forked from nginx/nginx-tests
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathssl_certificates.t
124 lines (89 loc) · 2.83 KB
/
ssl_certificates.t
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
#!/usr/bin/perl
# (C) Sergey Kandaurov
# (C) Nginx, Inc.
# Tests for http ssl module with multiple certificates.
###############################################################################
use warnings;
use strict;
use Test::More;
BEGIN { use FindBin; chdir($FindBin::Bin); }
use lib 'lib';
use Test::Nginx;
###############################################################################
select STDERR; $| = 1;
select STDOUT; $| = 1;
my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/)
->has_daemon('openssl');
plan(skip_all => 'no multiple certificates') if $t->has_module('BoringSSL');
$t->write_file_expand('nginx.conf', <<'EOF');
%%TEST_GLOBALS%%
daemon off;
events {
}
http {
%%TEST_GLOBALS_HTTP%%
ssl_certificate_key rsa.key;
ssl_certificate rsa.crt;
ssl_ciphers DEFAULT:ECCdraft;
server {
listen 127.0.0.1:8443 ssl;
server_name localhost;
ssl_certificate_key ec.key;
ssl_certificate ec.crt;
ssl_certificate_key rsa.key;
ssl_certificate rsa.crt;
ssl_certificate_key rsa.key;
ssl_certificate rsa.crt;
}
}
EOF
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF
my $d = $t->testdir();
system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
. ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0
or die "Can't create RSA pem: $!\n";
foreach my $name ('ec', 'rsa') {
system("openssl req -x509 -new -key $d/$name.key "
. "-config $d/openssl.conf -subj /CN=$name/ "
. "-out $d/$name.crt -keyout $d/$name.key "
. ">>$d/openssl.out 2>&1") == 0
or die "Can't create certificate for $name: $!\n";
}
$t->run()->plan(2);
###############################################################################
like(cert('RSA'), qr/CN=rsa/, 'ssl cert RSA');
like(cert('ECDSA'), qr/CN=ec/, 'ssl cert ECDSA');
###############################################################################
sub cert {
my $s = get_socket(@_) || return;
return $s->dump_peer_certificate();
}
sub get_socket {
my ($type) = @_;
my $ctx_cb = sub {
my $ctx = shift;
return unless defined $type;
my $ssleay = Net::SSLeay::SSLeay();
return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
my @sigalgs = ('RSA+SHA256:PSS+SHA256', 'RSA+SHA256');
@sigalgs = ($type . '+SHA256') unless $type eq 'RSA';
# SSL_CTRL_SET_SIGALGS_LIST
Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[0])
or Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[1])
or die("Failed to set sigalgs");
};
return http(
'', start => 1,
SSL => 1,
SSL_cipher_list => $type,
SSL_create_ctx_callback => $ctx_cb
);
}
###############################################################################