificate is
# expected to fail (per the original note: no resolver is available), and the
# client must be rejected with 400 rather than admitted unchecked.
like(
	get('end', sni => 'resolver'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed request'
);

# Port 8444: a failure at this point shows that an OCSP request for the
# intermediate certificate is really made; the valid response for it is
# only generated below.
like(
	get('end', port => 8444),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed'
);

# Build a valid OCSP response for the intermediate certificate, signed by
# the root.  The command runs through the shell because of the redirection;
# $d is interpolated unquoted (presumably the harness test directory --
# confirm where $d is assigned).
if (system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
	. "-reqout $d/int-req.der >>$d/openssl.out 2>&1") != 0)
{
	die "Can't create OCSP request: $!\n";
}

if (system("openssl ocsp -index $d/certindex -CA $d/root.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") != 0)
{
	die "Can't create OCSP response: $!\n";
}

# Same request as the failing one above, now expected to succeed.
like(
	get('end', port => 8444),
	qr/200 OK.*SUCCESS/s,
	'ocsp many'
);

# Port 8446: per the original note this populates ssl_ocsp_cache (the server
# configuration is outside this excerpt); the entry is looked up again after
# the certificate has been revoked.
like(
	get('end', port => 8446),
	qr/200 OK.*SUCCESS/s,
	'cache store'
);
# Revoke end.crt in the CA database, then regenerate the OCSP request and
# produce a response (revoked.der) that reflects the revocation.
# NOTE(review): $! is only meaningful when system() could not start the
# command; for a non-zero openssl exit the real diagnostics are in
# openssl.out.
if (system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") != 0)
{
	die "Can't revoke end.crt: $!\n";
}

if (system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") != 0)
{
	die "Can't create OCSP request: $!\n";
}

if (system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") != 0)
{
	die "Can't create OCSP response: $!\n";
}

# The default server must now refuse the revoked certificate.
like(
	get('end'),
	qr/400 Bad.*FAILED:certificate revoked/s,
	'revoked'
);

# Port 8445 uses a different responder, for which the certificate is still
# reported as valid.
like(
	get('end', port => 8445),
	qr/200 OK.*SUCCESS/s,
	'ocsp responder'
);

# SNI 'sni' selects a different context pointing at a responder where the
# certificate is still valid.
like(
	get('end', sni => 'sni'),
	qr/200 OK.*SUCCESS/s,
	'ocsp context'
);

# Port 8446 answers from the OCSP response cached before the revocation, so
# the revoked certificate is still accepted there: a cached good status
# outlives the revocation for as long as the cache entry is used.
like(
	get('end', port => 8446),
	qr/200 OK.*SUCCESS/s,
	'cache lookup'
);
# The OCSP response for ec-end was signed with the root certificate, which
# is not a valid signer for it: the response must be rejected and the
# client refused with HTTP 400.
like(
	get('ec-end'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'root ca not trusted'
);

# Re-sign the ec-end response with the intermediate certificate, which is
# a valid signer, overwriting ec-resp.der.
if (system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") != 0)
{
	die "Can't create EC OCSP response: $!\n";
}

like(
	get('ec-end'),
	qr/200 OK.*SUCCESS/s,
	'ocsp ecdsa'
);

# Keep the socket of a completed connection; get_socket() passes it on as
# SSL_reuse_ctx so that later connections can resume the TLS session.
my $s = session('ec-end');

TODO: {
	# Each statement-modifier "local" applies only if its condition holds and
	# stays in effect until the end of this block; a later match overrides
	# an earlier one.
	local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
		if $Net::SSLeay::VERSION < 1.88 && test_tls13();
	local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
		if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
	local $TODO = 'no TLSv1.3 sessions in LibreSSL'
		if $t->has_module('LibreSSL') && test_tls13();
	local $TODO = 'no TLSv1.3 sessions in Net::SSLeay (LibreSSL)'
		if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();

	# The ":r" suffix presumably marks a reused session in the server's
	# response (the server configuration is outside this excerpt).
	like(
		get('ec-end', ses => $s),
		qr/200 OK.*SUCCESS:r/s,
		'session reused'
	);
}
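# Revoke ec-end.crt while a TLS session for it is still saved in $s, then
# regenerate its OCSP request and response so the responder reports the
# revocation.
#
# The failure messages name the EC certificate: the original text said
# "end.crt" here although the command revokes ec-end.crt, and the request
# and response messages did not say "EC" as the other ec-end steps do.
# NOTE(review): $! is only meaningful when system() could not start the
# command; for a non-zero openssl exit the real diagnostics are in
# openssl.out.
system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke ec-end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

# Resuming the saved session must not bypass revocation: the expected
# result is a rejection even though the session is reused (":r").

TODO: {
# Each statement-modifier "local" applies only if its condition holds and
# stays in effect until the end of this block.
local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
	if $Net::SSLeay::VERSION < 1.88 && test_tls13();
local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') && test_tls13();
local $TODO = 'no TLSv1.3 sessions in Net::SSLeay (LibreSSL)'
	if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();

like(get('ec-end', ses => $s),
	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');

}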
# Regression test: a self-signed client certificate ('root') presented to
# the server on port 8447 is accepted.
like(
	get('root', port => 8447),
	qr/200 OK.*SUCCESS/s,
	'ocsp one'
);

# The error log must contain no '[crit]' lines: grep prints nothing when it
# finds none, and qr/^$/s only accepts empty output.  The log path is
# interpolated into a shell command; it comes from the harness's testdir().
like(
	`grep -F '[crit]' ${\($t->testdir())}/error.log`,
	qr/^$/s,
	'no crit'
);
1570
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
413
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
414 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
415
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
# Opens a TLS connection via get_socket() with the given arguments and
# returns whatever http_end() yields for it.  Returns nothing when
# get_socket() gives back a false value (no connection).
sub get {
	my $sock = get_socket(@_);
	return unless $sock;

	return http_end($sock);
}
# Completes one request like get(), but returns the socket instead of the
# response so callers can hand it back as "ses => $s" for TLS session reuse.
# Returns nothing when get_socket() gives back a false value.
sub session {
	my $sock = get_socket(@_);
	return unless $sock;

	# The response itself is discarded; only the finished connection matters.
	http_end($sock);

	return $sock;
}
# Starts a "GET /serial" request over TLS to 127.0.0.1 and returns the
# result of http() called with start => 1.
#
#   $cert         base name of the client certificate; "$d/$cert.crt" and
#                 "$d/$cert.key" are presented when it is true.  Callers in
#                 this file pass only literal names.
#   $extra{sni}   SNI name, also used as the Host header (default 'localhost')
#   $extra{port}  logical port mapped through port() (default 8443)
#   $extra{ses}   earlier socket passed as SSL_reuse_ctx for session reuse
#
# NOTE(review): no server certificate verification options are set here;
# whatever http() defaults to applies -- confirm in Test::Nginx.
sub get_socket {
	my ($cert, %extra) = @_;

	my $port = $extra{port} || 8443;
	my $sni = $extra{sni} || 'localhost';
	my $ses = $extra{ses};

	# An array, not a hash, so the options reach http() in a fixed order.
	my @opts = (
		start => 1,
		PeerAddr => '127.0.0.1:' . port($port),
		SSL => 1,
		SSL_hostname => $sni,
		SSL_session_cache_size => 100,
		SSL_reuse_ctx => $ses,
	);

	if ($cert) {
		push @opts,
			SSL_cert_file => "$d/$cert.crt",
			SSL_key_file => "$d/$cert.key";
	}

	return http("GET /serial HTTP/1.0\nHost: $sni\n\n", @opts);
}
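# Reports whether the response to "GET /" over SSL contains the protocol
# name TLSv1.3 -- presumably the server echoes the negotiated protocol there
# (the server configuration is outside this excerpt).  Each call performs a
# new request.
sub test_tls13 {
	# The dot is escaped so that only the literal string "TLSv1.3" matches;
	# unescaped it would match any character in that position.
	return http_get('/', SSL => 1) =~ /TLSv1\.3/;
}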
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
450
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
451 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
452
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
453 sub http_daemon {
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
454 my ($t, $port) = @_;
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
455 my $server = IO::Socket::INET->new(
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
456 Proto => 'tcp',
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
457 LocalHost => "127.0.0.1:$port",
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
458 Listen => 5,
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
459 Reuse => 1
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
460 )
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
461 or die "Can't create listening socket: $!\n";
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
462
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
463 local $SIG{PIPE} = 'IGNORE';
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
464
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
465 while (my $client = $server->accept()) {
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
466 $client->autoflush(1);
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
467
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
468 my $headers = '';
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
469 my $uri = '';
0077b80ef745 Tests: ssl_ocsp tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
470 my $resp;
471
472 while (<$client>) {
473 Test::Nginx::log_core('||', $_);
474 $headers .= $_;
475 last if (/^\x0d?\x0a?$/);
476 }
477
478 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
479 next unless $uri;
480
481 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
482 my $req = decode_base64($uri);
483
484 if (index($req, $serial_int) > 0) {
485 $resp = 'int-resp';
486
487 } elsif (index($req, $serial) > 0) {
488 $resp = 'resp';
489
490 # used to differentiate ssl_ocsp_responder
491
492 if ($port == port(8081) && -e "$d/revoked.der") {
493 $resp = 'revoked';
494 }
495
496 } else {
497 $resp = 'ec-resp';
498 }
499
500 next unless -s "$d/$resp.der";
501
502 # ocsp dummy handler
503
504 select undef, undef, undef, 0.02;
505
506 $headers = <<"EOF";
507 HTTP/1.1 200 OK
508 Connection: close
509 Content-Type: application/ocsp-response
510
511 EOF
512
513 local $/;
514 open my $fh, '<', "$d/$resp.der"
515 or die "Can't open $resp.der: $!";
516 binmode $fh;
517 my $content = <$fh>;
518 close $fh;
519
520 print $client $headers . $content;
521 }
522 }
523
524 ###############################################################################