Mercurial > hg > nginx-tests
comparison ssl_crl.t @ 1125:97a6cb846926
Tests: basic ssl_crl tests.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Mon, 06 Feb 2017 19:13:49 +0300 |
parents | |
children | 0af58b78df35 |
comparison
equal
deleted
inserted
replaced
1124:5b22e2014f76 | 1125:97a6cb846926 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for http ssl module, ssl_crl directive. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
16 | |
17 use lib 'lib'; | |
18 use Test::Nginx; | |
19 | |
20 ############################################################################### | |
21 | |
22 select STDERR; $| = 1; | |
23 select STDOUT; $| = 1; | |
24 | |
25 eval { require IO::Socket::SSL; }; | |
26 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
27 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; | |
28 plan(skip_all => 'IO::Socket::SSL too old') if $@; | |
29 | |
30 my $t = Test::Nginx->new()->has(qw/http http_ssl/) | |
31 ->has_daemon('openssl')->plan(3); | |
32 | |
33 $t->write_file_expand('nginx.conf', <<'EOF'); | |
34 | |
35 %%TEST_GLOBALS%% | |
36 | |
37 daemon off; | |
38 | |
39 events { | |
40 } | |
41 | |
42 http { | |
43 %%TEST_GLOBALS_HTTP%% | |
44 | |
45 ssl_certificate_key localhost.key; | |
46 ssl_certificate localhost.crt; | |
47 | |
48 ssl_verify_client on; | |
49 ssl_client_certificate int-root.crt; | |
50 | |
51 add_header X-Verify $ssl_client_verify always; | |
52 | |
53 server { | |
54 listen 127.0.0.1:8080 ssl; | |
55 server_name localhost; | |
56 | |
57 ssl_client_certificate root.crt; | |
58 ssl_crl empty.crl; | |
59 } | |
60 | |
61 server { | |
62 listen 127.0.0.1:8081 ssl; | |
63 server_name localhost; | |
64 | |
65 ssl_client_certificate root.crt; | |
66 ssl_crl root.crl; | |
67 } | |
68 | |
69 server { | |
70 listen 127.0.0.1:8082 ssl; | |
71 server_name localhost; | |
72 | |
73 ssl_verify_depth 2; | |
74 ssl_crl root.crl; | |
75 } | |
76 } | |
77 | |
78 EOF | |
79 | |
80 my $d = $t->testdir(); | |
81 | |
82 $t->write_file('openssl.conf', <<EOF); | |
83 [ req ] | |
84 default_bits = 1024 | |
85 encrypt_key = no | |
86 distinguished_name = req_distinguished_name | |
87 [ req_distinguished_name ] | |
88 EOF | |
89 | |
90 $t->write_file('ca.conf', <<EOF); | |
91 [ ca ] | |
92 default_ca = myca | |
93 | |
94 [ myca ] | |
95 new_certs_dir = $d | |
96 database = $d/certindex | |
97 default_md = sha1 | |
98 policy = myca_policy | |
99 serial = $d/certserial | |
100 default_days = 1 | |
101 | |
102 [ myca_policy ] | |
103 commonName = supplied | |
104 EOF | |
105 | |
106 foreach my $name ('root', 'localhost') { | |
107 system('openssl req -x509 -new ' | |
108 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
109 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
110 . ">>$d/openssl.out 2>&1") == 0 | |
111 or die "Can't create certificate for $name: $!\n"; | |
112 } | |
113 | |
114 foreach my $name ('int', 'end') { | |
115 system("openssl req -new " | |
116 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
117 . "-out '$d/$name.csr' -keyout '$d/$name.key' " | |
118 . ">>$d/openssl.out 2>&1") == 0 | |
119 or die "Can't create certificate for $name: $!\n"; | |
120 } | |
121 | |
122 $t->write_file('certserial', '1000'); | |
123 $t->write_file('certindex', ''); | |
124 | |
125 system("openssl ca -batch -config '$d/ca.conf' " | |
126 . "-keyfile '$d/root.key' -cert '$d/root.crt' " | |
127 . "-subj '/CN=int/' -in '$d/int.csr' -out '$d/int.crt' " | |
128 . ">>$d/openssl.out 2>&1") == 0 | |
129 or die "Can't sign certificate for int: $!\n"; | |
130 | |
131 system("openssl ca -batch -config '$d/ca.conf' " | |
132 . "-keyfile '$d/int.key' -cert '$d/int.crt' " | |
133 . "-subj '/CN=end/' -in '$d/end.csr' -out '$d/end.crt' " | |
134 . ">>$d/openssl.out 2>&1") == 0 | |
135 or die "Can't sign certificate for end: $!\n"; | |
136 | |
137 system("openssl ca -gencrl -config '$d/ca.conf' " | |
138 . "-keyfile '$d/root.key' -cert '$d/root.crt' " | |
139 . "-out '$d/empty.crl' -crldays 1 " | |
140 . ">>$d/openssl.out 2>&1") == 0 | |
141 or die "Can't create empty crl: $!\n"; | |
142 | |
143 system("openssl ca -config '$d/ca.conf' -revoke '$d/int.crt' " | |
144 . "-keyfile '$d/root.key' -cert '$d/root.crt' " | |
145 . ">>$d/openssl.out 2>&1") == 0 | |
146 or die "Can't revoke int.crt: $!\n"; | |
147 | |
148 system("openssl ca -gencrl -config '$d/ca.conf' " | |
149 . "-keyfile '$d/root.key' -cert '$d/root.crt' " | |
150 . "-out '$d/root.crl' -crldays 1 " | |
151 . ">>$d/openssl.out 2>&1") == 0 | |
152 or die "Can't update crl: $!\n"; | |
153 | |
154 $t->write_file('int-root.crt', | |
155 $t->read_file('int.crt') . $t->read_file('root.crt')); | |
156 | |
157 $t->write_file('t', ''); | |
158 $t->run(); | |
159 | |
160 ############################################################################### | |
161 | |
162 like(get(8080, 'int'), qr/SUCCESS/, 'crl - no revoked certs'); | |
163 like(get(8081, 'int'), qr/FAILED/, 'crl - client cert revoked'); | |
164 like(get(8082, 'end'), qr/FAILED/, 'crl - intermediate cert revoked'); | |
165 | |
166 ############################################################################### | |
167 | |
168 sub get { | |
169 my ($port, $cert) = @_; | |
170 my $s = get_ssl_socket($port, $cert) or return; | |
171 http_get('/t', socket => $s); | |
172 } | |
173 | |
174 sub get_ssl_socket { | |
175 my ($port, $cert) = @_; | |
176 my ($s); | |
177 | |
178 eval { | |
179 local $SIG{ALRM} = sub { die "timeout\n" }; | |
180 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
181 alarm(2); | |
182 $s = IO::Socket::SSL->new( | |
183 Proto => 'tcp', | |
184 PeerAddr => '127.0.0.1', | |
185 PeerPort => port($port), | |
186 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
187 SSL_cert_file => "$d/$cert.crt", | |
188 SSL_key_file => "$d/$cert.key", | |
189 SSL_error_trap => sub { die $_[1] } | |
190 ); | |
191 alarm(0); | |
192 }; | |
193 alarm(0); | |
194 | |
195 if ($@) { | |
196 log_in("died: $@"); | |
197 return undef; | |
198 } | |
199 | |
200 return $s; | |
201 } | |
202 | |
203 ############################################################################### |