annotate ssl_stapling.t @ 1332:fe60c3959069
Tests: adjusted binary_upgrade.t for instrumented binaries.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Mon, 04 Jun 2018 14:48:21 +0300 |
parents | b82ed2061f65 |
children | 73a9504ae6fd |
1 #!/usr/bin/perl |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for OCSP stapling. |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 use MIME::Base64 qw/ decode_base64 /; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 use Test::Nginx; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
27 eval { require IO::Socket::SSL; }; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
28 plan(skip_all => 'IO::Socket::SSL not installed') if $@; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 eval { IO::Socket::SSL->can_ocsp() or die; }; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
30 plan(skip_all => 'IO::Socket::SSL with OCSP support required') if $@; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
31 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
32 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl') |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 ->plan(9)->write_file_expand('nginx.conf', <<'EOF'); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
34 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 %%TEST_GLOBALS%% |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 daemon off; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 events { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 http { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 %%TEST_GLOBALS_HTTP%% |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 ssl_stapling on; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 ssl_trusted_certificate trusted.crt; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 ssl_certificate ec-end-int.crt; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 ssl_certificate_key ec-end.key; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 ssl_certificate end-int.crt; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 ssl_certificate_key end.key; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 server { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 listen 127.0.0.1:8443 ssl; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 listen 127.0.0.1:8080; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 server_name localhost; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
59 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
60 server { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
61 listen 127.0.0.1:8444 ssl; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 server_name localhost; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
63 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 ssl_stapling_responder http://127.0.0.1:8081/; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 server { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 listen 127.0.0.1:8445 ssl; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 server_name localhost; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 ssl_stapling_verify on; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 server { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 listen 127.0.0.1:8446 ssl; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 server_name localhost; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 ssl_certificate ec-end.crt; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 ssl_certificate_key ec-end.key; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 server { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 listen 127.0.0.1:8447 ssl; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 server_name localhost; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 ssl_certificate end-int.crt; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 ssl_certificate_key end.key; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 ssl_stapling_file %%TESTDIR%%/resp.der; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
92 server { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 listen 127.0.0.1:8448 ssl; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 server_name localhost; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
96 ssl_certificate ec-end-int.crt; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 ssl_certificate_key ec-end.key; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 ssl_stapling_file %%TESTDIR%%/ec-resp.der; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
100 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 server { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 listen 127.0.0.1:8449 ssl; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 server_name localhost; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 ssl_stapling_responder http://127.0.0.1:8080/; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
107 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
108 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 EOF |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
111 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 my $d = $t->testdir(); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 my $p = port(8081); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 $t->write_file('openssl.conf', <<EOF); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 [ req ] |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 default_bits = 1024 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 encrypt_key = no |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 distinguished_name = req_distinguished_name |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 [ req_distinguished_name ] |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 EOF |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 $t->write_file('ca.conf', <<EOF); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
124 [ ca ] |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
125 default_ca = myca |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
126 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
127 [ myca ] |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
128 new_certs_dir = $d |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 database = $d/certindex |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
130 default_md = sha1 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
131 policy = myca_policy |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
132 serial = $d/certserial |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 default_days = 1 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 x509_extensions = myca_extensions |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
136 [ myca_policy ] |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
137 commonName = supplied |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 [ myca_extensions ] |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 basicConstraints = critical,CA:TRUE |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
141 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 EOF |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 foreach my $name ('root') { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
145 system('openssl req -x509 -new ' |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
146 . "-config $d/openssl.conf -subj /CN=$name/ " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
147 . "-out $d/$name.crt -keyout $d/$name.key " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
148 . ">>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
149 or die "Can't create certificate for $name: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
150 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
151 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
152 foreach my $name ('int', 'end') { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
153 system("openssl req -new " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
154 . "-config $d/openssl.conf -subj /CN=$name/ " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
155 . "-out $d/$name.csr -keyout $d/$name.key " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
156 . ">>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
157 or die "Can't create certificate for $name: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
158 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
159 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
160 foreach my $name ('ec-end') { |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
161 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
162 . ">>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
163 or die "Can't create EC param: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
164 system("openssl req -new -key $d/$name.key " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
165 . "-config $d/openssl.conf -subj /CN=$name/ " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
166 . "-out $d/$name.csr " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
167 . ">>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
168 or die "Can't create certificate for $name: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
169 } |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
170 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
171 $t->write_file('certserial', '1000'); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
172 $t->write_file('certindex', ''); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
174 system("openssl ca -batch -config $d/ca.conf " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
175 . "-keyfile $d/root.key -cert $d/root.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
176 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
177 . ">>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
178 or die "Can't sign certificate for int: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
179 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
180 system("openssl ca -batch -config $d/ca.conf " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
181 . "-keyfile $d/int.key -cert $d/int.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
182 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
183 . ">>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
184 or die "Can't sign certificate for ec-end: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
185 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
186 system("openssl ca -batch -config $d/ca.conf " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
187 . "-keyfile $d/int.key -cert $d/int.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
188 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
189 . ">>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
190 or die "Can't sign certificate for end: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
191 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
192 # RFC 6960, serialNumber |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
193 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
194 system("openssl x509 -in $d/end.crt -serial -noout " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
195 . ">>$d/serial 2>>$d/openssl.out") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
196 or die "Can't obtain serial for end: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
197 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
198 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
199 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
200 system("openssl ca -config $d/ca.conf -revoke $d/end.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
201 . "-keyfile $d/root.key -cert $d/root.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
202 . ">>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
203 or die "Can't revoke end.crt: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
204 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
205 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
206 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
207 or die "Can't create OCSP request: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
208 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
209 system("openssl ocsp -index $d/certindex -CA $d/int.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
210 . "-rsigner $d/root.crt -rkey $d/root.key " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
211 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
212 . ">>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
213 or die "Can't create OCSP response: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
214 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
215 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
216 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
217 or die "Can't create EC OCSP request: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
218 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
219 system("openssl ocsp -index $d/certindex -CA $d/int.crt " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
220 . "-rsigner $d/root.crt -rkey $d/root.key " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
221 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
222 . ">>$d/openssl.out 2>&1") == 0 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
223 or die "Can't create EC OCSP response: $!\n"; |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
224 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
225 $t->write_file('trusted.crt', |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
226 $t->read_file('int.crt') . $t->read_file('root.crt')); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
227 $t->write_file('end-int.crt', |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
228 $t->read_file('end.crt') . $t->read_file('int.crt')); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
229 $t->write_file('ec-end-int.crt', |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
230 $t->read_file('ec-end.crt') . $t->read_file('int.crt')); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
231 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
232 $t->run_daemon(\&http_daemon, $t); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
233 $t->run(); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
234 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
235 $t->waitforsocket("127.0.0.1:" . port(8081)); |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
236 |
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
237 ############################################################################### |
# Warm-up pass: one handshake per server/cipher so that nginx starts talking
# to the responder.  The return values are deliberately discarded.
# NOTE(review): presumably the staple is only available on a later handshake
# because nginx fetches the OCSP response asynchronously after the first
# one -- confirm against the stapling implementation.
staple(8443, 'RSA');
staple(8443, 'ECDSA');
staple(8444, 'RSA');
staple(8444, 'ECDSA');
staple(8445, 'ECDSA');
staple(8446, 'ECDSA');
staple(8449, 'ECDSA');

