annotate ssl_ocsp.t @ 1870:884e898b9fe7
Tests: unbreak stream_ssl_variables.t with old IO::Socket::SSL.
Do not clobber a stream object in test_tls13().
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 23 May 2023 16:30:01 +0400 |
parents | 0e1865aa9b33 |
children | 0b5ec15c62ed |
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for OCSP with client certificates.

###############################################################################

use warnings;
use strict;

use Test::More;

use MIME::Base64 qw/ decode_base64 /;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx qw/ :DEFAULT http_end /;

###############################################################################

# Unbuffer both output handles so diagnostics on STDERR interleave with the
# TAP stream on STDOUT.  STDOUT is left as the selected handle afterwards.
for my $handle (\*STDERR, \*STDOUT) {
	my $previous = select $handle;
	$| = 1;
	select $previous;
}

my $t = Test::Nginx->new()
	->has(qw/http http_ssl sni socket_ssl_sni/)
	->has_daemon('openssl');

# The whole file is skipped on BoringSSL (see the skip reason).
if ($t->has_module('BoringSSL')) {
	plan(skip_all => 'no OCSP support in BoringSSL');
}

# nginx.conf for the tests.  Client certificates are required and their
# status is checked via OCSP for every server (ssl_verify_client / ssl_ocsp
# at http level); the servers differ in responder, OCSP cache and trusted
# CA settings so that a test can select a behaviour by port or SNI name.
# The %%...%% placeholders are expanded by write_file_expand().
my $nginx_conf = <<'EOF';

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
    add_header X-SSL-Protocol $ssl_protocol always;

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  localhost;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  resolver;

        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8444 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8445 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8446 ssl;
        server_name  localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen       127.0.0.1:8447 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF

$t->write_file_expand('nginx.conf', $nginx_conf);

my $d = $t->testdir();
my $p = port(8081);

# Request template for the test PKI: unencrypted 2048-bit keys, with the
# subject supplied on the command line via -subj.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# Two CA configurations that differ only in the host of the OCSP responder
# advertised in authorityInfoAccess: ca.conf points at 127.0.0.1, while
# ca2.conf, the variant used for int.crt, points at "localhost" so that a
# server without a resolver cannot reach the responder.
for my $variant ([ 'ca.conf', '127.0.0.1' ], [ 'ca2.conf', 'localhost' ]) {
	my ($file, $host) = @$variant;

	$t->write_file($file, <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://${host}:$p
EOF
}

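# Run an openssl(1) command line through the shell and die with $msg when
# it exits non-zero.  The shell is needed for the output redirection, which
# defaults to appending both streams to openssl.out.  $d and the certificate
# names interpolated by callers are test-controlled, not external input.
# NOTE: $! is only meaningful when the command could not be started at all;
# it is reported anyway, as the rest of this file does.
sub run_openssl {
	my ($cmd, $msg, $redirect) = @_;
	$redirect = ">>$d/openssl.out 2>&1" unless defined $redirect;
	system("$cmd $redirect") == 0
		or die "$msg: $!\n";
}

# Return the serial number recorded in $file (output of "openssl x509
# -serial") as a DER INTEGER: tag 0x02, length 0x02 and the two-byte value,
# which is how it appears inside an OCSP request (RFC 6960, serialNumber)
# and is what http_daemon() searches for.  Returns undef when no serial can
# be parsed.  Serials here start at 0x1000 (see certserial below), so they
# fit in two bytes and consist of decimal digits only, which is all that
# /(\d+)/ captures.
sub der_serial {
	my ($file) = @_;
	my ($hex) = $t->read_file($file) =~ /(\d+)/
		or return;
	return pack("n2", 0x0202, hex $hex);
}

foreach my $name ('root') {
	run_openssl("openssl req -x509 -new -config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key",
		"Can't create certificate for $name");
}

foreach my $name ('int', 'end') {
	run_openssl("openssl req -new -config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr -keyout $d/$name.key",
		"Can't create certificate for $name");
}

foreach my $name ('ec-end') {
	run_openssl("openssl ecparam -genkey -out $d/$name.key -name prime256v1",
		"Can't create EC param");
	run_openssl("openssl req -new -key $d/$name.key "
		. "-config $d/openssl.conf -subj /CN=$name/ -out $d/$name.csr",
		"Can't create certificate for $name");
}

$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

# int.crt is issued with ca2.conf (the "localhost" responder variant used
# to trigger the missing-resolver case); end.crt and ec-end.crt are issued
# by int with ca.conf.
run_openssl("openssl ca -batch -config $d/ca2.conf "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt",
	"Can't sign certificate for int");

run_openssl("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt",
	"Can't sign certificate for ec-end");

run_openssl("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt",
	"Can't sign certificate for end");

# RFC 6960, serialNumber

run_openssl("openssl x509 -in $d/int.crt -serial -noout",
	"Can't obtain serial for int",
	">>$d/serial_int 2>>$d/openssl.out");

my $serial_int = der_serial('serial_int');

run_openssl("openssl x509 -in $d/end.crt -serial -noout",
	"Can't obtain serial for end",
	">>$d/serial 2>>$d/openssl.out");

my $serial = der_serial('serial');

# ocsp end

run_openssl("openssl ocsp -issuer $d/int.crt -cert $d/end.crt -reqout $d/req.der",
	"Can't create OCSP request");

run_openssl("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/resp.der -ndays 1",
	"Can't create OCSP response");

run_openssl("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der",
	"Can't create EC OCSP request");

# Deliberately signed by root rather than the issuing CA (int): the tests
# expect nginx to reject this response until it is re-signed with int.
run_openssl("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1",
	"Can't create EC OCSP response");

$t->write_file('trusted.crt',
	$t->read_file('int.crt') . $t->read_file('root.crt'));
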
# server cert/key

# Self-signed RSA certificate used by all server{} blocks (see nginx.conf).
for my $name ('rsa') {
	my $cmd = "openssl req -x509 -new -config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key >>$d/openssl.out 2>&1";
	system($cmd) == 0
		or die "Can't create certificate for $name: $!\n";
}

# Dummy OCSP responders.  The one on 8081 additionally serves the revoked
# response once revoked.der exists (see http_daemon).
for my $responder (8081, 8082) {
	$t->run_daemon(\&http_daemon, $t, port($responder));
}

$t->run()->plan(15);

for my $responder (8081, 8082) {
	$t->waitforsocket("127.0.0.1:" . port($responder));
}

###############################################################################

# Each get() presents the named client certificate; the X-Verify header in
# the response carries $ssl_client_verify and $ssl_session_reused.

like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');

# demonstrate that ocsp int request is failed due to missing resolver
#
# The "resolver" server has ssl_ocsp on but no resolver, so the "localhost"
# responder advertised in int.crt cannot be looked up.

my $failed = qr/400 Bad.*FAILED:certificate status request failed/s;

like(get('end', sni => 'resolver'), $failed, 'ocsp many failed request');

# demonstrate that ocsp int request is actually made by failing ocsp response
#
# On port 8444 the int request reaches the responder, but int-resp.der does
# not exist yet, so http_daemon() drops the connection without an answer.

like(get('end', port => 8444), $failed, 'ocsp many failed');

# now prepare valid ocsp int response

if (system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
	. "-reqout $d/int-req.der >>$d/openssl.out 2>&1") != 0)
{
	die "Can't create OCSP request: $!\n";
}

if (system("openssl ocsp -index $d/certindex -CA $d/root.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") != 0)
{
	die "Can't create OCSP response: $!\n";
}

# With int-resp.der in place the full-chain check on port 8444 succeeds.

my $ok = qr/200 OK.*SUCCESS/s;

like(get('end', port => 8444), $ok, 'ocsp many');

# store into ssl_ocsp_cache (port 8446 is the only server configured with one)

like(get('end', port => 8446), $ok, 'cache store');

# revoke

if (system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") != 0)
{
	die "Can't revoke end.crt: $!\n";
}

if (system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") != 0)
{
	die "Can't create OCSP request: $!\n";
}

# The "revoked" status goes to revoked.der, which only the responder on
# port 8081 serves; the one on 8082 keeps answering with resp.der.

if (system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") != 0)
{
	die "Can't create OCSP response: $!\n";
}

my $revoked = get('end');
like($revoked, qr{400 Bad.*FAILED:certificate revoked}s, 'revoked');

# with different responder where it's still valid
#
# Port 8445 asks the responder on 8082, which never serves revoked.der.

like(get('end', port => 8445), qr{200 OK.*SUCCESS}s, 'ocsp responder');

# with different context to responder where it's still valid

like(get('end', sni => 'sni'), qr{200 OK.*SUCCESS}s, 'ocsp context');

# with cached ocsp response it's still valid
#
# The "good" response stored earlier on port 8446 is expected to be
# answered from ssl_ocsp_cache rather than fetched again.

like(get('end', port => 8446), qr{200 OK.*SUCCESS}s, 'cache lookup');

# ocsp end response signed with invalid (root) cert, expect HTTP 400

like(get('ec-end'),
	qr{400 Bad.*FAILED:certificate status request failed}s,
	'root ca not trusted');

# now sign ocsp end response with valid int cert

if (system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") != 0)
{
	die "Can't create EC OCSP response: $!\n";
}

like(get('ec-end'), qr{200 OK.*SUCCESS}s, 'ocsp ecdsa');

# Establish a session with the (still valid) ec-end certificate so that it
# can be resumed by the checks below.
my $s = session('ec-end');

TODO: {
	# The TODO reasons record where TLSv1.3 session resumption is known to
	# be unavailable; test_tls13() is only consulted when the version or
	# library check in front of it already matched.
	local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
		if $Net::SSLeay::VERSION < 1.88 && test_tls13();
	local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
		if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
	local $TODO = 'no TLSv1.3 sessions in LibreSSL'
		if $t->has_module('LibreSSL') && test_tls13();

	# In X-Verify the value after the colon is $ssl_session_reused.
	my $resumed = get('ec-end', ses => $s);
	like($resumed, qr/200 OK.*SUCCESS:r/s, 'session reused');
}

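# revoke with saved session

if (system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") != 0)
{
	# message names the certificate actually revoked (was "end.crt")
	die "Can't revoke ec-end.crt: $!\n";
}

if (system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") != 0)
{
	die "Can't create OCSP request: $!\n";
}

# Overwrite ec-resp.der with the "revoked" answer; http_daemon() serves it
# from both responder ports.

if (system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") != 0)
{
	die "Can't create OCSP response: $!\n";
}

# reusing session with revoked certificate
#
# The certificate status must be re-checked even though the session, and
# with it the earlier verification result, is resumed.

TODO: {
	local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
		if $Net::SSLeay::VERSION < 1.88 && test_tls13();
	local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
		if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
	local $TODO = 'no TLSv1.3 sessions in LibreSSL'
		if $t->has_module('LibreSSL') && test_tls13();

	like(get('ec-end', ses => $s),
		qr/400 Bad.*FAILED:certificate revoked:r/s,
		'session reused - revoked');
}
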
# regression test for self-signed
#
# The self-signed root.crt is presented as the client certificate; port
# 8447 trusts root.crt directly.

like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');

# check for errors

my $testdir = $t->testdir();
like(`grep -F '[crit]' $testdir/error.log`, qr/^$/s, 'no crit');

###############################################################################

# Perform one request with the client certificate and options given (see
# get_socket()) and return the complete HTTP response, or nothing when the
# connection could not be established.
sub get {
	my $s = get_socket(@_)
		or return;
	return http_end($s);
}

# Like get(), but return the socket itself after the response has been
# read, so that it can be handed back as the "ses" option of get_socket()
# (SSL_reuse_ctx) to resume its TLS session.  Returns nothing when the
# connection could not be established.
sub session {
	my $s = get_socket(@_)
		or return;
	http_end($s);
	return $s;
}

# Open a TLS connection to nginx and send "GET /serial".
#
# $cert  - base name of the client certificate/key pair in the test
#          directory ($d/$cert.crt, $d/$cert.key); a false value sends no
#          client certificate.
# %extra - ses  => socket whose TLS session to reuse (SSL_reuse_ctx),
#          sni  => server name used for SNI and the Host header
#                  (default "localhost"),
#          port => logical port passed to port() (default 8443).
#
# Returns the value of http() called with start => 1; presumably the
# connected socket, since callers pass it on to http_end().
sub get_socket {
	my ($cert, %extra) = @_;

	my $ses = $extra{ses};
	my $sni = $extra{sni} || 'localhost';
	my $port = $extra{port} || 8443;

	my @client_cert = $cert
		? (SSL_cert_file => "$d/$cert.crt", SSL_key_file => "$d/$cert.key")
		: ();

	return http("GET /serial HTTP/1.0\nHost: $sni\n\n",
		start => 1,
		PeerAddr => '127.0.0.1:' . port($port),
		SSL => 1,
		SSL_hostname => $sni,
		SSL_session_cache_size => 100,
		SSL_reuse_ctx => $ses,
		@client_cert
	);
}

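# Return true when a plain TLS connection to nginx negotiates TLSv1.3,
# presumably reported through the X-SSL-Protocol header that nginx.conf
# adds to every response.  Each call opens a new connection.  The "." in
# the protocol name is escaped so only the literal "TLSv1.3" matches.
sub test_tls13 {
	return http_get('/', SSL => 1) =~ /TLSv1\.3/;
}

###############################################################################
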
# Minimal OCSP responder used as ssl_ocsp_responder by the tests.
#
# $t    - the Test::Nginx object (passed in but not used here)
# $port - TCP port to listen on at 127.0.0.1
#
# The request target is expected to carry the OCSP request URL-encoded and
# base64-encoded (the OCSP-over-HTTP GET form); the request method itself
# is not checked.  The decoded request is searched for the DER-encoded
# serial numbers prepared at file scope ($serial_int, $serial) to pick one
# of the canned responses int-resp.der, resp.der, revoked.der or ec-resp.der
# from the test directory.  A request without a recognisable URI, or whose
# response file is missing or empty, is dropped by closing the connection
# without an answer.  Serves connections until the daemon is killed.
sub http_daemon {
	my ($t, $port) = @_;

	my $listener = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:$port",
		Listen => 5,
		Reuse => 1
	)
		or die "Can't create listening socket: $!\n";

	# A client going away mid-write must not take the daemon down.
	local $SIG{PIPE} = 'IGNORE';

	CLIENT:
	while (my $conn = $listener->accept()) {
		$conn->autoflush(1);

		# Read the request head up to the empty line, echoing it to the
		# test log.
		my $request = '';
		while (my $line = <$conn>) {
			Test::Nginx::log_core('||', $line);
			$request .= $line;
			last if $line =~ /^\x0d?\x0a?$/;
		}

		my ($uri) = $request =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
		next CLIENT unless $uri;

		# Undo percent-encoding, then base64, to get the raw OCSP request.
		$uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
		my $ocsp_req = decode_base64($uri);

		my $resp;
		if (index($ocsp_req, $serial_int) > 0) {
			$resp = 'int-resp';
		}
		elsif (index($ocsp_req, $serial) > 0) {
			$resp = 'resp';

			# used to differentiate ssl_ocsp_responder: only the responder
			# on port 8081 reports end.crt as revoked, and only once the
			# test has produced revoked.der
			if ($port == port(8081) && -e "$d/revoked.der") {
				$resp = 'revoked';
			}
		}
		else {
			$resp = 'ec-resp';
		}

		next CLIENT unless -s "$d/$resp.der";

		# ocsp dummy handler: short pause before answering
		select undef, undef, undef, 0.02;

		my $head = <<"EOF";
HTTP/1.1 200 OK
Connection: close
Content-Type: application/ocsp-response

EOF

		# Slurp the DER response as raw bytes; $/ is restored when this
		# iteration's scope ends.
		local $/;
		open my $fh, '<', "$d/$resp.der"
			or die "Can't open $resp.der: $!";
		binmode $fh;
		my $body = <$fh>;
		close $fh;

		print $conn $head . $body;
	}
}

###############################################################################