[patch] regression test for httpd tls client authentication


[patch] regression test for httpd tls client authentication

Jack Burton
Adds a regression test for the tls client authentication diff from my
last post.

Index: tests/Client.pm
===================================================================
RCS file: /cvs/src/regress/usr.sbin/httpd/tests/Client.pm,v
retrieving revision 1.1
diff -u -p -r1.1 Client.pm
--- tests/Client.pm 16 Jul 2015 16:35:57 -0000 1.1
+++ tests/Client.pm 16 May 2018 08:04:54 -0000
@@ -59,6 +59,11 @@ sub child {
     PeerAddr => $self->{connectaddr},
     PeerPort => $self->{connectport},
     SSL_verify_mode => SSL_VERIFY_NONE,
+    SSL_use_cert => $self->{offertlscert} ? 1 : 0,
+    SSL_cert_file => $self->{offertlscert} ?
+ $self->{chroot}."/client.crt" : "",
+    SSL_key_file => $self->{offertlscert} ?
+ $self->{chroot}."/client.key" : "",
  ) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR";
  print STDERR "connect sock: ",$cs->sockhost()," ",$cs->sockport(),"\n";
  print STDERR "connect peer: ",$cs->peerhost()," ",$cs->peerport(),"\n";
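Review bot: The disabled branch passes `SSL_cert_file => ""` and `SSL_key_file => ""`, so the new options rely on IO::Socket::SSL treating an empty path as "no file" rather than trying to load it; building the list conditionally avoids the question and collapses the three ternaries on the same flag: `( $self->{offertlscert} ? ( SSL_use_cert => 1, SSL_cert_file => $self->{chroot}."/client.crt", SSL_key_file => $self->{chroot}."/client.key" ) : () ),`. A short comment tying the options to the Makefile rule would help the next reader, e.g. `# client.crt is signed by the regress CA, so httpd's "tls client ca" accepts it`. The client still connects with `SSL_verify_mode => SSL_VERIFY_NONE`, which is pre-existing behaviour and not changed by this hunk. sub child begins and ends outside the hunk.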
Index: tests/Httpd.pm
===================================================================
RCS file: /cvs/src/regress/usr.sbin/httpd/tests/Httpd.pm,v
retrieving revision 1.2
diff -u -p -r1.2 Httpd.pm
--- tests/Httpd.pm 30 Jan 2017 21:18:24 -0000 1.2
+++ tests/Httpd.pm 16 May 2018 08:04:54 -0000
@@ -72,6 +72,8 @@ sub new {
     print $fh "\n";
     print $fh "\ttls certificate \"".$args{chroot}."/server.crt\"\n";
     print $fh "\ttls key \"".$args{chroot}."/server.key\"";
+    $self->{verifytls}
+ and print $fh "\n\ttls client ca \"".$args{chroot}."/ca.crt\"";
  }
  print $fh "\n\troot \"/\"";
  print $fh "\n\tlog style combined";
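Review bot: The added `$self->{verifytls} and print ...` is the only statement in this config-writing block that uses low-precedence `and` as a conditional while its neighbours are plain `print` statements; a postfix `if` reads like the rest: `print $fh "\n\ttls client ca \"".$args{chroot}."/ca.crt\"" if $self->{verifytls};`. It also reads the flag from `$self` while the adjacent lines read `$args{chroot}`; if `$self` is populated from `%args` earlier in new (outside the hunk) the two are equivalent, otherwise `$args{verifytls}` would be the consistent source. sub new starts and ends outside the hunk.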
Index: tests/Makefile
===================================================================
RCS file: /cvs/src/regress/usr.sbin/httpd/tests/Makefile,v
retrieving revision 1.9
diff -u -p -r1.9 Makefile
--- tests/Makefile 10 Nov 2017 23:29:09 -0000 1.9
+++ tests/Makefile 16 May 2018 08:04:54 -0000
@@ -77,10 +77,16 @@ ca.crt:
 server.req:
  openssl req -batch -new -subj /L=OpenBSD/O=httpd-regress/OU=server/CN=localhost/ -nodes -newkey rsa -keyout server.key -out server.req
 
+client.req:
+ openssl req -batch -new -subj /L=OpenBSD/O=httpd-regress/OU=client/CN=localhost/ -nodes -newkey rsa -keyout client.key -out $@
+
 server.crt: ca.crt server.req
  openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in server.req -out server.crt
 
-${REGRESS_TARGETS:M*tls*} ${REGRESS_TARGETS:M*https*}: server.crt
+client.crt: ca.crt client.req
+ openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in client.req -out $@
+
+${REGRESS_TARGETS:M*tls*} ${REGRESS_TARGETS:M*https*}: server.crt client.crt
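Review bot: `client.key` is produced only as a side effect of the `client.req` rule, so a deleted key is not regenerated while `client.req` still exists; this mirrors the existing `server.req` rule, so it is a shared limitation rather than a new one. If the Makefile has a CLEANFILES list outside the hunk, `client.req client.key client.crt` presumably need adding next to the server entries so a clean run re-issues the client certificate. Both x509 rules pass `-CAcreateserial` against the same CA, which is fine because the serial file is only created when it does not yet exist.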
 
 # make perl syntax check for all args files
 
Index: tests/args-tls-verify.pl
===================================================================
RCS file: tests/args-tls-verify.pl
diff -N tests/args-tls-verify.pl
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ tests/args-tls-verify.pl 16 May 2018 08:04:54 -0000
@@ -0,0 +1,20 @@
+# test https connection, verifying client cert
+
+use strict;
+use warnings;
+
+our %args = (
+    client => {
+ tls => 1,
+ offertlscert => 1,
+ loggrep => 'Issuer.*/OU=ca/',
+    },
+    httpd => {
+ listentls => 1,
+ verifytls => 1,
+    },
+    len => 512,
+    md5 => path_md5("512")
+);
+
+1;
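Review bot: The new args file covers only the accepting path, a client offering a certificate signed by the regress CA against an httpd configured with `tls client ca`; there is no companion case in which httpd must reject the client. The `loggrep => 'Issuer.*/OU=ca/'` check is applied to the client log and would presumably match the client printing its own certificate as well as the server's, so it does not by itself show that httpd verified anything; a second args file with `verifytls => 1` and `offertlscert => 0` that expects the connection to fail would pin the rejecting path. `path_md5` is not declared in this file; under `use strict` that only compiles if the harness defines it before evaluating the args file, as the other args files presumably rely on. The header comment could state this, e.g. `# positive case only: client.crt is signed by the regress CA that httpd is told to trust`.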