# Give the responder round trips (including the mock's 20 ms delay) time to
# finish before asserting on what gets stapled.
sleep 1;

# A response carrying a revoked status must not be stapled (RSA cert), while
# the good one (ECDSA cert) must be.  Note that ok() only asserts that *some*
# response was parsed; the exact '1 0' value is not pinned in these checks.
ok(!staple(8443, 'RSA'), 'staple revoked');
ok(staple(8443, 'ECDSA'), 'staple success');

# Same expectations for the server on 8444; the test names suggest this one
# has an explicitly configured responder (config is out of view).
ok(!staple(8444, 'RSA'), 'responder revoked');
ok(staple(8444, 'ECDSA'), 'responder success');

# A response that cannot be verified up to a trusted root is not stapled,
# even though its status would otherwise be acceptable.
ok(!staple(8445, 'ECDSA'), 'verify - root not trusted');

# The client is additionally handed the intermediate as its CA file here;
# the test name suggests nginx resolves the issuer from its cert store.
ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store');

# Pre-built responses (presumably ssl_stapling_file): the exact staple is
# pinned, and no warm-up pass was needed for these ports.  Note that the
# first one staples a *revoked* status (statusType 1) verbatim -- with a
# static file there is no status check or refresh, so whoever provides the
# file is responsible for its validity and freshness.
is(staple(8447, 'RSA'), '1 1', 'file revoked');
is(staple(8448, 'ECDSA'), '1 0', 'file success');

# Responder failure: nothing is stapled at all.
ok(!staple(8449, 'ECDSA'), 'ocsp error');
264 ############################################################################### |
# Perform one TLS handshake against nginx on $port, requesting a stapled
# OCSP response, and report what was stapled.
#
#   $port    - test port key, resolved through port()
#   $ciphers - cipher list; 'RSA' or 'ECDSA' selects which server
#              certificate nginx presents
#   $ca      - optional CA file handed to the client (may be undef)
#
# Returns undef when the connection failed, timed out or died; the empty
# string when the handshake completed without a staple (!!undef is '');
# "1 <statusType>" when a staple was received, statusType following
# OpenSSL's V_OCSP_CERTSTATUS_* values (0 = good, 1 = revoked).
sub staple {
	my ($port, $ciphers, $ca) = @_;
	my (@resp);

