Tests: adjusted http_headers_multi.t for $content_length changes.
The $content_length variable will no longer be available after the request
body has been discarded. As such, the relevant location is now proxied, so
the request body is not discarded.
1570 | 1 #!/usr/bin/perl |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for OCSP with client certificates. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 use MIME::Base64 qw/ decode_base64 /; | |
16 | |
17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
18 | |
19 use lib 'lib'; | |
20 use Test::Nginx qw/ :DEFAULT http_end /; |
1570 | 21 |
22 ############################################################################### | |
23 | |
# Unbuffer both output streams so that TAP output and diagnostics appear
# in the order they are produced.
select STDERR; $| = 1;
select STDOUT; $| = 1;

# Prerequisites: http/ssl/sni support in nginx, an SNI-capable client
# socket on the test side (socket_ssl_sni), and the "openssl" tool, which
# is used below to build a small CA and to craft OCSP requests/responses.
my $t = Test::Nginx->new()->has(qw/http http_ssl sni socket_ssl_sni/)
	->has_daemon('openssl');

# BoringSSL builds have no OCSP support, so there is nothing to verify.
plan(skip_all => 'no OCSP support in BoringSSL')
	if $t->has_module('BoringSSL');
1570 | 32 |
# nginx configuration under test.  Client certificate verification is on
# globally and ssl_ocsp is enabled in "leaf" mode, i.e. by default only the
# client's end-entity certificate is checked against OCSP; the individual
# virtual servers then vary one knob each:
#
#   8443 localhost  - leaf check; no ssl_ocsp_responder, so nginx falls
#                     back to the URL in the certificate's AIA extension
#                     (set in ca.conf below to the daemon on port 8081)
#   8443 sni        - same, but the responder is forced to port 8082
#   8443 resolver   - "ssl_ocsp on" checks the whole chain; int.crt's AIA
#                     URL uses a host name and no "resolver" is configured,
#                     so that check is expected to fail
#   8444            - whole chain, responder forced to port 8081
#   8445            - leaf, responder forced to port 8082
#   8446            - leaf, responses kept in ssl_ocsp_cache
#   8447            - leaf, trusts root.crt only (self-signed client cert)
#
# Every response carries X-Verify built from $ssl_client_verify and
# $ssl_session_reused ("always", so 400 replies have it too); that header
# is what the assertions below match on.  X-SSL-Protocol is read by
# test_tls13().
$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
    add_header X-SSL-Protocol $ssl_protocol always;

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  localhost;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  resolver;

        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8444 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8445 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8446 ssl;
        server_name  localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen       127.0.0.1:8447 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF
110 | |
my $d = $t->testdir();
my $p = port(8081);

# Request/self-signed certificate template.  encrypt_key = no means the
# private keys land unencrypted in the test directory, which is acceptable
# for throwaway test material only.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
x509_extensions = myca_extensions
[ req_distinguished_name ]
[ myca_extensions ]
basicConstraints = critical,CA:TRUE
EOF

# CA profile used when int signs the leaves (end, ec-end).  Issued
# certificates get an AIA OCSP URL pointing at the responder on port 8081;
# that URL is what nginx uses when no ssl_ocsp_responder is configured.
# The same extension section also stamps basicConstraints CA:TRUE on every
# issued certificate, leaves included -- a shortcut for this test, not
# something to copy into a real CA configuration.  The index file is
# shared with "openssl ocsp" and "openssl ca -revoke" below, so it doubles
# as the revocation database.
$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
EOF

# variant for int.crt to trigger missing resolver
#
# Identical to ca.conf except that the AIA URL names "localhost" instead of
# an IP literal.  The nginx configuration has no "resolver", so fetching
# int.crt's status through that URL cannot succeed; this is what the
# 'ocsp many failed request' assertion relies on.

$t->write_file('ca2.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://localhost:$p
EOF
168 |
# Key material: a self-signed root, an intermediate (int) and two leaves
# (end with an RSA key, ec-end with a prime256v1 key).  All openssl output
# is appended to openssl.out for post-mortem debugging.
foreach my $name ('root') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

foreach my $name ('int', 'end') {
	system("openssl req -new "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

foreach my $name ('ec-end') {
	system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create EC param: $!\n";
	system("openssl req -new -key $d/$name.key "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# CA state: next serial (the script later applies hex() to serials read
# back from openssl, so this is a hex value) and an empty index.
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

# int is signed by root with ca2.conf (host-name AIA URL, see above); both
# leaves are signed by int with ca.conf.
system("openssl ca -batch -config $d/ca2.conf "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for int: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for ec-end: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for end: $!\n";
216 | |
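# RFC 6960, serialNumber
#
# The dummy responder (http_daemon) tells requests apart by searching the
# decoded OCSP request for the DER encoding of the subject's serial number,
# so build that encoding here: INTEGER tag 0x02, length 0x02, then the
# serial as a 16-bit big-endian value.  openssl prints the serial as a hex
# string; certserial starts at 1000 and only three certificates are
# issued, so the value always fits in two bytes and contains only decimal
# digits, which is why /(\d+)/ is sufficient.
#
# A failed match used to leave the variable in the "my ... if COND" state,
# which is undefined behaviour in Perl and would only surface later as an
# index() warning inside the daemon; parse first and fail loudly instead.

system("openssl x509 -in $d/int.crt -serial -noout "
	. ">>$d/serial_int 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for int: $!\n";

my ($serial_int) = $t->read_file('serial_int') =~ /(\d+)/
	or die "Can't parse serial for int\n";
$serial_int = pack("n2", 0x0202, hex $serial_int);

system("openssl x509 -in $d/end.crt -serial -noout "
	. ">>$d/serial 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for end: $!\n";

my ($serial) = $t->read_file('serial') =~ /(\d+)/
	or die "Can't parse serial for end\n";
$serial = pack("n2", 0x0202, hex $serial);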
231 | |
# ocsp end
#
# Pre-build the OCSP responses the dummy responder will serve, each valid
# for one day.  The response for end.crt is signed by its issuer (int),
# the normal case.  The response for ec-end.crt is deliberately signed by
# root, which is trusted as a CA but is not ec-end's issuer; nginx is
# expected to reject it until it is re-signed later ('root ca not trusted'
# versus 'ocsp ecdsa').

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

# The trust store handed to ssl_client_certificate: intermediate plus root,
# so chains up to depth 2 can be built for the client certificates.
$t->write_file('trusted.crt',
	$t->read_file('int.crt') . $t->read_file('root.crt'));
256 | |
# server cert/key
#
# The server's own certificate is a separate self-signed one; it plays no
# part in the checks below, which are about the client certificate only.

foreach my $name ('rsa') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# Two instances of the dummy responder: 8081 is the one the AIA URLs point
# at (and the only one that ever answers "revoked", see http_daemon), 8082
# is the alternate responder selected via ssl_ocsp_responder.
$t->run_daemon(\&http_daemon, $t, port(8081));
$t->run_daemon(\&http_daemon, $t, port(8082));
$t->run()->plan(15);

$t->waitforsocket("127.0.0.1:" . port(8081));
$t->waitforsocket("127.0.0.1:" . port(8082));
273 | |
274 ############################################################################### | |
275 | |
# Leaf check against the responder named in the certificate (port 8081).
like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');

# demonstrate that ocsp int request is failed due to missing resolver
#
# The "resolver" server checks the whole chain.  int.crt's AIA URL names a
# host and the configuration has no resolver, so the intermediate's status
# cannot be fetched; the handshake must then be rejected rather than the
# intermediate being silently skipped.

like(get('end', sni => 'resolver'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed request');

# demonstrate that ocsp int request is actually made by failing ocsp response
#
# Port 8444 also checks the whole chain, via the responder on 8081.  No
# response for int.crt exists yet (int-resp.der is only built below), so
# the daemon closes the connection without answering and the check fails.

like(get('end', port => 8444),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed');

# now prepare valid ocsp int response
# (signed by root, the issuer of int.crt)

system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
	. "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/root.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');

# store into ssl_ocsp_cache
#
# The "good" response for end.crt obtained here is what port 8446 keeps
# serving from its cache after the revocation below.

like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');

# revoke
#
# Mark end.crt revoked in the CA index and rebuild its response as
# revoked.der.  The responder on 8081 switches to that file as soon as it
# exists; the one on 8082 keeps answering with the old "good" resp.der.

system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');

# with different responder where it's still valid

like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');

# with different context to responder where it's still valid

like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');

# with cached ocsp response it's still valid
#
# The entry stored by 'cache store' is used without asking the responder
# again, so a cache-backed server keeps accepting the revoked certificate
# for as long as the cached response is considered valid.  That is the
# expected trade-off of ssl_ocsp_cache and the reason cache lifetime should
# be kept bounded in deployments.

like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');

# ocsp end response signed with invalid (root) cert, expect HTTP 400
#
# ec-resp.der was signed by root rather than by ec-end's issuer (int).
# Even though root is a trusted CA here, a response from a key that is not
# the issuer's (and not delegated by it) must not be accepted.

like(get('ec-end'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'root ca not trusted');

# now sign ocsp end response with valid int cert

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
1570 | 354 |
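# Keep the socket so that its TLS session can be resumed by the next
# requests.  X-Verify carries $ssl_session_reused, so the ":r" in the
# patterns below confirms that resumption really took place rather than a
# fresh handshake being silently performed.
my $s = session('ec-end');

TODO: {
# Session resumption under TLSv1.3 needs recent enough client libraries and
# is reported as unavailable with LibreSSL; in those environments the
# checks are marked TODO instead of failing outright.
local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
	if $Net::SSLeay::VERSION < 1.88 && test_tls13();
local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') && test_tls13();

like(get('ec-end', ses => $s),
	qr/200 OK.*SUCCESS:r/s, 'session reused');

}

# revoke with saved session
#
# Revoke ec-end.crt and regenerate its response (now "revoked") while the
# client still holds a session established when it was good.

system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke ec-end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

# reusing session with revoked certificate
#
# The property under test: resuming a session must not bypass the status
# check.  The resumed handshake is expected to fail with the "revoked"
# verdict while still reporting the session as reused (":r").

TODO: {
local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
	if $Net::SSLeay::VERSION < 1.88 && test_tls13();
local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') && test_tls13();

like(get('ec-end', ses => $s),
	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');

}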
401 |
# regression test for self-signed
#
# Server 8447 trusts root.crt directly, so the self-signed root certificate
# is presented as the client certificate and there is a single certificate
# to check ('ocsp one').

like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');

# check for errors
#
# None of the above should have produced a [crit] entry in the error log.

my $error_log = $t->testdir() . '/error.log';
like(`grep -F '[crit]' $error_log`, qr/^$/s, 'no crit');
1570 | 409 |
410 ############################################################################### | |
411 | |
# Performs one TLS request with the given client certificate and returns
# whatever http_end() reads back from the connection; returns nothing when
# the connection could not be started.  All arguments go to get_socket().
sub get {
	my $sock = get_socket(@_);
	return unless $sock;
	return http_end($sock);
}
416 | |
# Like get(), but hands back the socket itself once the response has been
# consumed, so that its TLS session can be passed to a later get_socket()
# call via the "ses" option for a resumption test.
sub session {
	my $sock = get_socket(@_) or return;
	http_end($sock);
	return $sock;
}
422 |
# Opens a TLS connection to one of the test servers and sends a request on
# it without waiting for the reply (start => 1).
#
# $cert  - basename of the client certificate/key pair in the test dir, or
#          a false value to connect without a client certificate
# %extra - sni  => server name used for SNI and the Host header
#                  (default 'localhost')
#          port => symbolic test port (default 8443)
#          ses  => a socket returned by session() whose TLS session is
#                  offered for resumption
#
# Returns whatever http() returns for the started connection.  The request
# URI does not matter for the assertions, which only look at the status
# line and the X-Verify header nginx adds to every response.
sub get_socket {
	my ($cert, %extra) = @_;

	my $sni = 'localhost';
	$sni = $extra{sni} if $extra{sni};

	my $port = 8443;
	$port = $extra{port} if $extra{port};

	my @client_cert;
	if ($cert) {
		@client_cert = (
			SSL_cert_file => "$d/$cert.crt",
			SSL_key_file => "$d/$cert.key",
		);
	}

	my $request = "GET /serial HTTP/1.0\nHost: $sni\n\n";

	return http($request,
		start => 1,
		PeerAddr => '127.0.0.1:' . port($port),
		SSL => 1,
		SSL_hostname => $sni,
		SSL_session_cache_size => 100,
		SSL_reuse_ctx => $extra{ses},
		@client_cert,
	);
}
442 | |
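# Reports whether a plain TLS connection to the default server negotiates
# TLSv1.3, by reading the X-SSL-Protocol header nginx adds to every
# response.  Used to decide when the session-resumption checks are TODO.
# The dot in the version is escaped so the pattern matches the literal
# protocol name only.
sub test_tls13 {
	return http_get('/', SSL => 1) =~ /TLSv1\.3/;
}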
446 | |
447 ############################################################################### | |
448 | |
# Minimal OCSP responder used both as the ssl_ocsp_responder target and as
# the AIA URL baked into the client certificates.  It does not parse the
# OCSP request at all: the base64 request carried in the GET URI is decoded
# and searched for the DER-encoded serial of int.crt or end.crt, and a
# pre-built response file (int-resp.der, resp.der, revoked.der or
# ec-resp.der) is sent back verbatim.  Which of those files exists at the
# time of the request is what the main script manipulates between
# assertions.  A request for a file that is absent or empty is answered by
# simply closing the connection.
#
# $t    - the Test::Nginx instance (unused here; passed by run_daemon)
# $port - TCP port to listen on, bound to 127.0.0.1 only
sub http_daemon {
	my ($t, $port) = @_;

	my $listener = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:$port",
		Listen => 5,
		Reuse => 1
	) or die "Can't create listening socket: $!\n";

	# a client that disappears mid-write must not take the daemon down
	local $SIG{PIPE} = 'IGNORE';

	CLIENT: while (my $client = $listener->accept()) {
		$client->autoflush(1);

		# read the request head, echoing each line into the test log
		my $head = '';
		while (my $line = <$client>) {
			Test::Nginx::log_core('||', $line);
			$head .= $line;
			last if $line =~ /^\x0d?\x0a?$/;
		}

		my ($uri) = $head =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
		next CLIENT unless $uri;

		# GET-style OCSP: the request is URL-encoded base64 in the path
		$uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
		my $ocsp_req = decode_base64($uri);

		my $resp = 'ec-resp';
		if (index($ocsp_req, $serial_int) > 0) {
			$resp = 'int-resp';
		} elsif (index($ocsp_req, $serial) > 0) {
			# used to differentiate ssl_ocsp_responder: only the
			# instance on 8081 ever reports end.crt as revoked
			$resp = ($port == port(8081) && -e "$d/revoked.der")
				? 'revoked' : 'resp';
		}

		next CLIENT unless -s "$d/$resp.der";

		# ocsp dummy handler

		select undef, undef, undef, 0.02;

		my $reply = <<"EOF";
HTTP/1.1 200 OK
Connection: close
Content-Type: application/ocsp-response

EOF

		# slurp the DER response in binary mode (matters on win32)
		my $content = do {
			local $/;
			open my $fh, '<', "$d/$resp.der"
				or die "Can't open $resp.der: $!";
			binmode $fh;
			my $der = <$fh>;
			close $fh;
			$der;
		};

		print $client $reply . $content;
	}
}
519 | |
520 ############################################################################### |