Mercurial > hg > nginx-tests
comparison ssl_verify_depth.t @ 1605:aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
This reverts 5b22e2014f76. Two basic cases are now provided for a full chain:
when the verification depth is big enough and when it is insufficient.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 06 Nov 2020 14:32:13 +0000 |
| parents | dbce8fb5f5f8 |
| children | bad6aa24ec10 |
comparison
equal
deleted
inserted
replaced
| 1604:4be791074207 | 1605:aa5a61d1254b |
|---|---|
| 44 | 44 |
| 45 ssl_certificate_key localhost.key; | 45 ssl_certificate_key localhost.key; |
| 46 ssl_certificate localhost.crt; | 46 ssl_certificate localhost.crt; |
| 47 | 47 |
| 48 ssl_verify_client on; | 48 ssl_verify_client on; |
| 49 ssl_client_certificate int-root.crt; | 49 ssl_client_certificate root.crt; |
| 50 | 50 |
| 51 add_header X-Verify $ssl_client_verify; | 51 add_header X-Verify $ssl_client_verify always; |
| 52 | 52 |
| 53 server { | 53 server { |
| 54 listen 127.0.0.1:8080 ssl; | 54 listen 127.0.0.1:8080 ssl; |
| 55 server_name localhost; | 55 server_name localhost; |
| 56 ssl_verify_depth 0; | 56 ssl_verify_depth 3; |
| 57 } | |
| 58 | |
| 59 server { | |
| 60 listen 127.0.0.1:8081 ssl; | |
| 61 server_name localhost; | |
| 57 } | 62 } |
| 58 } | 63 } |
| 59 | 64 |
| 60 EOF | 65 EOF |
| 61 | 66 |
| 78 database = $d/certindex | 83 database = $d/certindex |
| 79 default_md = sha256 | 84 default_md = sha256 |
| 80 policy = myca_policy | 85 policy = myca_policy |
| 81 serial = $d/certserial | 86 serial = $d/certserial |
| 82 default_days = 1 | 87 default_days = 1 |
| 88 x509_extensions = myca_extensions | |
| 83 | 89 |
| 84 [ myca_policy ] | 90 [ myca_policy ] |
| 85 commonName = supplied | 91 commonName = supplied |
| 92 | |
| 93 [ myca_extensions ] | |
| 94 basicConstraints = critical,CA:TRUE | |
| 86 EOF | 95 EOF |
| 87 | 96 |
| 88 foreach my $name ('root', 'localhost') { | 97 foreach my $name ('root', 'localhost') { |
| 89 system('openssl req -x509 -new ' | 98 system('openssl req -x509 -new ' |
| 90 . "-config $d/openssl.conf -subj /CN=$name/ " | 99 . "-config $d/openssl.conf -subj /CN=$name/ " |
| 91 . "-out $d/$name.crt -keyout $d/$name.key " | 100 . "-out $d/$name.crt -keyout $d/$name.key " |
| 92 . ">>$d/openssl.out 2>&1") == 0 | 101 . ">>$d/openssl.out 2>&1") == 0 |
| 93 or die "Can't create certificate for $name: $!\n"; | 102 or die "Can't create certificate for $name: $!\n"; |
| 94 } | 103 } |
| 95 | 104 |
| 96 foreach my $name ('int', 'end') { | 105 foreach my $name ('int', 'int2', 'end') { |
| 97 system("openssl req -new " | 106 system("openssl req -new " |
| 98 . "-config $d/openssl.conf -subj /CN=$name/ " | 107 . "-config $d/openssl.conf -subj /CN=$name/ " |
| 99 . "-out $d/$name.csr -keyout $d/$name.key " | 108 . "-out $d/$name.csr -keyout $d/$name.key " |
| 100 . ">>$d/openssl.out 2>&1") == 0 | 109 . ">>$d/openssl.out 2>&1") == 0 |
| 101 or die "Can't create certificate for $name: $!\n"; | 110 or die "Can't create certificate for $name: $!\n"; |
| 110 . ">>$d/openssl.out 2>&1") == 0 | 119 . ">>$d/openssl.out 2>&1") == 0 |
| 111 or die "Can't sign certificate for int: $!\n"; | 120 or die "Can't sign certificate for int: $!\n"; |
| 112 | 121 |
| 113 system("openssl ca -batch -config $d/ca.conf " | 122 system("openssl ca -batch -config $d/ca.conf " |
| 114 . "-keyfile $d/int.key -cert $d/int.crt " | 123 . "-keyfile $d/int.key -cert $d/int.crt " |
| 124 . "-subj /CN=int2/ -in $d/int2.csr -out $d/int2.crt " | |
| 125 . ">>$d/openssl.out 2>&1") == 0 | |
| 126 or die "Can't sign certificate for int2: $!\n"; | |
| 127 | |
| 128 system("openssl ca -batch -config $d/ca.conf " | |
| 129 . "-keyfile $d/int2.key -cert $d/int2.crt " | |
| 115 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " | 130 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " |
| 116 . ">>$d/openssl.out 2>&1") == 0 | 131 . ">>$d/openssl.out 2>&1") == 0 |
| 117 or die "Can't sign certificate for end: $!\n"; | 132 or die "Can't sign certificate for end: $!\n"; |
| 118 | 133 |
| 119 $t->write_file('int-root.crt', | 134 $t->write_file('client.key', $t->read_file('end.key') . |
| 120 $t->read_file('int.crt') . $t->read_file('root.crt')); | 135 $t->read_file('int.key') . $t->read_file('int2.key')); |
| 136 $t->write_file('client.crt', $t->read_file('end.crt') . | |
| 137 $t->read_file('int.crt') . $t->read_file('int2.crt')); | |
| 121 | 138 |
| 122 $t->write_file('t', ''); | 139 $t->write_file('t', ''); |
| 123 $t->run(); | 140 $t->run(); |
| 124 | 141 |
| 125 ############################################################################### | 142 ############################################################################### |
| 126 | 143 |
| 127 like(get(8080, 'root'), qr/SUCCESS/, 'verify depth'); | 144 like(get(8080, 'client'), qr/SUCCESS/, 'verify depth'); |
| 128 like(get(8080, 'end'), qr/400 Bad Request/, 'verify depth limited'); | 145 like(get(8081, 'client'), qr/FAILED/, 'verify depth limited'); |
| 129 | 146 |
| 130 ############################################################################### | 147 ############################################################################### |
| 131 | 148 |
| 132 sub get { | 149 sub get { |
| 133 my ($port, $cert) = @_; | 150 my ($port, $cert) = @_; |