	# Invoked by IO::Socket::SSL with the raw stapled response (or a false
	# value when none was sent).  Only the certificate status is extracted
	# here; this callback does not itself verify the responder signature.
	my $staple_cb = sub {
		my ($ssl, $resp) = @_;
		push @resp, !!$resp;
		return 1 unless $resp;
		my $obj = $ssl->_get_ssl_object;
		my $cert = Net::SSLeay::get_peer_certificate($obj);
		my $certid = eval { Net::SSLeay::OCSP_cert2ids($obj, $cert) }
			or do { die "no OCSP_CERTID for certificate: $@"; };

		# NOTE(review): if the response carries no entry for this cert id,
		# $res[0][2] is undef and this rvalue deref appears to autovivify
		# rather than die, so an undef status is pushed and the ok()
		# callers still see a truthy "1 " result -- only the is() callers
		# would catch that case.
		my @res = Net::SSLeay::OCSP_response_results($resp, $certid);
		push @resp, $res[0][2]->{'statusType'};
	};

	eval {
		# Bound the whole handshake; both signals are turned into a die
		# so that they surface through $@ below.
		local $SIG{ALRM} = sub { die "timeout\n" };
		local $SIG{PIPE} = sub { die "sigpipe\n" };
		alarm(2);
		# The server certificate is intentionally not verified: this test
		# is about what nginx staples, not about the client's chain
		# validation.  SSL_error_trap makes SSL-level failures die too.
		IO::Socket::SSL->new(
			Proto => 'tcp',
			PeerAddr => '127.0.0.1',
			PeerPort => port($port),
			SSL_cipher_list => $ciphers,
			SSL_ca_file => $ca,
			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
			SSL_ocsp_mode => IO::Socket::SSL::SSL_OCSP_TRY_STAPLE(),
			SSL_ocsp_staple_callback => $staple_cb,
			SSL_error_trap => sub { die $_[1] }
		);
		alarm(0);
	};
	# Repeated on purpose: if the eval died before its own alarm(0), the
	# pending alarm would otherwise fire in the caller.
	alarm(0);

	if ($@) {
		log_in("died: $@");
		# Deliberately "return undef" rather than a bare "return": callers
		# pass the result straight into is()/ok() argument lists, where an
		# empty list would shift the following arguments.
		return undef;
	}

	return join ' ', @resp;
}
310 ############################################################################### |
# Minimal stand-in for an OCSP responder, run as a test daemon on port 8081.
#
# It understands only the GET form of an OCSP request, where the DER request
# is base64-encoded into the URL path.  No part of the request is validated:
# the canned 'resp.der' is returned when the request contains $serial (a
# file-level value, presumably the RSA certificate's serial number) and
# 'ec-resp.der' otherwise.  A request whose path is a bare "/" -- which is
# what an OCSP POST looks like -- gets no reply at all; the connection is
# simply closed.
#
#   $t - Test::Nginx object, used to read the canned responses
sub http_daemon {
	my $t = shift;

	my $listener = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:" . port(8081),
		Listen => 5,
		Reuse => 1
	) or die "Can't create listening socket: $!\n";

	# A client going away mid-reply must not kill the daemon.
	local $SIG{PIPE} = 'IGNORE';

	CLIENT:
	while (my $conn = $listener->accept()) {
		$conn->autoflush(1);

		# Collect the request head up to the first empty line.
		my $request = '';
		while (my $line = <$conn>) {
			$request .= $line;
			last if $line =~ /^\x0d?\x0a?$/;
		}

		# Everything after the leading "/" of the request target.
		next CLIENT unless $request =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
		my $path = $1;
		next CLIENT unless $path;

		# Undo the percent-encoding, then the base64 of the DER request.
		(my $encoded = $path) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
		my $ocsp_req = decode_base64($encoded);

		# Pick the canned response solely by whether the RSA serial shows
		# up in the request bytes; anything else is treated as the ECDSA
		# certificate.
		my $which = index($ocsp_req, $serial) > 0 ? 'resp' : 'ec-resp';

		# ocsp dummy handler

		# Short artificial delay before answering (20 ms).
		select undef, undef, undef, 0.02;

		my $head = join "\n",
			'HTTP/1.1 200 OK',
			'Connection: close',
			'Content-Type: application/ocsp-response',
			'',
			'';

		print $conn $head, $t->read_file("$which.der");
	}
}
357 ############################################################################### |