annotate ssl_ocsp.t @ 1773:3f9b25f36e19
Tests: added js headers tests when value is absent.
author | Dmitry Volyntsev <xeioex@nginx.com> |
date | Tue, 07 Jun 2022 21:28:14 -0700 |
parents | 5ac6efbe5552 |
children | 9d98c2ad3126 |
1570 | 1 #!/usr/bin/perl |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for OCSP with client certificates. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 use MIME::Base64 qw/ decode_base64 /; | |
16 | |
17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
18 | |
19 use lib 'lib'; | |
20 use Test::Nginx; | |
21 | |
22 ############################################################################### | |
23 | |
# Unbuffer both output streams so TAP lines and diagnostics interleave in
# the order they were written.  select() returns the previously selected
# handle, which is restored each time, so STDOUT remains the default
# output handle afterwards.
for my $handle (\*STDERR, \*STDOUT) {
	my $previous = select $handle;
	$| = 1;
	select $previous;
}

# Net::SSLeay must be present, initialised, and new enough to carry the
# certificate status (OCSP) extension entry point.
my $ssleay_ok = eval {
	require Net::SSLeay;
	Net::SSLeay::load_error_strings();
	Net::SSLeay::SSLeay_add_ssl_algorithms();
	Net::SSLeay::randomize();
	Net::SSLeay::SSLeay();
	defined &Net::SSLeay::set_tlsext_status_type or die;
	1;
};
plan(skip_all => 'Net::SSLeay not installed or too old') unless $ssleay_ok;

# The servers on the shared port are told apart by SNI, so the library
# has to be able to send a server name.
my $sni_ok = eval {
	my $ctx = Net::SSLeay::CTX_new() or die;
	my $ssl = Net::SSLeay::new($ctx) or die;
	Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die;
	1;
};
plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required')
	unless $sni_ok;

my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)
	->has_daemon('openssl');

plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL');
47 | |
# nginx configuration under test.  Client certificates are mandatory
# (ssl_verify_client on) and, at http{} level, only the leaf certificate
# is checked through OCSP (ssl_ocsp leaf) with no explicit responder, so
# the certificate's own AIA URL is used.  The servers differ as follows:
#
#   8443 "localhost" - http{} defaults
#   8443 "sni"       - responder overridden to the stub on port 8082
#   8443 "resolver"  - ssl_ocsp on (whole chain), no responder and no
#                      resolver; int.crt's AIA URL names a host, so its
#                      status request is expected to fail
#   8444             - ssl_ocsp on (whole chain), responder on port 8081
#   8445             - responder on port 8082
#   8446             - ssl_ocsp_cache, so a fetched response is reused
#   8447             - trusts root.crt only (self-signed regression case)
#
# Two server key pairs (EC and RSA) are configured; session tickets are
# off and a shared cache is on, so resumption goes through the server-side
# cache.  The X-Verify header exposes $ssl_client_verify and
# $ssl_session_reused to the client; that is what the like() regexes
# below match on (SUCCESS, FAILED:..., and ":r" for a reused session).

$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_ciphers DEFAULT:ECCdraft;

    ssl_certificate_key ec.key;
    ssl_certificate ec.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;

    server {
        listen 127.0.0.1:8443 ssl;
        server_name localhost;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        server_name sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        server_name resolver;

        ssl_ocsp on;
    }

    server {
        listen 127.0.0.1:8444 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen 127.0.0.1:8445 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen 127.0.0.1:8446 ssl;
        server_name localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen 127.0.0.1:8447 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF
129 | |
# $d is the test directory and $p the port of the first OCSP stub.  Both
# are interpolated into the openssl config files here and, further below,
# unquoted into shell command lines: the test directory is assumed to
# contain no whitespace or shell metacharacters.
my $d = $t->testdir();
my $p = port(8081);

# Request template for all keys/CSRs: 2048-bit RSA unless a key is given
# explicitly, unencrypted private keys, no DN prompts.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# CA config for everything issued by int (and for int itself, see
# ca2.conf below).  The AIA extension points issued certificates at the
# stub responder on port 8081 by IP address, so no resolver is needed to
# fetch their status.  certindex/certserial form the CA database that
# `openssl ca -revoke` and `openssl ocsp -index` read later on.
$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
EOF
161 | |
# Variant of ca.conf used to issue int.crt only: its AIA URL names the
# responder by host name ("localhost") instead of by IP, so fetching the
# intermediate's status needs a resolver that nginx.conf does not
# provide.  The "resolver" server relies on this to trigger a failing
# status request.

$t->write_file('ca2.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://localhost:$p
EOF
184 |
# Self-signed root CA: certificate and key in one step.
for my $name (qw(root)) {
	my $cmd = join ' ', 'openssl req -x509 -new',
		"-config $d/openssl.conf -subj /CN=$name/",
		"-out $d/$name.crt -keyout $d/$name.key",
		">>$d/openssl.out 2>&1";
	system($cmd) == 0
		or die "Can't create certificate for $name: $!\n";
}

# Intermediate and RSA leaf: fresh keys plus CSRs, signed further below.
for my $name (qw(int end)) {
	my $cmd = join ' ', 'openssl req -new',
		"-config $d/openssl.conf -subj /CN=$name/",
		"-out $d/$name.csr -keyout $d/$name.key",
		">>$d/openssl.out 2>&1";
	system($cmd) == 0
		or die "Can't create certificate for $name: $!\n";
}

# EC leaf: a P-256 key first, then a CSR over it.
for my $name (qw(ec-end)) {
	my $keygen = join ' ',
		"openssl ecparam -genkey -out $d/$name.key -name prime256v1",
		">>$d/openssl.out 2>&1";
	system($keygen) == 0
		or die "Can't create EC param: $!\n";

	my $csr = join ' ', "openssl req -new -key $d/$name.key",
		"-config $d/openssl.conf -subj /CN=$name/",
		"-out $d/$name.csr",
		">>$d/openssl.out 2>&1";
	system($csr) == 0
		or die "Can't create certificate for $name: $!\n";
}

# CA database consumed by `openssl ca`: serials are hex and start at
# 0x1000, which the OCSP stub relies on when matching requests.
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');
214 | |
# Sign the CSRs.  Order matters: int must exist before it can sign the
# leaves, and the serials are handed out sequentially from certserial
# (int first).  int is issued under ca2.conf (host-name AIA URL), the
# leaves under ca.conf (IP AIA URL).
#
#   [ subject, CA config, issuer key/cert base name ]
my @signing = (
	[ 'int',    'ca2.conf', 'root' ],
	[ 'ec-end', 'ca.conf',  'int'  ],
	[ 'end',    'ca.conf',  'int'  ],
);

for my $entry (@signing) {
	my ($name, $conf, $issuer) = @$entry;

	my $cmd = join ' ', "openssl ca -batch -config $d/$conf",
		"-keyfile $d/$issuer.key -cert $d/$issuer.crt",
		"-subj /CN=$name/ -in $d/$name.csr -out $d/$name.crt",
		">>$d/openssl.out 2>&1";
	system($cmd) == 0
		or die "Can't sign certificate for $name: $!\n";
}
232 | |
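# RFC 6960, serialNumber: the stub responder (http_daemon) recognises which
# certificate a request is about by searching the decoded OCSP request for
# the DER encoding of the certificate's serial number.  Serials issued here
# start at 0x1000 (see certserial above), i.e. INTEGER tag 0x02, length
# 0x02, followed by the two-byte big-endian value.

# Turns "serial=HEX" as printed by `openssl x509 -serial -noout` into that
# DER byte string.  Dies when the text carries no serial or when the value
# does not fit in two bytes, because an undefined or truncated needle would
# silently make the stub match the wrong canned response.  Matching the
# full hex alphabet (rather than decimal digits only) keeps serials such
# as 0x100A intact.
sub _der_serial {
	my ($text) = @_;

	my ($hex) = $text =~ /serial=([0-9A-Fa-f]+)/
		or die "Can't parse certificate serial from '$text'\n";

	my $value = hex $hex;
	die "Certificate serial $hex does not fit in two bytes\n"
		if $value > 0xffff;

	return pack("n2", 0x0202, $value);
}

system("openssl x509 -in $d/int.crt -serial -noout "
	. ">>$d/serial_int 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for int: $!\n";

my $serial_int = _der_serial($t->read_file('serial_int'));

system("openssl x509 -in $d/end.crt -serial -noout "
	. ">>$d/serial 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for end: $!\n";

my $serial = _der_serial($t->read_file('serial'));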
247 | |
# Canned OCSP material for the two leaves.  The response for end.crt is
# signed by its issuer (int), as a real responder would.  The response
# for ec-end.crt is deliberately signed with the root key instead: root
# is not the issuer of ec-end, so nginx is expected to reject it
# ('root ca not trusted' below) until it is re-signed with int.
#
#   [ cert, request file, response file, response signer, message label ]
my @ocsp_material = (
	[ 'end',    'req',    'resp',    'int',  ''    ],
	[ 'ec-end', 'ec-req', 'ec-resp', 'root', 'EC ' ],
);

for my $entry (@ocsp_material) {
	my ($cert, $reqfile, $respfile, $signer, $label) = @$entry;

	system(join ' ', "openssl ocsp -issuer $d/int.crt -cert $d/$cert.crt",
		"-reqout $d/$reqfile.der >>$d/openssl.out 2>&1") == 0
		or die "Can't create ${label}OCSP request: $!\n";

	system(join ' ', "openssl ocsp -index $d/certindex -CA $d/int.crt",
		"-rsigner $d/$signer.crt -rkey $d/$signer.key",
		"-reqin $d/$reqfile.der -respout $d/$respfile.der -ndays 1",
		">>$d/openssl.out 2>&1") == 0
		or die "Can't create ${label}OCSP response: $!\n";
}
269 | |
# Trust store handed to nginx through ssl_client_certificate: the issuing
# intermediate followed by the root.
$t->write_file('trusted.crt',
	join('', map { $t->read_file("$_.crt") } qw(int root)));

# Server-side key pairs, one EC and one RSA, both configured in
# nginx.conf.  These are self-signed and independent of the client
# certificate chain above.
system(join ' ', "openssl ecparam -genkey -out $d/ec.key -name prime256v1",
	">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC pem: $!\n";
system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0
	or die "Can't create RSA pem: $!\n";

for my $name (qw(ec rsa)) {
	my $cmd = join ' ', "openssl req -x509 -new -key $d/$name.key",
		"-config $d/openssl.conf -subj /CN=$name/",
		"-out $d/$name.crt -keyout $d/$name.key",
		">>$d/openssl.out 2>&1";
	system($cmd) == 0
		or die "Can't create certificate for $name: $!\n";
}
287 | |
# Two instances of the OCSP stub: 8081 is the AIA responder of every
# certificate issued under ca.conf and the only instance that ever
# reports "revoked"; 8082 is referenced explicitly via
# ssl_ocsp_responder and keeps serving the canned "good" responses.
for my $n (8081, 8082) {
	$t->run_daemon(\&http_daemon, $t, port($n));
}

# 14 = number of like() assertions below.
$t->run()->plan(14);

# Make sure both stubs accept connections before any handshake can
# trigger a status request.
for my $n (8081, 8082) {
	$t->waitforsocket("127.0.0.1:" . port($n));
}

# Protocol version negotiated by a bare handshake; get() uses it to
# decide whether RSA client certificates are requested as PSS (TLS 1.3).
my $version = get_version();
296 | |
297 ############################################################################### | |
298 | |
# Baseline: leaf-only OCSP (http{} default) with the canned "good"
# response for end.crt served by the stub on port 8081.

like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');

# demonstrate that ocsp int request is failed due to missing resolver:
# the "resolver" server checks the whole chain (ssl_ocsp on) but has no
# ssl_ocsp_responder and no resolver, and int.crt was issued under
# ca2.conf, whose AIA URL names "localhost" rather than an IP address.

like(get('RSA', 'end', sni => 'resolver'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed request');

# demonstrate that ocsp int request is actually made by failing ocsp
# response: port 8444 also checks the whole chain, via the stub on 8081.
# No int-resp.der exists yet, so the stub drops the request for int.crt
# (see http_daemon) and verification fails.

like(get('RSA', 'end', port => 8444),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed');

# now prepare valid ocsp int response, signed by root (the issuer of int)

system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
	. "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/root.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('RSA', 'end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');

# store into ssl_ocsp_cache: port 8446 caches the currently valid "good"
# response for end.crt, so that the lookup after revocation below is
# still answered from the cache.

like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');

# revoke end.crt in the CA index and produce revoked.der; from now on the
# stub on port 8081 (and only that one) serves it for end.crt, see
# http_daemon.

system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('RSA', 'end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');

# with different responder where it's still valid: the stub on 8082
# keeps serving resp.der, the earlier "good" response

like(get('RSA', 'end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');

# with different context to responder where it's still valid: same
# responder, selected by SNI name instead of by port

like(get('RSA', 'end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');

# with cached ocsp response it's still valid: port 8446 would fetch from
# 8081, which now answers "revoked", but the response stored by
# 'cache store' is still within its validity period (-ndays 1) and wins

like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');

# ocsp end response signed with invalid (root) cert, expect HTTP 400:
# ec-resp.der was signed with root.crt rather than the issuer int.crt

like(get('ECDSA', 'ec-end'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'root ca not trusted');

# now sign ocsp end response with valid int cert

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

like(get('ECDSA', 'ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');

# keep a session around so the next handshakes resume it; get() in list
# context hands back the (closed) socket and the SSL handle

my ($s, $ssl) = get('ECDSA', 'ec-end');
my $ses = Net::SSLeay::get_session($ssl);

# ":r" is $ssl_session_reused as exposed by the X-Verify header

like(get('ECDSA', 'ec-end', ses => $ses),
	qr/200 OK.*SUCCESS:r/s, 'session reused');

# revoke with saved session: ec-end.crt is revoked and ec-resp.der
# regenerated while the client still holds a resumable session.
# NOTE(review): the die message below names end.crt; it is ec-end.crt
# that is being revoked here.

system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

# reusing session with revoked certificate: resumption must not bypass
# the status check, and the reused session is still flagged with ":r"

like(get('ECDSA', 'ec-end', ses => $ses),
	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');

# regression test for self-signed: the client presents root itself, and
# port 8447 trusts root.crt only

like(get('RSA', 'root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
409 | |
410 ############################################################################### | |
411 | |
# Performs one HTTPS request with the given client certificate and returns
# what the server answered.
#
#   $type  - 'RSA' or 'ECDSA': which kind of client certificate the server
#            should ask for; on TLS 1.3 (version above 0x0303, i.e. above
#            TLS 1.2) RSA is expressed as the PSS signature algorithm
#   $cert  - base name of the client certificate/key pair in $d
#   %extra - passed on to get_ssl_socket (ses, sni, port); sni also
#            becomes the Host header
#
# In scalar context returns the raw HTTP reply, whose X-Verify header
# carries $ssl_client_verify and $ssl_session_reused for the tests to
# match on.  In list context returns the (already closed) socket and the
# SSL handle, e.g. to pull the session out of it.
sub get {
	my ($type, $cert, %extra) = @_;

	my $sigalg = ($type eq 'RSA' && $version > 0x0303) ? 'PSS' : $type;
	my ($s, $ssl) = get_ssl_socket($sigalg, $cert, %extra);
	Test::Nginx::log_core('||', "cipher: " . Net::SSLeay::get_cipher($ssl));

	# /serial is the serial file written into the test directory above,
	# presumably served as a static file, so a verified request is
	# expected to come back as 200 OK.
	my $host = $extra{sni} || 'localhost';
	Net::SSLeay::write($ssl, "GET /serial HTTP/1.0\nHost: $host\n\n");
	my $reply = Net::SSLeay::read($ssl);
	Test::Nginx::log_core($reply);
	$s->close();

	return wantarray() ? ($s, $ssl) : $reply;
}
426 | |
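# Opens a TCP connection to the given server port and completes a TLS
# handshake over it.
#
#   $type  - 'RSA', 'PSS' or 'ECDSA': restricts the signature algorithms
#            (or, on old libraries, the cipher list) so that the server
#            asks for a matching client certificate; undef keeps the
#            library defaults
#   $cert  - base name of the client certificate/key pair in $d, or
#            undef/'' to present none
#   %extra - ses: a session to resume; sni: server name to send;
#            port: server port (default 8443)
#
# Returns ($socket, $ssl).  Returns an empty list, after logging, when
# the TCP connection could not be established.  Dies when the SSL
# objects cannot be set up or the handshake fails.
sub get_ssl_socket {
	my ($type, $cert, %extra) = @_;
	my $ses = $extra{ses};
	my $sni = $extra{sni};
	my $port = $extra{port} || 8443;
	my $s;

	# Bound the connect with an alarm so a wedged listener fails the
	# test instead of hanging it; SIGPIPE is turned into a die likewise.
	eval {
		local $SIG{ALRM} = sub { die "timeout\n" };
		local $SIG{PIPE} = sub { die "sigpipe\n" };
		alarm(8);
		$s = IO::Socket::INET->new('127.0.0.1:' . port($port));
		alarm(0);
	};
	alarm(0);

	if ($@) {
		log_in("died: $@");
		return;
	}

	# IO::Socket::INET->new() returns undef rather than dying when the
	# connection is refused; without this check the undefined socket
	# reaches fileno()/set_fd() and the failure surfaces further down as
	# a misleading "ssl connect".
	if (!defined $s) {
		log_in("connect failed: $!");
		return;
	}

	my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");

	if (defined $type) {
		my $ssleay = Net::SSLeay::SSLeay();
		if ($ssleay < 0x1000200f || $ssleay == 0x20000000) {
			# OpenSSL before 1.0.2, and LibreSSL (reports
			# 0x20000000): select the certificate type through the
			# cipher list.
			Net::SSLeay::CTX_set_cipher_list($ctx, $type)
				or die("Failed to set cipher list");
		} else {
			# SSL_CTRL_SET_SIGALGS_LIST via its raw ctrl number:
			# advertise only signature algorithms of this key type.
			Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256')
				or die("Failed to set sigalgs");
		}
	}

	if ($cert) {
		Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
			or die("Failed to load client certificate $cert");
	}

	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
	Net::SSLeay::set_tlsext_host_name($ssl, $sni) if $sni;
	Net::SSLeay::set_fd($ssl, fileno($s));
	Net::SSLeay::connect($ssl) or die("ssl connect");

	return ($s, $ssl);
}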
471 | |
# Negotiates a bare handshake (no client certificate, no type
# restriction) and reports the protocol version the server picked.  The
# socket is released when $s goes out of scope.
sub get_version {
	my ($s, $ssl) = get_ssl_socket();
	my $negotiated = Net::SSLeay::version($ssl);
	return $negotiated;
}
476 | |
477 ############################################################################### | |
478 | |
# Minimal OCSP responder stub, run as a daemon on $port.  It is a test
# fixture, not a responder: it does not parse or validate the incoming
# OCSP request beyond looking for a pre-computed serial number, and
# serves whatever canned DER file is on disk.
#
# Each GET's path is percent-decoded and base64-decoded into the DER
# request (the RFC 6960 GET form); the request is then matched against the
# serials computed above to pick a response file:
#
#   int serial found  -> int-resp.der
#   end serial found  -> resp.der, or revoked.der on the port-8081
#                        instance once that file exists
#   otherwise         -> ec-resp.der
#
# A request whose response file is missing or empty is dropped without a
# reply.  $t is accepted for run_daemon() compatibility and unused.
sub http_daemon {
	my ($t, $port) = @_;

	my $listener = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:$port",
		Listen => 5,
		Reuse => 1
	)
		or die "Can't create listening socket: $!\n";

	local $SIG{PIPE} = 'IGNORE';

	CLIENT:
	while (my $client = $listener->accept()) {
		$client->autoflush(1);

		# Read up to and including the blank line ending the header.
		my $request_head = '';
		while (my $line = <$client>) {
			$request_head .= $line;
			last if $line =~ /^\x0d?\x0a?$/;
		}

		my ($encoded) = $request_head =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
		next CLIENT unless $encoded;

		$encoded =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
		my $ocsp_req = decode_base64($encoded);

		# index() > 0: the serial bytes never sit at offset 0 of a DER
		# request, which opens with a SEQUENCE tag.
		my $which;
		if (index($ocsp_req, $serial_int) > 0) {
			$which = 'int-resp';
		} elsif (index($ocsp_req, $serial) > 0) {
			# used to differentiate ssl_ocsp_responder
			$which = ($port == port(8081) && -e "$d/revoked.der")
				? 'revoked' : 'resp';
		} else {
			$which = 'ec-resp';
		}

		my $file = "$d/$which.der";
		next CLIENT unless -s $file;

		# ocsp dummy handler
		select undef, undef, undef, 0.02;

		# Slurp the response in binary mode; the handle closes with
		# the block.
		my $content = do {
			local $/;
			open my $fh, '<', $file or die "Can't open $which.der: $!";
			binmode $fh;
			<$fh>;
		};

		my $response = <<"EOF";
HTTP/1.1 200 OK
Connection: close
Content-Type: application/ocsp-response

EOF

		print $client $response . $content;
	}
}
548 | |
549 ############################################################################### |