
Commit 82f2253

committed
tests: add unit tests for client certificate verification API
1 parent 978e012 commit 82f2253


2 files changed

+285
-2
lines changed


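--- a/t/ssl.t
+++ b/t/ssl.t
@@ -8,7 +8,7 @@ use t::TestCore;
 
 repeat_each(2);
 
-plan tests => repeat_each() * (blocks() * 6 + 1);
+plan tests => repeat_each() * 148;
 
 no_long_string();
 #no_diff();
@@ -2330,3 +2330,164 @@ got TLS1 version: TLSv1.3,
 [error]
 [alert]
 [emerg]
+
+
+
+=== TEST 23: verify client with CA certificates
+--- http_config
+lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
+
+server {
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+server_name test.com;
+ssl_certificate_by_lua_block {
+local ssl = require "ngx.ssl"
+
+local f = assert(io.open("t/cert/test.crt"))
+local cert_data = f:read("*a")
+f:close()
+
+local cert, err = ssl.parse_pem_cert(cert_data)
+if not cert then
+ngx.log(ngx.ERR, "failed to parse pem cert: ", err)
+return
+end
+
+local ok, err = ssl.verify_client(1, cert)
+if not ok then
+ngx.log(ngx.ERR, "failed to verify client: ", err)
+return
+end
+}
+
+ssl_certificate ../../cert/test.crt;
+ssl_certificate_key ../../cert/test.key;
+
+server_tokens off;
+location / {
+default_type 'text/plain';
+content_by_lua_block { ngx.say(ngx.var.ssl_client_verify) }
+more_clear_headers Date;
+}
+}
+--- config
+server_tokens off;
+lua_ssl_trusted_certificate ../../cert/test.crt;
+
+location /t {
+proxy_pass https://unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+proxy_ssl_certificate ../../cert/test.crt;
+proxy_ssl_certificate_key ../../cert/test.key;
+}
+
+--- request
+GET /t
+--- response_body
+SUCCESS
+
+--- error_log
+
+--- no_error_log
+[error]
+[alert]
+[emerg]
+
+
+
+=== TEST 24: verify client without CA certificates
+--- http_config
+lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
+
+server {
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+server_name test.com;
+ssl_certificate_by_lua_block {
+local ssl = require "ngx.ssl"
+
+local ok, err = ssl.verify_client(1, nil)
+if not ok then
+ngx.log(ngx.ERR, "failed to verify client: ", err)
+return
+end
+}
+
+ssl_certificate ../../cert/test.crt;
+ssl_certificate_key ../../cert/test.key;
+
+server_tokens off;
+location / {
+default_type 'text/plain';
+content_by_lua_block { ngx.say(ngx.var.ssl_client_verify) }
+more_clear_headers Date;
+}
+}
+--- config
+server_tokens off;
+lua_ssl_trusted_certificate ../../cert/test.crt;
+
+location /t {
+proxy_pass https://unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+proxy_ssl_certificate ../../cert/test.crt;
+proxy_ssl_certificate_key ../../cert/test.key;
+}
+
+--- request
+GET /t
+--- response_body
+FAILED:self signed certificate
+
+--- error_log
+
+--- no_error_log
+[error]
+[alert]
+[emerg]
+
+
+
+=== TEST 25: verify client but client provides no certificate
+--- http_config
+lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
+
+server {
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+server_name test.com;
+ssl_certificate_by_lua_block {
+local ssl = require "ngx.ssl"
+
+local ok, err = ssl.verify_client(1, nil)
+if not ok then
+ngx.log(ngx.ERR, "failed to verify client: ", err)
+return
+end
+}
+
+ssl_certificate ../../cert/test.crt;
+ssl_certificate_key ../../cert/test.key;
+
+server_tokens off;
+location / {
+default_type 'text/plain';
+content_by_lua_block { ngx.say(ngx.var.ssl_client_verify) }
+more_clear_headers Date;
+}
+}
+--- config
+server_tokens off;
+lua_ssl_trusted_certificate ../../cert/test.crt;
+
+location /t {
+proxy_pass https://unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+}
+
+--- request
+GET /t
+--- response_body
+NONE
+
+--- error_log
+
+--- no_error_log
+[error]
+[alert]
+[emerg]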
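Review bot: TEST 23 hands `ssl.verify_client` the same self-signed `t/cert/test.crt` that the proxy presents as its client certificate (`proxy_ssl_certificate ../../cert/test.crt;`), so `SUCCESS` only shows that a certificate validates against itself as trust anchor. None of the three blocks supplies a CA and then presents a client certificate that CA did not issue, which is the rejection path a verification API most needs pinned by a test. I would add a fourth block that keeps `ssl.verify_client(1, cert)` but sets `proxy_ssl_certificate ../../cert/test2.crt;` and `proxy_ssl_certificate_key ../../cert/test2.key;` (the pair used in t/stream/ssl.t) and checks for a `FAILED:` result with `--- response_body_like`. Separately, the empty `--- error_log` sections in TEST 23-25 appear to assert nothing, and `plan tests => repeat_each() * 148;` in the first hunk must be recounted by hand for every new block, unlike the formula it replaces.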

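--- a/t/stream/ssl.t
+++ b/t/stream/ssl.t
@@ -8,7 +8,7 @@ use t::TestCore::Stream;
 
 repeat_each(2);
 
-plan tests => repeat_each() * (blocks() * 6 + 1);
+plan tests => repeat_each() * 145;
 
 no_long_string();
 #no_diff();
@@ -1887,3 +1887,125 @@ got TLS1 version: TLSv1.3,
 [error]
 [alert]
 [emerg]
+
+
+
+=== TEST 23: verify client with CA certificates
+--- stream_config
+server {
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+ssl_certificate_by_lua_block {
+local ssl = require "ngx.ssl"
+
+local f = assert(io.open("t/cert/test.crt", "rb"))
+local cert_data = f:read("*all")
+f:close()
+
+local cert = ssl.parse_pem_cert(cert_data)
+if not cert then
+ngx.log(ngx.ERR, "failed to parse pem cert: ", err)
+return
+end
+
+local ok, err = ssl.verify_client(1, cert)
+if not ok then
+ngx.log(ngx.ERR, "failed to verify client: ", err)
+return
+end
+}
+
+ssl_certificate ../../cert/test2.crt;
+ssl_certificate_key ../../cert/test2.key;
+
+return "$ssl_client_verify\n";
+}
+--- stream_server_config
+lua_ssl_trusted_certificate ../../cert/test.crt;
+
+proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+proxy_ssl on;
+proxy_ssl_certificate ../../cert/test.crt;
+proxy_ssl_certificate_key ../../cert/test.key;
+
+--- stream_response
+SUCCESS
+--- error_log
+
+--- no_error_log
+[error]
+[alert]
+
+
+
+=== TEST 24: verify client without CA certificates
+--- stream_config
+server {
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+ssl_certificate_by_lua_block {
+local ssl = require "ngx.ssl"
+
+local ok, err = ssl.verify_client(1, nil)
+if not ok then
+ngx.log(ngx.ERR, "failed to verify client: ", err)
+return
+end
+}
+
+ssl_certificate ../../cert/test2.crt;
+ssl_certificate_key ../../cert/test2.key;
+
+return "$ssl_client_verify\n";
+}
+--- stream_server_config
+lua_ssl_trusted_certificate ../../cert/test.crt;
+
+proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+proxy_ssl on;
+proxy_ssl_certificate ../../cert/test.crt;
+proxy_ssl_certificate_key ../../cert/test.key;
+
+--- stream_response
+FAILED:self signed certificate
+--- error_log
+
+--- no_error_log
+[error]
+[alert]
+
+
+
+=== TEST 25: verify client but client provides no certificate
+--- stream_config
+server {
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+ssl_certificate_by_lua_block {
+local ssl = require "ngx.ssl"
+
+local ok, err = ssl.verify_client(1, nil)
+if not ok then
+ngx.log(ngx.ERR, "failed to verify client: ", err)
+return
+end
+}
+
+ssl_certificate ../../cert/test2.crt;
+ssl_certificate_key ../../cert/test2.key;
+
+return "$ssl_client_verify\n";
+}
+--- stream_server_config
+lua_ssl_trusted_certificate ../../cert/test.crt;
+
+proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+proxy_ssl on;
+
+--- stream_response
+NONE
+--- error_log
+
+--- no_error_log
+[error]
+[alert]
+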
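Review bot: In TEST 23 the parse step reads `local cert = ssl.parse_pem_cert(cert_data)`, so the `err` logged two lines later is not the parser's error. `local ok, err` is only declared further down, which means `err` at that point resolves to an unset global and a failed parse would log `failed to parse pem cert: nil`, losing the reason. Capture it as the t/ssl.t version does: `local cert, err = ssl.parse_pem_cert(cert_data)`. The `--- no_error_log` lists in these three blocks also stop at `[alert]`, while their t/ssl.t counterparts include `[emerg]`; unless the plan count forces that, adding `[emerg]` keeps the two suites checking the same thing.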
