ssl_certificates.t - nginx-tests - Git at Google

 #!/usr/bin/perl

 # (C) Sergey Kandaurov
 # (C) Nginx, Inc.

 # Tests for http ssl module with multiple certificates.

 ###############################################################################

 use warnings;
 use strict;

 use Test::More;

 BEGIN { use FindBin; chdir($FindBin::Bin); }

 use lib 'lib';
 use Test::Nginx;

 ###############################################################################

 select STDERR; $| = 1;
 select STDOUT; $| = 1;

 eval { require IO::Socket::SSL; };
 plan(skip_all => 'IO::Socket::SSL not installed') if $@;
 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
 plan(skip_all => 'IO::Socket::SSL too old') if $@;

 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl');

 $t->write_file_expand('nginx.conf', <<'EOF');

 %%TEST_GLOBALS%%

 daemon off;

 events {
 }

 http {
     %%TEST_GLOBALS_HTTP%%

     ssl_certificate_key rsa.key;
     ssl_certificate rsa.crt;
     ssl_ciphers DEFAULT:ECCdraft;

     server {
         listen       127.0.0.1:8080 ssl;
         server_name  localhost;

         ssl_certificate_key ec.key;
         ssl_certificate ec.crt;

         ssl_certificate_key rsa.key;
         ssl_certificate rsa.crt;

         ssl_certificate_key rsa.key;
         ssl_certificate rsa.crt;
     }
 }

 EOF

 $t->write_file('openssl.conf', <<EOF);
 [ req ]
 default_bits = 1024
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
 EOF

 my $d = $t->testdir();

 system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
 	. ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
 system("openssl genrsa -out $d/rsa.key 1024 >>$d/openssl.out 2>&1") == 0
         or die "Can't create RSA pem: $!\n";

 foreach my $name ('ec', 'rsa') {
 	system("openssl req -x509 -new -key $d/$name.key "
 		. "-config $d/openssl.conf -subj /CN=$name/ "
 		. "-out $d/$name.crt -keyout $d/$name.key "
 		. ">>$d/openssl.out 2>&1") == 0
 		or die "Can't create certificate for $name: $!\n";
 }

 $t->run()->plan(2);

 ###############################################################################

 like(get_cert('RSA'), qr/CN=rsa/, 'ssl cert RSA');
 like(get_cert('ECDSA'), qr/CN=ec/, 'ssl cert ECDSA');

 ###############################################################################

 sub get_cert {
 	my ($ciphers) = @_;
 	my $s;

 	eval {
 		local $SIG{ALRM} = sub { die "timeout\n" };
 		local $SIG{PIPE} = sub { die "sigpipe\n" };
 		alarm(2);
 		$s = IO::Socket::SSL->new(
 			Proto => 'tcp',
 			PeerAddr => '127.0.0.1',
 			PeerPort => port(8080),
 			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
 			SSL_cipher_list => $ciphers,
 			SSL_error_trap => sub { die $_[1] }
 		);
 		alarm(0);
 	};
 	alarm(0);

 	if ($@) {
 		log_in("died: $@");
 		return undef;
 	}

 	my $cipher = $s->get_cipher();

 	Test::Nginx::log_core('||', "cipher: $cipher");

 	return $s->dump_peer_certificate;
 }

 ###############################################################################
	#!/usr/bin/perl

	# (C) Sergey Kandaurov
	# (C) Nginx, Inc.

	# Tests for http ssl module with multiple certificates.

	###############################################################################

	use warnings;
	use strict;

	use Test::More;

	BEGIN { use FindBin; chdir($FindBin::Bin); }

	use lib 'lib';
	use Test::Nginx;

	###############################################################################

	select STDERR; $\| = 1;
	select STDOUT; $\| = 1;

	eval { require IO::Socket::SSL; };
	plan(skip_all => 'IO::Socket::SSL not installed') if $@;
	eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
	plan(skip_all => 'IO::Socket::SSL too old') if $@;

	my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl');

	$t->write_file_expand('nginx.conf', <<'EOF');

	%%TEST_GLOBALS%%

	daemon off;

	events {
	}

	http {
	%%TEST_GLOBALS_HTTP%%

	ssl_certificate_key rsa.key;
	ssl_certificate rsa.crt;
	ssl_ciphers DEFAULT:ECCdraft;

	server {
	listen 127.0.0.1:8080 ssl;
	server_name localhost;

	ssl_certificate_key ec.key;
	ssl_certificate ec.crt;

	ssl_certificate_key rsa.key;
	ssl_certificate rsa.crt;

	ssl_certificate_key rsa.key;
	ssl_certificate rsa.crt;
	}
	}

	EOF

	$t->write_file('openssl.conf', <<EOF);
	[ req ]
	default_bits = 1024
	encrypt_key = no
	distinguished_name = req_distinguished_name
	[ req_distinguished_name ]
	EOF

	my $d = $t->testdir();

	system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
	. ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
	system("openssl genrsa -out $d/rsa.key 1024 >>$d/openssl.out 2>&1") == 0
	or die "Can't create RSA pem: $!\n";

	foreach my $name ('ec', 'rsa') {
	system("openssl req -x509 -new -key $d/$name.key "
	. "-config $d/openssl.conf -subj /CN=$name/ "
	. "-out $d/$name.crt -keyout $d/$name.key "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create certificate for $name: $!\n";
	}

	$t->run()->plan(2);

	###############################################################################

	like(get_cert('RSA'), qr/CN=rsa/, 'ssl cert RSA');
	like(get_cert('ECDSA'), qr/CN=ec/, 'ssl cert ECDSA');

	###############################################################################

	sub get_cert {
	my ($ciphers) = @_;
	my $s;

	eval {
	local $SIG{ALRM} = sub { die "timeout\n" };
	local $SIG{PIPE} = sub { die "sigpipe\n" };
	alarm(2);
	$s = IO::Socket::SSL->new(
	Proto => 'tcp',
	PeerAddr => '127.0.0.1',
	PeerPort => port(8080),
	SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
	SSL_cipher_list => $ciphers,
	SSL_error_trap => sub { die $_[1] }
	);
	alarm(0);
	};
	alarm(0);

	if ($@) {
	log_in("died: $@");
	return undef;
	}

	my $cipher = $s->get_cipher();

	Test::Nginx::log_core('\|\|', "cipher: $cipher");

	return $s->dump_peer_certificate;
	}

	###############################################################################