From 15c95e7b7404764540a17fe24712ffd3035b9a02 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 19 Feb 2017 17:23:09 +0800 Subject: [PATCH 01/23] feature: support ssl.create_ctx and tcp:setsslctx 
Signed-off-by: detailyang --- lib/ngx/ssl.lua | 49 ++++ lib/resty/core.lua | 1 + lib/resty/core/socket/tcp.lua | 67 +++++ t/cert/ca-client-server/ca.crt | 18 ++ t/cert/ca-client-server/ca.key | 30 ++ t/cert/ca-client-server/client.cer | 18 ++ t/cert/ca-client-server/client.crt | 18 ++ t/cert/ca-client-server/client.csr | 17 ++ t/cert/ca-client-server/client.key | 30 ++ t/cert/ca-client-server/client.p12 | Bin 0 -> 2349 bytes t/cert/ca-client-server/client.pfx | Bin 0 -> 2349 bytes t/cert/ca-client-server/client.unsecure.key | 27 ++ t/cert/ca-client-server/ecc-server.crt | 14 + t/cert/ca-client-server/ecc-server.csr | 9 + t/cert/ca-client-server/ecc-server.key | 5 + t/cert/ca-client-server/generate-cert.sh | 39 +++ t/cert/ca-client-server/server.cer | 18 ++ t/cert/ca-client-server/server.crt | 18 ++ t/cert/ca-client-server/server.csr | 17 ++ t/cert/ca-client-server/server.key | 30 ++ t/cert/ca-client-server/server.unsecure.key | 27 ++ t/ssl-ctx.t | 290 ++++++++++++++++++++ 22 files changed, 742 insertions(+) create mode 100644 lib/resty/core/socket/tcp.lua create mode 100644 t/cert/ca-client-server/ca.crt create mode 100644 t/cert/ca-client-server/ca.key create mode 100644 t/cert/ca-client-server/client.cer create mode 100644 t/cert/ca-client-server/client.crt create mode 100644 t/cert/ca-client-server/client.csr create mode 100644 t/cert/ca-client-server/client.key create mode 100644 t/cert/ca-client-server/client.p12 create mode 100644 t/cert/ca-client-server/client.pfx create mode 100644 t/cert/ca-client-server/client.unsecure.key create mode 100644 t/cert/ca-client-server/ecc-server.crt create mode 100644 t/cert/ca-client-server/ecc-server.csr create mode 100644 t/cert/ca-client-server/ecc-server.key create mode 100755 t/cert/ca-client-server/generate-cert.sh create mode 100644 t/cert/ca-client-server/server.cer create mode 100644 t/cert/ca-client-server/server.crt create mode 100644 t/cert/ca-client-server/server.csr create mode 100644 
t/cert/ca-client-server/server.key create mode 100644 t/cert/ca-client-server/server.unsecure.key create mode 100644 t/ssl-ctx.t diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 89d42a533..96d3ba164 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -58,6 +58,18 @@ int ngx_http_lua_ffi_set_priv_key(void *r, void *cdata, char **err); void ngx_http_lua_ffi_free_cert(void *cdata); void ngx_http_lua_ffi_free_priv_key(void *cdata); + +void *ngx_http_lua_ffi_ssl_ctx_init(const unsigned char *method, + size_t method_len, char **err); + +void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); + +int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, + void *cdata_key, char **err); + +int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, + void *cdata_cert, char **err); + ]] @@ -261,6 +273,43 @@ function _M.set_priv_key(priv_key) end +function _M.create_ctx(options) + if type(options) ~= 'table' then + return nil, "no options found" + end + + local method = "SSLv23_method" + if options.method ~= nil then + method = options.method + end + + local ctx = C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) + if ctx == nil then + return nil, ffi_str(errmsg[0]) + end + + ctx = ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free) + + if options.cert ~= nil then + local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert(ctx, + options.cert, errmsg) + if rc ~= FFI_OK then + return nil, ffi_str(errmsg[0]) + end + end + + if options.priv_key ~= nil then + local rc = C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ctx, + options.priv_key, errmsg) + if rc ~= FFI_OK then + return nil, ffi_str(errmsg[0]) + end + end + + return ctx +end + + do _M.SSL3_VERSION = 0x0300 _M.TLS1_VERSION = 0x0301 diff --git a/lib/resty/core.lua b/lib/resty/core.lua index 71bb94642..8ac51e5d9 100644 --- a/lib/resty/core.lua +++ b/lib/resty/core.lua 
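Review bot: In the second `lib/ngx/ssl.lua` hunk, `_M.create_ctx` hands `options.method`, `options.cert` and `options.priv_key` to the FFI calls with no type check. A non-string `method` therefore fails at `#method` or inside the FFI argument conversion with a raised error, instead of the `nil, err` return used everywhere else in the function. I would add `if type(method) ~= "string" then return nil, "bad method option" end` before the `ngx_http_lua_ffi_ssl_ctx_init` call, and reject `cert`/`priv_key` values whose `type()` is not `"cdata"` in the same way. A doc comment on `create_ctx` should also list the accepted `method` names and state that the context carries only a certificate and a private key; how the default `"SSLv23_method"` restricts protocol versions is decided on the C side, which this patch does not show.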
@@ -14,6 +14,7 @@ require "resty.core.request" require "resty.core.response" require "resty.core.time" require "resty.core.worker" +require "resty.core.socket.tcp" local base = require "resty.core.base" diff --git a/lib/resty/core/socket/tcp.lua b/lib/resty/core/socket/tcp.lua new file mode 100644 index 000000000..117e16eb3 --- /dev/null +++ b/lib/resty/core/socket/tcp.lua @@ -0,0 +1,67 @@ +-- Copyright (C) Yichun Zhang (agentzh) + + +local ffi = require "ffi" +local base = require "resty.core.base" + + +local C = ffi.C +local ffi_str = ffi.string +local getfenv = getfenv +local error = error +local errmsg = base.get_errmsg_ptr() +local FFI_OK = base.FFI_OK + + +ffi.cdef[[ + + int + ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r, + void *u, void *cdata_ctx, char **err); + +]] + + +local function check_tcp(tcp) + if not tcp or type(tcp) ~= "table" then + return error("bad \"tcp\" argument") + end + + tcp = tcp[1] + if type(tcp) ~= "userdata" then + return error("bad \"tcp\" argument") + end + + return tcp +end + + +local function setsslctx(tcp, ssl_ctx) + tcp = check_tcp(tcp) + + local r = getfenv(0).__ngx_req + if not r then + return error("no request found") + end + + local rc = C.ngx_http_lua_ffi_socket_tcp_setsslctx(r, tcp, ssl_ctx, errmsg) + if rc ~= FFI_OK then + return false, ffi_str(errmsg[0]) + end + + return true +end + + +local mt = getfenv(0).__ngx_socket_tcp_mt +if mt then + mt = mt.__index + if mt then + mt.setsslctx = setsslctx + end +end + + +return { + version = base.version +} diff --git a/t/cert/ca-client-server/ca.crt b/t/cert/ca-client-server/ca.crt new file mode 100644 index 000000000..075fb9fb4 --- /dev/null +++ b/t/cert/ca-client-server/ca.crt 
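Review bot: In the new `lib/resty/core/socket/tcp.lua`, `setsslctx` validates `tcp` through `check_tcp` but passes `ssl_ctx` to `ngx_http_lua_ffi_socket_tcp_setsslctx` unchecked, so `sock:setsslctx(nil)` reaches C as a NULL pointer and any other non-cdata value fails inside the FFI conversion rather than in an argument check. I would add `if type(ssl_ctx) ~= "cdata" then return error("bad \"ssl_ctx\" argument") end` right after the `check_tcp` call. Separately, the context returned by `ssl.create_ctx` is released by an `ffi_gc` finalizer, and this wrapper keeps no Lua reference to it once it is attached. The C function is not part of this patch, so please confirm it takes its own reference on the context; if it only stores the pointer, the socket can be left holding freed memory when the caller drops `ssl_ctx` before the handshake. The closing block also skips the patch silently when `__ngx_socket_tcp_mt` is absent, which deserves a one-line comment saying why that is acceptable.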
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIJAPQtwgjj8kufMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV +BAMMAmNhMB4XDTE3MDIxOTE1MTYwNVoXDTE3MDMyMTE1MTYwNVowDTELMAkGA1UE +AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVINQ5PqDbYUz+ +g9sxuJWC87leChR0EwoT6NwVBFEQiqtFSBK17gN1kYTez2qFIeqjwoAL3K2VNTlP +g/79E501HynND8vQG7cBQGX/GRtQoU8aCp/DgmkzNeLudlu8Rgp3mhQY+DLMQkXs +mUsmcjVpx6+tPXsnxAnbQ7DdH8gD+XaECoGH39FIdGiwmZY5Y/PjPYUk36qknkfm +pUem7GSVPbG5Etxbk0Q4jAjL8JrN6wBtj4HiX9LLW+o8b/nNypf2HkDObV1DliPx +S1A9lbYcq+X/uXlq67uzMO/8Xy1optJNe4AMsUp7VWIqMCJ2e2q0c7jULJGNdmUz +EO0fAopjAgMBAAGjUDBOMB0GA1UdDgQWBBReqrUnkoVTa1qkVBdIbTR0c15/NDAf +BgNVHSMEGDAWgBReqrUnkoVTa1qkVBdIbTR0c15/NDAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQBGEec8MWgYkj4JzKeHUF6q5Vw2fyD6lZZsv7NmSnkb +jUhe+mKxgvwn82lKiGcyQth9OQtVQ7j6Q3gHfcLSqHNhQGjZA1/tgHGjHH9yK3Lw +69dRgQZFT/1IP84qrU/TVVY2tsVlO00BTfDbPgHvQTMkoRneN36l8P8gmwAzOG4h +R/z7c3bExwy/liAPtbKCXW9tZkJ72x7jLPgLk+NBw0heH6Sank46eMvg9c8H2HXD +oF1dPlaNZXqoeIIMGAWzxLOF8gl3F2+tFM1qpjdg+kFaK+bh9W59MefDoVZ+r+f1 +GP1cO7cbo8hn2rFf/LT3JFiU+uS5nmoAKJF0w5u5O1YY +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/ca.key b/t/cert/ca-client-server/ca.key new file mode 100644 index 000000000..4c98e236c --- /dev/null +++ b/t/cert/ca-client-server/ca.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIeyaHYkkMvlQCAggA +MBQGCCqGSIb3DQMHBAiAPxNz0HpLxQSCBMh8p/EASfeEFeHqX4ZYiIwBRnGvX5PB +jTCxNQkBeDB5OP+3LS0jNIpr8ynEYCER6cCo46PUve0oWqszItfoOgZ0yAaiak4h +k/foVMX8WSDN+9yMYRfF0T1ia6yvJDxJYneVt+azF5a5Mz3PdGuz9CKdgU0+9gMY +AnW35Imx0lp7R+qa23fmDDGFbFaBvyAymCyF/nE1yq7Y4HrmxQxM9ZgB+1HO2Xff +PHlU+M+bH66P7MkoQmwMourWP0DT5OuWUppjN5DMz5FejdzdWtkJ8ZHfnm1t0J0w +/o+xjKzbCmODKLBGSrig5Wy0wBN1aseHModNBBiYX/hcuYjdl8smlewtpD5mxm6L +fgjxW7/q1aut3bTtK1wLI4UY/exj06umYzNqcS3Uv9rDEOJHen/yfXzOiWz5onBr +Cl6WPN5+SiAT1buRRY7G3HDmur2ehA9FDWz+5udMfwQFFc+qHJCDnzcymE64yOVe +YL5fJNyubysAERx2RA/HaqjP7gLyx3YjZSEmsta1esu6zYreNlrBSrulRwKa/vBN +CsKDsHl+zSSzyT8nuZVBCWKgUvzpndCyrQ7DnBiiNZHdbFeT5FMd+Px77RNSI+4P +ga5r/ksDUHY/OYQILGwrG5fpUE9Ag1VId+FhkHJXcQD58YyYvwysBpeQnnc/cQDV +yl1q6RL7J4sJbZTLATTUnsqDXg88p+4/mVEdCF2KxLl/mnc80UQ/GZ375y43y5Du +RqZBaTt6HWsp9m7Q/zi/6F4mKP3JjaGwVny8VWftB5Wcd+p2LeR0xq7uuUo70mwA +rtgZFqIuzio5xQK3u+GxOGAk8G9SMzt4BeQeAnh9Q9sL1nbNdX60SaXZRhVeXxeQ +1ISW0JOqhCgL2Zp0Gro8uDLe4S6DlOXMVlh1PBp5oAI9yJeexnCFLYN8lAuM1iq0 +KwrVEEzlhBc+VlqDeP66sKfE8nXKPH6iWSguiTn9ydXFU8Y+osr9g5s9z86L4smn +RjiXH9h1DbgMh+3wROCmLQ9Zl8Gdcf5T5JjiDwsn0BWeSOePjJ2Utg9XUOZnU6Ze +AEqI14bSNBSdjIrfhJsbxVshYkuySNKzBIX4fO483BTsQQRO+KtFMxlVHvCLAy6g +pyeHtaouThNqGysYPoqDnUqhVKiVc/bD+0DyU4sXDXkqW4ooHfH/ubicAYbj0aFl +4rpQQowNPJ7Cb2/ksHL/Wr9AZSCtyDseaM9wNW+6FEg/GaCdDr66j0SGfrN1rmmo +yeFamnsdyqXhrKGq2aStUslW6ZL+lWJJVMLqZ1Ebbc6MqTdulfv/mf9mtlEKDHJy +uKcQOo7dmoOiQpV+BEEpJlQeIMm5fGLecqxQ5+r1szFKhEKeAEDemqn/ch/MZMS2 +4kDgnM7lWZMPCaE2Rnso/BqDgkzKyZl3clYw2K16Tp69iEOGHpVtNfIXj5XFZCqy +33V0LgDYcGVJVIR3fF7zeXCkJ3cYwG0LOxzP2HzrOgZ6OShPZ8o7yfZTctJs0N86 +AvqegXEtmPoHID7lsZyITzl9b8CsqnkzpL1+9Z2HyRCTcGJUxsYJ1LrKiinXO3hN +XNuKfkx5Ku8AaoBAsnWN7o5wxv774MoWgXKYHnSChu+tPgMQZKn9mBlmx6HsjYXK +dk8= +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.cer b/t/cert/ca-client-server/client.cer new file mode 100644 index 000000000..5de531e80 --- /dev/null +++ b/t/cert/ca-client-server/client.cer @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDn54uRvvZ+pNcX7pLcyWgLtuvLSyOy2yx7D7eaf7zc +18fekOKSOmCMkGsbaB+Q5G1TmQa4B/79ajpu8xSxVPNyiRbKv+c8dNhfCBVglHmB +VbnULLQxpAYWUG865QCpbqap1sa5VDPWG9wISCSGLbVOpF7cU7FKFRqW1j+kwM5y +D6HQ0bZaM6eVMoNTiVzLOw8AjoEMlF9JvYjCQ++UkNl2/vvlqg92suv+YmAUVMHG +jcz3yZ86djj4LcvJkAskgwgHf8uzeyiqe8aWHOXFvIbpa3YY8XEZBusePvkNFhBy +VJDi4T2sHTNqOuzNwSG90L8bwNp9REGYP9YW6ZoBTibXAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAKaqvxiiT87tnsMkXMbUlYwPm1ku4vi38lANEakTEkxnyMoxRNla +gdy/lQ3+YSL7XdLZ6mBwfFSNDBy9PN+rzEWZyXS1kJKp3MAvbJcIjp2+Zzwnc/2d +5iZzITrUg6Lx2X99GHNamOCidnQXR4ifGauVvG14g8nVAiHbKnXNyZn3qptPSAXm +YLidPBeDVtF9vnF8VmajLBmCxklIxo30E1HhuZNZsViKeJsH85Y8GYyYJeA/WaJs +pzOSesQQCJGYtHwyTJVEnqP3EJq+wcj+JaezVP++NeyfqxjeHAJZElqf0k3QBhWt +yk6Mo8iri3milOUQOokidQhMZ49wtnelu7o= +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/client.crt b/t/cert/ca-client-server/client.crt new file mode 100644 index 000000000..5de531e80 --- /dev/null +++ b/t/cert/ca-client-server/client.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDn54uRvvZ+pNcX7pLcyWgLtuvLSyOy2yx7D7eaf7zc +18fekOKSOmCMkGsbaB+Q5G1TmQa4B/79ajpu8xSxVPNyiRbKv+c8dNhfCBVglHmB +VbnULLQxpAYWUG865QCpbqap1sa5VDPWG9wISCSGLbVOpF7cU7FKFRqW1j+kwM5y +D6HQ0bZaM6eVMoNTiVzLOw8AjoEMlF9JvYjCQ++UkNl2/vvlqg92suv+YmAUVMHG +jcz3yZ86djj4LcvJkAskgwgHf8uzeyiqe8aWHOXFvIbpa3YY8XEZBusePvkNFhBy +VJDi4T2sHTNqOuzNwSG90L8bwNp9REGYP9YW6ZoBTibXAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAKaqvxiiT87tnsMkXMbUlYwPm1ku4vi38lANEakTEkxnyMoxRNla +gdy/lQ3+YSL7XdLZ6mBwfFSNDBy9PN+rzEWZyXS1kJKp3MAvbJcIjp2+Zzwnc/2d +5iZzITrUg6Lx2X99GHNamOCidnQXR4ifGauVvG14g8nVAiHbKnXNyZn3qptPSAXm +YLidPBeDVtF9vnF8VmajLBmCxklIxo30E1HhuZNZsViKeJsH85Y8GYyYJeA/WaJs +pzOSesQQCJGYtHwyTJVEnqP3EJq+wcj+JaezVP++NeyfqxjeHAJZElqf0k3QBhWt +yk6Mo8iri3milOUQOokidQhMZ49wtnelu7o= +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/client.csr b/t/cert/ca-client-server/client.csr new file mode 100644 index 000000000..1cb7db1f8 --- /dev/null +++ b/t/cert/ca-client-server/client.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx +FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFjAUBgNVBAoMDU9wZW5SZXN0eSBJbmMx +DzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AOfni5G+9n6k1xfuktzJaAu268tLI7LbLHsPt5p/vNzXx96Q4pI6YIyQaxtoH5Dk +bVOZBrgH/v1qOm7zFLFU83KJFsq/5zx02F8IFWCUeYFVudQstDGkBhZQbzrlAKlu +pqnWxrlUM9Yb3AhIJIYttU6kXtxTsUoVGpbWP6TAznIPodDRtlozp5Uyg1OJXMs7 +DwCOgQyUX0m9iMJD75SQ2Xb+++WqD3ay6/5iYBRUwcaNzPfJnzp2OPgty8mQCySD +CAd/y7N7KKp7xpYc5cW8hulrdhjxcRkG6x4++Q0WEHJUkOLhPawdM2o67M3BIb3Q +vxvA2n1EQZg/1hbpmgFOJtcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB7hFKK +OJw3pyRJmS7CCpY3ZA2V9MdrONdKVaAGCCp8RiOplixHCr1tIXjaOCpv1EVA2+Ne +UvOFCsDTWUQm3OHocyIiz6jlClzcY0iGqHWjz4CBqe1ZefQ9tPpH6YfXj//G1rb0 +Nvo8mjI4IvzJUm+63VFUYPHMoVu81KCZtIlI4m8gU1ErTDTt2FSrv8ZOfbYpGQ7g +R4XnZfAgLlfnLdkg0NDnWNlcyWen8HcImW7GthvNG4fHLe19eaZnzYX67xg/jCxq +MSOuZukAi/z2wZV/w24QO9YrQBkuWaugv7DoYnokOk0zEpifii/deKSgSrFe8Xqn +YOcXEnskm0YqxoBJ +-----END CERTIFICATE REQUEST----- diff --git a/t/cert/ca-client-server/client.key b/t/cert/ca-client-server/client.key new file mode 100644 index 000000000..41bcad398 --- /dev/null +++ b/t/cert/ca-client-server/client.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,61C44F36123FA0E6 + +u9eMJqZr0XGsWx00JhOL/iZmnPZftVq0cCkrz7YWRwAEFTf7AV1HKVC6DhOFGDBL +mJLMlbXTxWo3pai012QJAkjUnXfa/DB5KnnUiRMu57mgYc27Hik9R968QbAjKT8E +4O3t6LayGkLGwoH8Hh9/V5HgDdFRnQLJsgVLkDOmv4TiybZ/1fV1ON8Mar5ThNiK +Rxr1k047nLP4STSm6RshTWe55Nbm5h4DBR5jk2REV6JneCDxx7Mdh+LyzKIiVGlO +TI5L3bGaBXVv5+/9B+dW/CFOsteG342VmtEoJYqJXe1lDkfMc3RD66pGQe450r6e +exmwZl0yCIjD1xxBFQE8qYWsQqtg65v9APN3eijaga6a8MImvpptbSdE15SitR7y +vgl5g0CdvVoAFPsBFFwlsUQZex2Q7BR1kw1nwUibYzDUjIdhTr50k7GPaHT11GXs +D2jAYyB02sfT1VXZaVYzOPTKvqv3BBaBjr8+5zoV/9VHPLVcaAq5SIeLjd1t9FWZ +NR0jmiaSTN7sSjtFK0KUmTqzoPpHk4oujPbklwFRJXc+r9eAkRmlIvM0gMv8kkF/ +gsH4OiZBvE7AivFrtizTdco4PdAhqZ0cRm1+3Tjks4zoD67OkeD6n05hPqqms8fC +mIOnyGNLywwz0G5QwpO+9xXUvu6QueqmYTgy5uDZmjO0rnyUyYfUbMix6J4qkaMs +y4Q37udBbSAdLkIFw7LF34VvBUmGpXKKrvtm+bt5wYfa/91EYe7lW/72elZQ4S5z +ty7zxaTUFlI+E4kLZeO02EKtkeNImX/X3bYmH1DkjH/SuRgpxCgbbbd24AQLLugO +VRt+E54J/JsIDLl9Mv6FwKXB/GY+3NEsOzlsdPCEJlY5UyGkoRmg9zDlpVjCYRop +OIxg0nSTaf8n9cPK3Jv9OxFkMVPrbJpHCLlN591CYFDne0uiuJ6BAmhM0f67y0On +ejxv0N4yG7BrmeVTygA0f1QuiRXwqFK4IuAH/B0psc+UlrRVOSNPSMrvcS/GGXqr +VX+9e9exV8V3vRcywd/wnN905c/XPLZ6+I0nH0DqwFDHbpW9QD7KcoUsdk2Lk/ns +87gX+LYrCq2Psolf25dVV7VUquXUrvUByfL2O31qg7IQS8aehYec7snHijYWY+RW +fiuF6rckB+4euye2SGY+7qeyFIbdJq1y32TKI30aDKLTprbx1wGk6EFtVGloeRd+ +BP80ExwLDkxo7n+VSsaAyvXAg7sIu4Gc3VBo5k0ZBT/gWgaceWsn8yXnDinTlVaE +t8dT5WaPJQCU86xUoGhddrO1DloZMyoWp42pM3sCZoWvR+MtO/xHQKVVmfg4suT/ +9nYJbJBc/YJ04Yc4GdnDmtPJH29gLbOewEgdyVmmpsEG4Aw3Dh12/ls5FAEcD7zV +ToZoYaOC+TABmemNtIxuJ/HBa7GKvopEhbZbgoNvRYv+5XNxH3JvSrj9kW0t3h9R +06cMKyNpX3wuosLMHWWoyBDkwoK+Ir78TgKF8iB11IPssIoe23oUV6/tt5NdPMh+ +s61D6fUHZtPN9ZyIgnI0ewQZdnbnG/M6hn7/kb8PEeLmIQquW2EfWr9+2LGzQN5Y +-----END RSA PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.p12 b/t/cert/ca-client-server/client.p12 new file mode 100644 index 0000000000000000000000000000000000000000..dfacf68ab0dc463707fb4a9dec910d20b1ee18b8 GIT binary patch literal 2349 zcmV+|3DWj3f(a=C0Ru3C2=4|7Duzgg_YDCD0ic2i-~@sQ+%SR&*f4?vj|K@UhDe6@ z4FLxRpn?N{FoFYo0s#Opf&+C12`Yw2hW8Bt2LUh~1_~;MNQUvvGf+pS)4qG2kVh}|Qs zR0ADCeR+C({&X{IaWKxykd(eVWQ48Qxgo>V{}MlY6HapTuUO;iE{Yg-af<02IcNyD z<8Guo_TgR0z|9IzRFa#@rQE88#Rv(GYN?cU>r?4|kvuh@s}zZaR6#m)tGAL*~IE|F&rCN40x=bzYF} zkhNbaGBDxx7T9JsXO=k%-xt7JVUy~aT%v;v%AiZJn=rIyM0QEn$F*(4uYp~830Jv} z?_b>WK@ruhBR~fom$iU3pAP~>9?)RImI`X7hz}Gm2B2WsN=UjMKQ2dsJgLzjCyP}3 zR}0E<0PSNWZq2?tXOX-8Kw`=qNO??!C`8?I6!I|x#1WzwvlW7Zs+^dZwgZ~R^ASNW}!UB=DDYeIh3Xyw*!Bx z{gFW~U6jZW&k0U}V{;T)E%UqC$2JhbZT#`M*l$_>%m|Cj^YEsdyPQgWw z^u~$`A5J_~;&NP9Gff0n6^fvL@2YlXM@5$h#GnV}WI@V}felQ9!#9+Y|E)S^>l7=5 zmP^7F31THx!&c$FZf_)vc9Bl@Sjxv);MX>$nSwW@yF10)AG;pJl%Zi(|BR|J9d$-b zOVBCddoHPB?I2_$s=gj}#22-EG9|`haFRx>y~THzPIIl4@}*7y9r`#VVbGP%B={2P zsP9XP;?x=D$**z$V2MDEf4}&iFoFd^1_>&LNQUTgnaN27m8=4K-y=%%Wm@CftxkB?=hIsdjssY5)EIvos(NxOsS4+C=DxqHTDw z9gS+5DK_rxW2(IC{i5Q)7DnD};ULOnj{3h6mh5g3h6eeydg89dCcTSS`!B2IX{SNDEm*lRFtO#_TmU1!OrPrW2Zvs4$xdD zaOr$~5Oq{!6kC?{I#^+OLdw?@U{Zh}`tMn9n9@ zYT934Ud~}odgIbl%|eLjns~}+m?(R7TijA|odtbI4xFfQ=}kIX6o^=h=L&soZ!F%& zD~VmMStVhS%C&m;pQ!%jxPW8LRt5Zb?D?7HR<+e$mB>F*8ji!CwzHhb{Eb+hwg(Mqofa&HStPt|ZSf&ghI>oUDI>%=O{#BW^Tr0WrtwXBPLE0?RKT@cfvb2#;!93s4Av6D6V!`%U-CFEyjpkE^RI$ch3VmCjpCBmkz#hd$ z?4Lx_IgwueEXZ9oCeHjqfCinue5X1bh0ONH`s1k-vwL>!$TO5S60TgWdVa|`vQ*9n zJ%+#!fd#msiGOF&o6$dovJv3v-pEVS&>++|M1e}1A43o}rHO?<$F4dNdy5+im{v14 zoxzB?81Qf^7EG&t!OrvxRA-`s4!Hrvg>URTAG8$1t|OaMHtr0WPlEuhv zOnrxQtX^1S8fX5^Ljqgo@8PwLgp5LpHN?w}y4@I_kmTT9ticrM_{LWkM?;_98+2h- z2Gj{tTrqwN$V26Govm70AExl zb_uQ32|}s>&cUm6p-AXNJYWKhCw23(-lTn1bsvgjJSrtTjEltDg0VV;sW&PDf*gDg z#=7g|FAALi#Ec;X;o&*AG9GU|2)y4?KW;z@0s;sCn+{#< literal 0 HcmV?d00001 
diff --git a/t/cert/ca-client-server/client.pfx b/t/cert/ca-client-server/client.pfx new file mode 100644 index 0000000000000000000000000000000000000000..2ac10de8c5fffeaa14822d728e825df6eb68fffb GIT binary patch literal 2349 zcmY+Ec{me}AICR447snOrpU1|=IEF+ll$0L62giKqa4$U+?$ORmiwrL4hf~(m1Yt# zN1G^N61g(Ig^AIxp6B=beSg0{KF{ZQUhn65|Mz;M$zli*AP7x{EkebRGzXeM5-18R zBg4kQWZ1}W`~gh{G5(35Wn@tDZxk;A1pI!ae-a>iCsh334cmZFv=kVoFcA2{IJ{h6 zL<9y%CW9QJw`xoE^UMg4J?Cs$%rV>6_|X@HBmQ&UlfjPp{H1AA+;pY9N5O+ZdZ?pS zXy8u+%QHil?$W}z(K4126*G%khs>@^7t(hVTf8hoVz22`Vy~Z zoSvq{RP9n2`Xs5{t;EhpVcmKw6&{oe0qi+#nU2c=-sKk$_|$aV&$ARfU{yi1Xu4iV){wZ_rCtDpS4}<(|(O*ym-Y*0frcpZ|vy1J_$LcT3Q7U z5j;z>=;h7Epo+&O)mJU0Z7N~~mzm{puG%}H=8Q+OUS|5nqx-_VG+W)^kaKOOq+Me0 zA*6dh;2vP`yHcKccDe0@V%HcsN)laz)6>3lJ965fF~sS5)7wbhe8MT1%WYn0+eJve zw8``0XxW5OtGpmX%-P28yjx|_-C3==+uRLMl3zwHdD(WJ@fcaORE znxb2evgQfYW}b9_U2IXvm(#ECxu}h;q~5rx@UB?!^4S6V2>GBB{d-kdW1QmassVn> z5AzIxF9ktwu@(lIq_af0%^sh?O0yQMS}O9RdX1-%bxrjBD-rRB%6B*z33ZPet@H7< zlmJ`=-(vBuEX`%(N_6(q=Bpbt=@Mk$hUovs$ls?0mH3Z_;y{ryGMJAhgXjLwPS77a zJ)Vz3%_Hkn|JVs8gF9i}z0VnUL=6rHSH0K6-W|3+B zmW0=lNYvoP!eq}~zI_N>ymZ_Wy|Af%g@gOjV;+EQXKzwZ76OQlBs0ZGIE`^1pHA%D zP^MV>vs_2!D!DVMpw`=`iy4oPSBs80)q4Ce?3ivZ@sTIX%JX)t5%%~yd!rQ!Pp5D% zyzSzwsPg>y3YYMsk0b|Cngij9GP=JZFcolkD5;ysT~wc+4FF?dSi1u zWJcnJ{lfJYvN(GwG?%?=wy<2xYSncZdVU4w9rQtg!nP-R8x3=<|DLK(i4LCCVQFv= z^o(IKPVB$Gr;md6?UfuEJ*LnRG1WN5?IxFrayTPG3FS zVZ=pbzK`NC`8PEVd(c=cC6)d%w({wFvJ5v#D3M|l5?k|xV&aGzK51t`D_|Sz%Bu%cGISST;@Yl{`yp&QmYoI$vpQ}CHr3w4dXWel zkAq@sm64DKR@J+fVM{YZ1OwL9egk5#A`f4YJBi9H`68an!D)|%Az|MR*}ncE^h5L? 
zWMIs*by631+-7pyKXp;)VWH4?NC5Vr#+?{n6|mgR@S2KI1pgHa(Jj4@sG*vpmFTTp zG=7XO09;V-v^cy#DK&>S8>CPa@*)J9rF}Lr3-cEiFHAl>Sye6?d?|6685-D#faOoS z4sWYzxj(g=iy6>)KtO;s1P$90PO@ly!)K;4k#CnEk-T8W6=}E*i*!{l0#;Y2`{_iV zxZ2RUZv7Yy{5Oq#vrK-*o%z@Bt1*IfQ7=Abf7&oF%}cB3eXY`Z4S6c_;u&AkJKpd+q@LVoue1WmG?TXuO&P*~+9SonhNW$5QSdg2 zgyB)TTL=Ke;;XC5`mS_%b{6;_a)0zPSUUc`CA-GmnJ{EEVs)~6QJACdFJF5c z$Xu{ZS@U=FqI>-K5q|83u=HqDqnF`LRDDB|p>~S1;kD{{)=U~ZF3a+R6eZYV0!8AT zbp?5+->u5(jKPd!noiFKzj{N}YVIuY1uX=-*?-+p6*e^uDiTFeMaZ()b&mQ*Rj3e_ z5(yZ>P~Wb{$bD{gx1YPETwCii*>krB)tGCcp+>_esbX7^yr8GrYSnB;+`}JpN!M)U z+!yeh868|?Cw=!a$*gnd19($5aw(8i}5MSj}C|xi2_|J52rm!JC^anfQV3;c3zyi{ULC5@J;w- z=fh&(l1iY;@I2fy$R{XNXcNU(OjNz>Suj6QN7?>s6tq91wx}Xai_y;?T!*>LwyV{6 z6`s#el7FR#u`%{YlpfoXVbsQ%#KKvMsYr%H=~NO9Wi8KlyzGPz2m%GX)KNQk+wm$S_fzywg9{|I8 P08b{{6^h3HtmMA{5Ku@9 literal 0 HcmV?d00001 diff --git a/t/cert/ca-client-server/client.unsecure.key b/t/cert/ca-client-server/client.unsecure.key new file mode 100644 index 000000000..65413413c --- /dev/null +++ b/t/cert/ca-client-server/client.unsecure.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA5+eLkb72fqTXF+6S3MloC7bry0sjstssew+3mn+83NfH3pDi +kjpgjJBrG2gfkORtU5kGuAf+/Wo6bvMUsVTzcokWyr/nPHTYXwgVYJR5gVW51Cy0 +MaQGFlBvOuUAqW6mqdbGuVQz1hvcCEgkhi21TqRe3FOxShUaltY/pMDOcg+h0NG2 +WjOnlTKDU4lcyzsPAI6BDJRfSb2IwkPvlJDZdv775aoPdrLr/mJgFFTBxo3M98mf +OnY4+C3LyZALJIMIB3/Ls3soqnvGlhzlxbyG6Wt2GPFxGQbrHj75DRYQclSQ4uE9 +rB0zajrszcEhvdC/G8DafURBmD/WFumaAU4m1wIDAQABAoIBAQDYgTqzYiZ9C+Zo +SGrCSCKkNS2kiU0V0TuQ1JakXjdzsty9tGRjAq9a7AWi+63ktu4+ivJT49syufc9 +2CFsgZQbTVODDHCU572N010p4tQhZGhuZyH/6lNoh8WgpWXdyRk+HO9A3RTcAvyE +mt3Gi2vmtNx/NH+jW1qMkg+u//Z9UsXXUYodhTr2Q5VS78Z9RETYA584B72wVRCj +QWdIqzCx/Qt6AHoc4waZq/5q7G+4+dMyBfwi/TLySADETdkuDYHx/2l14Zw7uN2f +nf1AMJn74x3Z/B58U03PWyTmygfy+KzvI/0Ghb0I9f3NMQrosxWvzExan1F1LX/x +uK4EyfQhAoGBAPVSeL2mGQ6/JDQ8RNGRxZIPFmpMX1YSBykzY9cQDekJoMxTlblJ +zWCtK6ImW+GO2x5N7t48Zg3Z5TzKQ9p45RJ0EUyF3xQFJ7ybRvgPbrrjjcHzPtIS +gBpZWfGT6VnrUNl5tEVQuGMoVEV9E0yXIxQAD9kXXBMn8eq4uTn5xwixAoGBAPH/ +kMsEkMkYzj+7uqUNY7jh61ZJayHtn2HUJWKhC2qlb14hXbHc3BcnLbZfocuJ0eLV +tweqP0oNkpc0fabXJRMBF/cEF1vF4S+UZ1/bH74a0swJo8Y3KJP2yQUsImVx7baI +cGdLYv25/9RzpDaOclQuY9Jtr7roORyYqH/wZgoHAoGAUyU0jvJwo7Lczmdu26iQ +UcSTUEu6NC3AB5LHT+i9DjKZMSdTI42D8jQ/CaH+miAU29yGDQRjgmZLb6MOBEnd +Obfk9Q6aYOquYRovn3t7iBP/w7Bxpjlm+Yc3GM2M1VEQAeVh1+xX0iOlDDgsBlVj +KjArLuTf7A4py+f3v1KMxsECgYBgDOvPaLR+3NWf/kcKk9Hs496glOtsv//uuGFO +UFVTsu4NEnk5y0uf9PDz3ek9/CnOOr020Z/lKJXyZecpfWM9s8VrSbhruJK0a9bL ++REUR1k7mufiGKqGcAFBiE7urNWJCYZzuTxFMLoV/QBEly1RtEfykY6aROnGK+FV +Rnl5qQKBgQDHVOPc7IvA7/SsscP82HJZBAczONY+zCM6TLIhmdfZIcqqmTaqgYoI +Y9lF5t2PJ+QjpKIl5QzFwpu/wJT5WOB2FkfEpO/hEu/YnEz28onYzftV2t5SecU9 +8CREZyO+1bxvQsBLOTR/QhHNnWPDPzwvgeCXUAY1U4+KVAzFJ3Yhjw== +-----END RSA PRIVATE KEY----- diff --git a/t/cert/ca-client-server/ecc-server.crt b/t/cert/ca-client-server/ecc-server.crt new file mode 100644 index 000000000..c7be93d97 --- /dev/null +++ b/t/cert/ca-client-server/ecc-server.crt 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHzCCAQcCAQMwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGcxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMRMwEQYDVQQDDAplY2Mtc2VydmVyMFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEUNRTepuYaeMvMz674huSqWnV1B4jJzR2hsim9TxogBE8 +cK17NSvFYTwNRdRD14spdFTJen8eD2n40rBMdmHzWTANBgkqhkiG9w0BAQsFAAOC +AQEAg7yt0M4My7VVWdE1sZe0kzWIinCIa+s2hptNNK9iwxkWh5xvr4Et0fnB1s7X +YKEc968t3488hKxMe0jC5H9pa8p4QN5eLcdpj413Qzj12RBS/Mt1jnrYJelTLSX9 +cUU2ym9spHOekhZApSGG6OJjtM97wQLb8a0PR5yxaRD8kCVBzJnOjiTU0+LMQf9s +5JKly7ZGtNYx50WVHU+nOSX1w/Q8p6aAA84qom1+uVo2wCqWyMtLFF2W+yougRqy +gDnO+8G4OYI0FhkR/9TNyzHD6pNSFl28GFWmWA1BgPiHFvwbOuqzB0e0GSxjQGRC +4ZZ7ZDLy7Jz3pWa00yt7tCBlYg== +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/ecc-server.csr b/t/cert/ca-client-server/ecc-server.csr new file mode 100644 index 000000000..3852c0bac --- /dev/null +++ b/t/cert/ca-client-server/ecc-server.csr @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBITCByQIBADBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +MBQGA1UEBwwNTW91bnRhaW4gVmlldzEWMBQGA1UECgwNT3BlblJlc3R5IEluYzET +MBEGA1UEAwwKZWNjLXNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFDU +U3qbmGnjLzM+u+Ibkqlp1dQeIyc0dobIpvU8aIARPHCtezUrxWE8DUXUQ9eLKXRU +yXp/Hg9p+NKwTHZh81mgADAKBggqhkjOPQQDAgNHADBEAiAStgXb9WVJD54T3Ekp +sHxLtcS41iyewWCU/xT+Yfw6UAIgAMDy6h6570z0MQ2ByniYyqqPgxz1r3bZ+l7w +MFLhJeM= +-----END CERTIFICATE REQUEST----- diff --git a/t/cert/ca-client-server/ecc-server.key b/t/cert/ca-client-server/ecc-server.key new file mode 100644 index 000000000..4f2f1f05a --- /dev/null +++ b/t/cert/ca-client-server/ecc-server.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIGlMlfAxa97Uxdk1/WdP9eWjNrR/tX0MCGpLY89pLfVGoAoGCCqGSM49 +AwEHoUQDQgAEUNRTepuYaeMvMz674huSqWnV1B4jJzR2hsim9TxogBE8cK17NSvF +YTwNRdRD14spdFTJen8eD2n40rBMdmHzWQ== +-----END EC PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/generate-cert.sh b/t/cert/ca-client-server/generate-cert.sh new file mode 100755 index 000000000..95f27b838 --- /dev/null +++ b/t/cert/ca-client-server/generate-cert.sh 
@@ -0,0 +1,39 @@
+#! /bin/bash
+
+cd "$( dirname "${BASH_SOURCE[0]}" )"
+
+SUBJECT="/C=US/ST=California/L=Mountain View/O=OpenResty Inc"
+
+PASSWORD=${PASSWORD:-openresty}
+
+# Server key、no password key、csr
+openssl genrsa -des3 -passout "pass:$PASSWORD" -out server.key 2048
+openssl rsa -passin "pass:$PASSWORD" -in server.key -out server.unsecure.key
+openssl req -passin "pass:$PASSWORD" -new -subj "$SUBJECT/CN=server" -key server.key -out server.csr
+
+# Server ecc-key、csr
+openssl ecparam -genkey -name secp256r1 | openssl ec -out ecc-server.key
+openssl req -passin "pass:$PASSWORD" -new -subj "$SUBJECT/CN=ecc-server" -key ecc-server.key -out ecc-server.csr
+
+# Client key、no password key、csr
+openssl genrsa -des3 -passout "pass:$PASSWORD" -out client.key 2048
+openssl rsa -passin "pass:$PASSWORD" -in client.key -out client.unsecure.key
+openssl req -passin "pass:$PASSWORD" -new -subj "$SUBJECT/CN=client" -key client.key -out client.csr
+
+# CA key、crt
+openssl req -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -new -x509 -subj "$SUBJET/CN=ca" -keyout ca.key -out ca.crt
+
+# Client key、Server key、 ECC-Server key
+openssl x509 -req -sha256 -days 30650 -passin "pass:$PASSWORD" -in client.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out client.crt
+openssl x509 -req -sha256 -days 30650 -passin "pass:$PASSWORD" -in server.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out server.crt
+openssl x509 -req -sha256 -days 30650 -passin "pass:$PASSWORD" -in ecc-server.csr -CA ca.crt -CAkey ca.key -set_serial 3 -out ecc-server.crt
+
+# Client p12、pfx
+openssl pkcs12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -export -clcerts -in client.crt -inkey client.key -out client.p12
+openssl pkcs12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -export -in client.crt -inkey client.key -out client.pfx
+
+# Client cer、Server cer、ECC-server cer
+openssl x509 -in client.crt -out client.cer
+openssl x509 -in server.crt -out server.cer
+openssl x509 -in ecc-server.crt -out 
ecc-server.crt + diff --git a/t/cert/ca-client-server/server.cer b/t/cert/ca-client-server/server.cer new file mode 100644 index 000000000..449486634 --- /dev/null +++ b/t/cert/ca-client-server/server.cer @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc4CAQIwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDoFbQMPAsAZT+1E2KVZXtrR1ry1TtjKRupxJZ/jmGo +XDH85t5DADrc+x0qGnfzSzJD5YpAMmCzvhkum8HARaeFxGgGIJt4mm7yGtCoLZbm +/c5ZzHJ2UtGpm3+Yh9Q7WM71ESBB1VLuAdec1WvpUZrCfXthZ+xnQlWYgd3TPpAt +Qez57Smp2fiTzpqjcYBc8ihuAHlhsqXX0lmjM8Mul8/F5qHqUKDkiNwQFuymL0v8 +m0vtU4ZrINFedHFHmFRnAZ5FlJKBC9WZ7N4+CvgQFGye35QNBAokJO8hRQDd1AIT +qlkUI2uNuXYGiOep9iA159D6u+g9+j71z3BoOOntxdErAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBACg7t1KNy0AbYcvBJkwHBQ9sgVCDgAaLI80sDEZmEHZXTIH8pw4S +ZoJrgteux/ZOM5rGQj58lIRa9eam6fGb7TzY+/OqdjQIZZhnllhQxlqmf5aV8UH9 +uGPvixWGJi+1wZU+faF4akFkoaA+tnvC8IGaTZ5hWbE3ZhpCaSD3NgrVDOUMuDcH +AbqOpg0JxWQ8AafPNT0d9vzUD8+pUc4nDYVNmPkX0iJa0ToD5RuHZiuytf33joG4 +mpszJ7MfzEYmsNfO92VJLDN40p2SOgc6GcXwFG9z6g9NRy7bmyX8ZWz8UHdgq0zZ +WIR0t7kCVGxlFu24eA+nmiTRKBRkX8iIX10= +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/server.crt b/t/cert/ca-client-server/server.crt new file mode 100644 index 000000000..449486634 --- /dev/null +++ b/t/cert/ca-client-server/server.crt 
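Review bot: The CA line in `generate-cert.sh` expands `$SUBJET`, which is never set, so the CA subject collapses to `/CN=ca`. It also passes no `-days`, so the CA certificate gets openssl's default lifetime (30 days) while the leaf certificates it signs are issued with `-days 30650`. Once the CA expires, the `ssl_verify_client on` tests in `t/ssl-ctx.t` will presumably start failing on chain validation. I would change the line to `openssl req -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -new -x509 -days 30650 -subj "$SUBJECT/CN=ca" -keyout ca.key -out ca.crt` and regenerate the committed fixtures. The last command also writes `ecc-server.crt` back onto its own input; `-out ecc-server.cer` looks like what was intended.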
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc4CAQIwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDoFbQMPAsAZT+1E2KVZXtrR1ry1TtjKRupxJZ/jmGo +XDH85t5DADrc+x0qGnfzSzJD5YpAMmCzvhkum8HARaeFxGgGIJt4mm7yGtCoLZbm +/c5ZzHJ2UtGpm3+Yh9Q7WM71ESBB1VLuAdec1WvpUZrCfXthZ+xnQlWYgd3TPpAt +Qez57Smp2fiTzpqjcYBc8ihuAHlhsqXX0lmjM8Mul8/F5qHqUKDkiNwQFuymL0v8 +m0vtU4ZrINFedHFHmFRnAZ5FlJKBC9WZ7N4+CvgQFGye35QNBAokJO8hRQDd1AIT +qlkUI2uNuXYGiOep9iA159D6u+g9+j71z3BoOOntxdErAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBACg7t1KNy0AbYcvBJkwHBQ9sgVCDgAaLI80sDEZmEHZXTIH8pw4S +ZoJrgteux/ZOM5rGQj58lIRa9eam6fGb7TzY+/OqdjQIZZhnllhQxlqmf5aV8UH9 +uGPvixWGJi+1wZU+faF4akFkoaA+tnvC8IGaTZ5hWbE3ZhpCaSD3NgrVDOUMuDcH +AbqOpg0JxWQ8AafPNT0d9vzUD8+pUc4nDYVNmPkX0iJa0ToD5RuHZiuytf33joG4 +mpszJ7MfzEYmsNfO92VJLDN40p2SOgc6GcXwFG9z6g9NRy7bmyX8ZWz8UHdgq0zZ +WIR0t7kCVGxlFu24eA+nmiTRKBRkX8iIX10= +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/server.csr b/t/cert/ca-client-server/server.csr new file mode 100644 index 000000000..000a03b49 --- /dev/null +++ b/t/cert/ca-client-server/server.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx +FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFjAUBgNVBAoMDU9wZW5SZXN0eSBJbmMx +DzANBgNVBAMMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AOgVtAw8CwBlP7UTYpVle2tHWvLVO2MpG6nEln+OYahcMfzm3kMAOtz7HSoad/NL +MkPlikAyYLO+GS6bwcBFp4XEaAYgm3iabvIa0Kgtlub9zlnMcnZS0ambf5iH1DtY +zvURIEHVUu4B15zVa+lRmsJ9e2Fn7GdCVZiB3dM+kC1B7PntKanZ+JPOmqNxgFzy +KG4AeWGypdfSWaMzwy6Xz8XmoepQoOSI3BAW7KYvS/ybS+1Thmsg0V50cUeYVGcB +nkWUkoEL1Zns3j4K+BAUbJ7flA0ECiQk7yFFAN3UAhOqWRQja425dgaI56n2IDXn +0Pq76D36PvXPcGg46e3F0SsCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCkb18t +CB7P63L+2+tlGvpBs1Mhxkg98yEWE2uuxEgL7q+HmkLbIFVB+M/kLhJaPqPBhAkt +l+Cc6mUMpHL3S6XjU1oYxeHDoXqUEgZSQWPTxnyAxqVrFkKzaf2Mo+kmRpuPpECi +MyIDmuVMrBpYnGXTwdncxtmM9K/Fpsd+vR82Lc9H1uiNVtunsFtRoiaYYbIvO+03 +5Ie085kNQtJW3u9JiKJ6Ui9YhWMHV8m8yl9Rt1CVpz1dVant9UkvoacYnmtNC4An +tH2F14/zX4+pCkQbxX8R/GTZMtD36Esfp4czHiEfLl8/U2tUV1HBSkX96e3GEVPv +D2vxGL1kln7yulUS +-----END CERTIFICATE REQUEST----- diff --git a/t/cert/ca-client-server/server.key b/t/cert/ca-client-server/server.key new file mode 100644 index 000000000..2c5996fea --- /dev/null +++ b/t/cert/ca-client-server/server.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,7803FB947423C395 + +7TL3cH0trCVNY+DG+vsbA/kB0UldQ6AdUiGozXewCBGENVLwu95ngyB9WV7IFdO2 +78zg0FSYNgOwaGJLbfgNSxvJQete/k6eOvPe0iQtjlcM65oHqmSJVR3G4XOu0wPV +XdJtQfVO9KH2sg2cV0c9XGKJ9vSplldcfaEXbQ3k5Xcb5QLrGElelQ8XdTETI1Ql +iDDIrpkjVJPEhh+LESLMvQrAqEIs12BFe2zLT+MOocvUXSt9L/ljQvkqfj/0TOOA +5MdxCmO0Un1pbY8INGYR2K+zIx4zqQ4xxe5iDGOqv5XpYwXqsNKwbJvtU9eYSjot +1V5b/1IC4d2/B9cekBkrDnNHEPvUFzDuAwD5N8r291JgL1wHshk6o5sMx72xRoXc +fJ8pV6aAftxYvr9HzFVRs60kOrs099T+YTTkLXXfhi9mtfoi6Zu0Ykwo3ClOfhi+ +HmDSJ+yYmyIoxLEjoFRNJpemSFlFae9OrppOkuNvTQGOO8nnVxDhAto+w2D3h3+y +SiVjhMvE6fR1HNY0n+wmGo0rfoOx6iBJKq7TyZ7JwWiFQG1vOzhrFFEjtCuaqfjX +6B9oZp1f1JsQT9LGTKCYFSKOgFH6Q+MwZqNSLrJXgl5Zk7NUxZxR1vx6+wJ5tbvY +xdtqqmyMJCsqsyKw49JLZHK0YSRynKDipIbvIXMyVyUuBaRy2OyKZereddR23kpD +Wd/vLj4ngyOP3h77N2Jp3Lp/nAJNYLjWoLS/R7LOz3cxJh9iTzHwbTnWEsTrsssD +gT3JXoLNyYiHc+BJP2G2aDu/EP3paerfN9izSQb2EsLiKj9FjVdCpc0H32ql9N8g +iNIr0Qnq1IQK6Zz3GYTyLkg6b/rH5SO/hr5/ylfd0kR8HY+Ssb+Chi9BF4++Grnw +PWZnSzVgf3Vy/L6w/PxYLE/BDbf3HT9dw7AVSqmS2wX8l2eJE6oOoHEGLIxXNgzJ +prlTTmQ+9+MJE9c0+gg9LASDrt4uldbl5KOpRbNeD5VEMTYXZ0burYLarCY7zoca +2tZ4YntS6qBXZlJj+1YI/6GrQbyviZfL+fyIsBFAKVSuiwTPqW5ItW8Cqfg6PBv4 +dUR8qY1lRtreN479AZeW414KWlKeB+dGn0lAkm3+iIFmOLlFK5mz7o9I1XEur00P +9ZNfgWHTLMtRl55cg3JXBOaTpmuSwAjizqCqXxEcQCqoVIAqmBYOtC9pFiGzl7Kq +XbK2dQZn+cBOmcqgwqKr41cSaKlAlMTtbrr/9YnraHk1Yd4Kmo++InWqXmmOqX2r +UX5rNHtMGXEZ6W4+GQKfPHBvG5T0Mp190tQ0qHnrqU3V13ns0Ya7s8pWkJG5Nz5Q +aNtFn/mGVKMUU1HivUwmsTORHv5DAv7YxvTeERo20hG1wzjFRQWJ7qPngUomnT0O +9JinV9uVnAtI3/VNX+gJovOEdnwvdxv2rwkiWbWz2faG4fWD6a+uflRrwJ+q7B5G +OK8Vnk7NSjFI7XHwp3RbNqSx5q0Pt63uyAsUJcEry27zk7gRv4Nxb9QT29UtRuOX +fzPsetlDSL0pVJM1Uvl979KPEPSTlzhTeckbsIUhR15Q2p4ylDy3Hubnwzetc1yE +-----END RSA PRIVATE KEY----- diff --git a/t/cert/ca-client-server/server.unsecure.key b/t/cert/ca-client-server/server.unsecure.key new file mode 100644 index 000000000..18d47ed8a --- /dev/null 
+++ b/t/cert/ca-client-server/server.unsecure.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA6BW0DDwLAGU/tRNilWV7a0da8tU7YykbqcSWf45hqFwx/Obe +QwA63PsdKhp380syQ+WKQDJgs74ZLpvBwEWnhcRoBiCbeJpu8hrQqC2W5v3OWcxy +dlLRqZt/mIfUO1jO9REgQdVS7gHXnNVr6VGawn17YWfsZ0JVmIHd0z6QLUHs+e0p +qdn4k86ao3GAXPIobgB5YbKl19JZozPDLpfPxeah6lCg5IjcEBbspi9L/JtL7VOG +ayDRXnRxR5hUZwGeRZSSgQvVmezePgr4EBRsnt+UDQQKJCTvIUUA3dQCE6pZFCNr +jbl2BojnqfYgNefQ+rvoPfo+9c9waDjp7cXRKwIDAQABAoIBAQCSBzXmjNEPSqWv +NadOATCK67baHDjlx7PUOhHH6LqhyIDbdBhdaAOhj49mMolO1/2kowU+J3SZI/+M +SAy9AhbKIC6jzFiGpgUw6JZpe2X7qa7w6acLtEifw2uhebWcMeDmagQ16BfqEdas +o8zmXaZWwcWkIFOrFR3ue6grhq4JCsM4hpbfKmrCb1qq7u0QntEKibSc8jLAzCR8 +55ghCBIqQlRV0LfZB1Q0+JvIX+a/8bAI5gZCFK7o7nUX4Wl8hmZ8Eeg17OpZa/70 +knhgKCEPymUiNFrKxfU4Y7bUWdiV1OjlttdyN3art8Xhr9/6/dkG7Lhjo3p1DvfV +XBOPR8BhAoGBAPxVyieuJT0NgIa/3oUTaZNOMESfN0ojhPt2Ny/Y9+/zLZVwzmc7 +tSez3K/Iuy4NGqjKbMJ2Ewfz7goHUtjwM55IoowW8eaAHgA0d9VJOZxnfKid9NHc +87xVrkmSqLwRd2yca/OwW10bztbFCMiN2nJfs3qoxhecA7Y2/+NaJqPFAoGBAOt0 +nuB5GlxV8VIhWRJiaqYZ9ehIj5Lp34Zl7WvSYfJVdrq5fvY6Wf3wBsefuLXQKTOY +xPLXNiiW942guxTRkZzwpptDNNN47W8bONBELp21Cwf2fNM27BB2QgQ/6meb9Brd +FdM+DESm/jJoxxb5cT8WkIpJg7q6tXjBk1x6EsAvAoGALvkpcMmSVRM2Yd9F5S// +71QW2C9rc3m5P7Z5/4Y8YYa7bZ5aTg1nY8SvyGltrtzxoYpNRMYGNOzL20IRwiC0 ++zo6SCndTjN7Yj5iMGo5N0xsgFcnRAoFtYGduER89MWrnaRg1DR4TZTnpEN5pxwB +FlmKZ8MTXUHFzx3d9MzLdKECgYEArjmXLmauGNEHRkyiyjXE0K+5BG5cvssLuTlG +21fLXjPbLQQBbFV1LbAkdCY92Vr0gddzNHYG/zXmbAgZJqiD5Os1fQHX3vtGRcaQ +3Zr2G4BRb0z2xJuJRg0bgGWDH7OIhzA87Binn00qH0bkup1NLO+XeJw5OzzY90fV +sMIricUCgYEAwOAZYCmODw8pWC2sLKB9Ot70VssbzR+z/5dEooOU+Mm634lSCW+C +mSCV1/3NvNOUtAvAVB6bnKzJ+Gdw2lZW/gKXB7s7Zqt9momVvc68uTnlaOuf9kYa +Z/ifOs7TYy5uEvVffiasJZNGv559mstcDc1bqINOHka6iBr2pfwsHKw= +-----END RSA PRIVATE KEY----- diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t new file mode 100644 index 000000000..47a8a9d3e --- /dev/null +++ b/t/ssl-ctx.t 
@@ -0,0 +1,290 @@ +# vim:set ft= ts=4 sw=4 et fdm=marker: + +use Test::Nginx::Socket::Lua; +use Cwd qw(cwd); +use Digest::MD5 qw(md5_hex); + +repeat_each(2); + +plan tests => repeat_each() * (blocks() + 5); + +our $CWD = cwd(); +$ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;"; +$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); +our $TEST_NGINX_LUA_PACKAGE_PATH = $ENV{TEST_NGINX_LUA_PACKAGE_PATH}; + +log_level 'debug'; + +no_long_string(); + +sub read_file { + my $infile = shift; + open my $in, $infile + or die "cannot open $infile for reading: $!"; + my $cert = do { local $/; <$in> }; + close $in; + $cert; +} + +our $clientKey = read_file("t/cert/ca-client-server/client.key"); +our $clientUnsecureKey = read_file("t/cert/ca-client-server/client.unsecure.key"); +our $clientCrt = read_file("t/cert/ca-client-server/client.crt"); +our $clientCrtMd5 = md5_hex($clientCrt); +our $serverKey = read_file("t/cert/ca-client-server/server.key"); +our $serverUnsecureKey = read_file("t/cert/ca-client-server/server.unsecure.key"); +our $serverCrt = read_file("t/cert/ca-client-server/server.crt"); +our $caKey = read_file("t/cert/ca-client-server/ca.key"); +our $caCrt = read_file("t/cert/ca-client-server/ca.crt"); +our $http_config = <<_EOS_; +lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;"; + +init_by_lua_block { + require "resty.core.socket.tcp" + + function read_file(file) + local f = io.open(file, "rb") + local content = f:read("*all") + f:close() + return content + end + + function get_response_body(response) + for k, v in ipairs(response) do + if #v == 0 then + return table.concat(response, "\\r\\n", k + 1) + end + end + + return nil, "CRLF not found" + end + + function https_get(host, port, path, ssl_ctx) + local sock = ngx.socket.tcp() + + local ok, err = sock:connect(host, port) + if not ok then + return nil, err + end + + local ok, err = sock:setsslctx(ssl_ctx) + if not ok then + return nil, err + end + + local sess, err = sock:sslhandshake() + if not sess then + 
return nil, err + end + + local req = "GET " .. path .. " HTTP/1.0\\r\\nHost: server\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + return nil, err + end + + local response = {} + while true do + local line, err, partial = sock:receive() + if not line then + if not partial then + response[#response+1] = partial + end + break + end + + response[#response+1] = line + end + + sock:close() + + return response + end +} +server { + listen 1983 ssl; + server_name server; + ssl_certificate ../html/server.crt; + ssl_certificate_key ../html/server.unsecure.key; + + ssl on; + ssl_client_certificate ../html/ca.crt; + ssl_verify_client on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + ssl_prefer_server_ciphers on; + + server_tokens off; + more_clear_headers Date; + default_type 'text/plain'; + + location / { + content_by_lua_block { + ngx.say("foo") + } + } + + location /protocol { + content_by_lua_block {ngx.say(ngx.var.ssl_protocol)} + } + + location /cert { + content_by_lua_block { + ngx.say(ngx.md5(ngx.var.ssl_client_raw_cert)) + } + } +} +_EOS_ +our $user_files = <<_EOS_; +>>> client.key +$clientKey +>>> client.unsecure.key +$clientUnsecureKey +>>> client.crt +$clientCrt +>>> server.key +$serverKey +>>> server.unsecure.key +$serverUnsecureKey +>>> server.crt +$serverCrt +>>> ca.key +$caKey +>>> ca.crt +$caCrt +>>> wrong.crt +OpenResty +>>> wrong.key +OpenResty +_EOS_ + +add_block_preprocessor(sub { + my $block = shift; + + $block->set_value("http_config", $http_config); + $block->set_value("user_files", $user_files); +}); + +run_tests(); + +__DATA__ + +=== TEST 1: ssl ctx - create_ctx must pass options +--- config + location /t{ + content_by_lua_block { + local ssl = require "ngx.ssl" + local ssl_ctx, err = ssl.create_ctx() + if ssl_ctx == nil then + ngx.say(err) + end + } + } +--- request +GET /t +--- response_body +no options found + + + +=== TEST 2: ssl ctx - disable ssl protocols method SSLv2 SSLv3 +--- config + location 
/t{ + content_by_lua_block { + local ssl = require "ngx.ssl" + local ssl_ctx, err = ssl.create_ctx({ + method = "SSLv2_method", + }) + if ssl_ctx == nil then + ngx.say(err) + end + local ssl_ctx, err = ssl.create_ctx({ + method = "SSLv3_method", + }) + if ssl_ctx == nil then + ngx.say(err) + end + } + } +--- request +GET /t +--- response_body +SSLv2 methods disabled +SSLv3 methods disabled + + + +=== TEST 3: ssl ctx - specify ssl protocols method TLSv1、TLSv1.1、TLSv1.2 +--- config + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + function test_ssl_method(method) + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + local ssl_ctx, err = ssl.create_ctx({ + method = method, + priv_key = priv_key, + cert = cert + }) + if ssl_ctx == nil then + return err + end + + local response, err = https_get('127.0.0.1', 1983, '/protocol', ssl_ctx) + + if not response then + return err + end + + local body, err = get_response_body(response) + if not body then + return err + end + return body + end + + ngx.say(test_ssl_method("TLSv1_method")) + ngx.say(test_ssl_method("TLSv1_1_method")) + ngx.say(test_ssl_method("TLSv1_2_method")) + } + } + +--- request +GET /t +--- response_body +TLSv1 +TLSv1.1 +TLSv1.2 + +--- no_error_log +[error] + + + +=== TEST 4: ssl ctx - send client certificate +--- config + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local ssl_ctx, err = ssl.create_ctx({ + priv_key = priv_key, + cert = cert + }) + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + local response = https_get("127.0.0.1", 1983, "/cert", ssl_ctx) + ngx.say(get_response_body(response)) + } + } +--- request +GET 
/t +--- response_body eval +"$::clientCrtMd5 +" From 9407f3c177869108428371addc035a72e51a791d Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 21 Feb 2017 11:33:34 +0800 Subject: [PATCH 02/23] tests: test sslctx with lrucache Signed-off-by: detailyang --- t/ssl-ctx.t | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 65 insertions(+), 3 deletions(-) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index 47a8a9d3e..c8d72b187 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -6,12 +6,13 @@ use Digest::MD5 qw(md5_hex); repeat_each(2); -plan tests => repeat_each() * (blocks() + 5); +plan tests => repeat_each() * (blocks() + 7); our $CWD = cwd(); $ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;"; $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); our $TEST_NGINX_LUA_PACKAGE_PATH = $ENV{TEST_NGINX_LUA_PACKAGE_PATH}; +our $TEST_NGINX_HTML_DIR = $ENV{TEST_NGINX_HTML_DIR}; log_level 'debug'; @@ -36,7 +37,7 @@ our $serverCrt = read_file("t/cert/ca-client-server/server.crt"); our $caKey = read_file("t/cert/ca-client-server/ca.key"); our $caCrt = read_file("t/cert/ca-client-server/ca.crt"); our $http_config = <<_EOS_; -lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;"; +lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;../lua-resty-lrucache/lib/?.lua;"; init_by_lua_block { require "resty.core.socket.tcp" 
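Review bot: In `https_get`, the receive loop tests `if not partial then response[#response+1] = partial end`, which is inverted: it stores a value only when `partial` is nil and drops any trailing data returned alongside the error. The guard should be `if partial and #partial > 0 then`. The early `return nil, err` paths after `connect` also leave the socket open, so a `sock:close()` before each of them would keep failed cases from leaking connections between tests. `sock:sslhandshake()` is called with no arguments, so as far as this hunk shows the server certificate is not verified and the tests cover only the client-certificate direction; a comment saying this is intentional would help.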
@@ -48,6 +49,26 @@ init_by_lua_block { return content end + local lrucache = require "resty.lrucache" + local c, err = lrucache.new(1) + if not c then + return error("failed to create the cache: " .. (err or "unknown")) + end + local ssl = require "ngx.ssl" + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local ssl_ctx, err = ssl.create_ctx({ + priv_key = priv_key, + cert = cert + }) + + c:set("sslctx", ssl_ctx) + + function lrucache_getsslctx() + return c:get("sslctx") + end + function get_response_body(response) for k, v in ipairs(response) do if #v == 0 then @@ -262,7 +283,31 @@ TLSv1.2 -=== TEST 4: ssl ctx - send client certificate +=== TEST 4: ssl ctx - dismatch priv_key and cert +--- config + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/server.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + local ssl_ctx, err = ssl.create_ctx({ + priv_key = priv_key, + cert = cert + }) + if ssl_ctx == nil then + ngx.say("create_ctx err: ", err) + end + } + } + +--- request +GET /t +--- response_body +create_ctx err: SSL_CTX_use_PrivateKey() failed + + + +=== TEST 5: ssl ctx - send client certificate --- config location /t { content_by_lua_block { @@ -288,3 +333,20 @@ GET /t --- response_body eval "$::clientCrtMd5 " + + + +=== TEST 6: ssl ctx - setsslctx with cached ssl_ctx +--- config + location /t { + content_by_lua_block { + local ssl_ctx = lrucache_getsslctx() + local response = https_get("127.0.0.1", 1983, "/cert", ssl_ctx) + ngx.say(get_response_body(response)) + } + } +--- request +GET /t +--- response_body eval +"$::clientCrtMd5 +" From 818327ecdfe649833fa84b5855f896e9946dc8b1 Mon Sep 17 00:00:00 2001 
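Review bot: The result of `ssl.create_ctx` in the `@@ -48,6 +49,26 @@` hunk is cached with `c:set("sslctx", ssl_ctx)` without checking it, and `err` is discarded, so a failure at startup would surface only later in TEST 6 as a confusing `setsslctx` or handshake error. The same block already aborts when `lrucache.new` fails, so the context should follow that pattern: `if not ssl_ctx then return error("failed to create ssl ctx: " .. (err or "unknown")) end`. The return values of `parse_pem_cert` and `parse_pem_priv_key` are unchecked in the same way. The enclosing `init_by_lua_block` starts outside this hunk.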
From: detailyang Date: Sun, 26 Feb 2017 21:00:40 +0800 Subject: [PATCH 03/23] refactor: use protocols as arg to create_ctx Signed-off-by: detailyang --- lib/ngx/ssl.lua | 23 +++++++++++++++------ t/ssl-ctx.t | 55 +++++++++++++++---------------------------------- 2 files changed, 34 insertions(+), 44 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 96d3ba164..918c76e26 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -3,6 +3,7 @@ local ffi = require "ffi" local base = require "resty.core.base" +local bit = require "bit" local C = ffi.C @@ -16,6 +17,7 @@ local get_string_buf = base.get_string_buf local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK +local bor = bit.bor ffi.cdef[[ @@ -59,8 +61,7 @@ void ngx_http_lua_ffi_free_cert(void *cdata); void ngx_http_lua_ffi_free_priv_key(void *cdata); -void *ngx_http_lua_ffi_ssl_ctx_init(const unsigned char *method, - size_t method_len, char **err); +void *ngx_http_lua_ffi_ssl_ctx_init(unsigned int protocols, char **err); void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); @@ -273,17 +274,27 @@ function _M.set_priv_key(priv_key) end +_M.PROTOCOL_SSLv2 = 0x0002 +_M.PROTOCOL_SSLv3 = 0x0004 +_M.PROTOCOL_TLSv1 = 0x0008 +_M.PROTOCOL_TLSv1_1 = 0x0010 +_M.PROTOCOL_TLSv1_2 = 0x0020 +local default_protocols = bor(bor(bor(_M.PROTOCOL_SSLv3,_M.PROTOCOL_TLSv1), + _M.PROTOCOL_TLSv1_1), _M.PROTOCOL_TLSv1_2) + + function _M.create_ctx(options) if type(options) ~= 'table' then return nil, "no options found" end - local method = "SSLv23_method" - if options.method ~= nil then - method = options.method + local protocols = default_protocols + + if options.protocols ~= nil then + protocols = options.protocols end - local ctx = C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) + local ctx = C.ngx_http_lua_ffi_ssl_ctx_init(protocols, errmsg) if ctx == nil then return nil, ffi_str(errmsg[0]) end diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index c8d72b187..d378c2887 100644 
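Review bot: `default_protocols` in the `@@ -273,17 +274,27 @@` hunk includes `_M.PROTOCOL_SSLv3`, so every context created without an explicit `protocols` option offers SSLv3, a protocol deprecated by RFC 7568 and affected by POODLE. I would default to TLS only, `local default_protocols = bor(bor(_M.PROTOCOL_TLSv1, _M.PROTOCOL_TLSv1_1), _M.PROTOCOL_TLSv1_2)`, and leave SSLv3 as something a caller must request by name. The same default is carried unchanged through the later hunks `@@ -279,8 +279,8 @@` and `@@ -275,13 +275,12 @@` of this series. A short comment above the constants stating that they form a bitmask to be combined with `bit.bor` would also help, since the hunk leaves that undocumented. The body of `create_ctx` continues outside the hunk.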
--- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -6,7 +6,7 @@ use Digest::MD5 qw(md5_hex); repeat_each(2); -plan tests => repeat_each() * (blocks() + 7); +plan tests => repeat_each() * (blocks() + 6); our $CWD = cwd(); $ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;"; @@ -127,7 +127,7 @@ server { ssl_certificate ../html/server.crt; ssl_certificate_key ../html/server.unsecure.key; - ssl on; + ssl on; ssl_client_certificate ../html/ca.crt; ssl_verify_client on; @@ -208,43 +208,17 @@ no options found -=== TEST 2: ssl ctx - disable ssl protocols method SSLv2 SSLv3 ---- config - location /t{ - content_by_lua_block { - local ssl = require "ngx.ssl" - local ssl_ctx, err = ssl.create_ctx({ - method = "SSLv2_method", - }) - if ssl_ctx == nil then - ngx.say(err) - end - local ssl_ctx, err = ssl.create_ctx({ - method = "SSLv3_method", - }) - if ssl_ctx == nil then - ngx.say(err) - end - } - } ---- request -GET /t ---- response_body -SSLv2 methods disabled -SSLv3 methods disabled - - - -=== TEST 3: ssl ctx - specify ssl protocols method TLSv1、TLSv1.1、TLSv1.2 +=== TEST 2: ssl ctx - specify ssl protocols TLSv1、TLSv1.1、TLSv1.2 --- config location /t { content_by_lua_block { local ssl = require "ngx.ssl" - function test_ssl_method(method) + function test_ssl_protocol(protocols) + local ssl = require "ngx.ssl" local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) local ssl_ctx, err = ssl.create_ctx({ - method = method, + protocols = protocols, priv_key = priv_key, cert = cert }) 
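Review bot: With the old TEST 2 deleted in the `@@ -208,43 +208,17 @@` hunk, the file no longer has any negative test for legacy protocols. The only remaining SSLv2 case, the `bor` of the SSLv2 and TLSv1.2 constants in the following hunk, shows that TLSv1.2 is still negotiated, not that SSLv2 or SSLv3 alone is refused. I would add a separate test block that builds a context with `protocols = ssl.PROTOCOL_SSLv3` only and expects an error from either `create_ctx` or `https_get`, since the test server lists just `TLSv1 TLSv1.1 TLSv1.2` in `ssl_protocols`. It needs its own block because the current one asserts `--- no_error_log [error]`.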
@@ -265,9 +239,13 @@ SSLv3 methods disabled return body end - ngx.say(test_ssl_method("TLSv1_method")) - ngx.say(test_ssl_method("TLSv1_1_method")) - ngx.say(test_ssl_method("TLSv1_2_method")) + local bit = require "bit" + local bor = bit.bor + + ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1)) + ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1_1)) + ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1_2)) + ngx.say(test_ssl_protocol(bor(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1_2))) } } @@ -277,13 +255,14 @@ GET /t TLSv1 TLSv1.1 TLSv1.2 +TLSv1.2 --- no_error_log [error] -=== TEST 4: ssl ctx - dismatch priv_key and cert +=== TEST 3: ssl ctx - dismatch priv_key and cert --- config location /t { content_by_lua_block { @@ -307,7 +286,7 @@ create_ctx err: SSL_CTX_use_PrivateKey() failed -=== TEST 5: ssl ctx - send client certificate +=== TEST 4: ssl ctx - send client certificate --- config location /t { content_by_lua_block { @@ -336,7 +315,7 @@ GET /t -=== TEST 6: ssl ctx - setsslctx with cached ssl_ctx +=== TEST 5: ssl ctx - setsslctx with cached ssl_ctx --- config location /t { content_by_lua_block { From a81d912b5ab5e3396d97f729d8a939e9e651d953 Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 28 Feb 2017 16:39:29 +0800 Subject: [PATCH 04/23] refactor: get tcp metatable from REGISTRY --- lib/ngx/ssl.lua | 10 +++------- lib/resty/core/socket/tcp.lua | 5 +++-- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 918c76e26..a4b0dee05 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -279,8 +279,8 @@ _M.PROTOCOL_SSLv3 = 0x0004 _M.PROTOCOL_TLSv1 = 0x0008 _M.PROTOCOL_TLSv1_1 = 0x0010 _M.PROTOCOL_TLSv1_2 = 0x0020 -local default_protocols = bor(bor(bor(_M.PROTOCOL_SSLv3,_M.PROTOCOL_TLSv1), - _M.PROTOCOL_TLSv1_1), _M.PROTOCOL_TLSv1_2) +local default_protocols = bor(_M.PROTOCOL_SSLv3, _M.PROTOCOL_TLSv1, + _M.PROTOCOL_TLSv1_1, _M.PROTOCOL_TLSv1_2) function _M.create_ctx(options) 
@@ -288,11 +288,7 @@ function _M.create_ctx(options) return nil, "no options found" end - local protocols = default_protocols - - if options.protocols ~= nil then - protocols = options.protocols - end + local protocols = options.protocols or default_protocols local ctx = C.ngx_http_lua_ffi_ssl_ctx_init(protocols, errmsg) if ctx == nil then diff --git a/lib/resty/core/socket/tcp.lua b/lib/resty/core/socket/tcp.lua index 117e16eb3..285932e11 100644 --- a/lib/resty/core/socket/tcp.lua +++ b/lib/resty/core/socket/tcp.lua @@ -2,12 +2,13 @@ local ffi = require "ffi" +local debug = require 'debug' local base = require "resty.core.base" local C = ffi.C local ffi_str = ffi.string -local getfenv = getfenv +local registry = debug.getregistry() local error = error local errmsg = base.get_errmsg_ptr() local FFI_OK = base.FFI_OK @@ -53,7 +54,7 @@ local function setsslctx(tcp, ssl_ctx) end -local mt = getfenv(0).__ngx_socket_tcp_mt +local mt = registry.__ngx_socket_tcp_mt if mt then mt = mt.__index if mt then From 109999202c01c91115fda42db028bcc74d264b8c Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 28 Feb 2017 17:14:36 +0800 Subject: [PATCH 05/23] refactor: use nil to replace false as return value --- lib/resty/core/socket/tcp.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/resty/core/socket/tcp.lua b/lib/resty/core/socket/tcp.lua index 285932e11..ff7029a4b 100644 --- a/lib/resty/core/socket/tcp.lua +++ b/lib/resty/core/socket/tcp.lua @@ -47,7 +47,7 @@ local function setsslctx(tcp, ssl_ctx) local rc = C.ngx_http_lua_ffi_socket_tcp_setsslctx(r, tcp, ssl_ctx, errmsg) if rc ~= FFI_OK then - return false, ffi_str(errmsg[0]) + return nil, ffi_str(errmsg[0]) end return true From 896f36ebb7241322e2b463d3f51c852f0430f652 Mon Sep 17 00:00:00 2001 
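Review bot: `lib/resty/core/socket/tcp.lua` now requires the `debug` library and keeps the whole registry table in a module-level local (`local registry = debug.getregistry()`) just to read one key. Narrowing it to `local mt = debug.getregistry().__ngx_socket_tcp_mt` avoids holding a reference to the registry for the lifetime of the module. A comment should state that the key is presumably published by the companion lua-nginx-module change and that `setsslctx` is installed only when it is present. From the visible lines a missing metatable appears to be skipped silently, so a caller would find out only when `sock:setsslctx` is nil; the `if mt then` block continues outside the hunk, so that needs confirming there.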
From: detailyang Date: Wed, 8 Mar 2017 15:18:42 +0800 Subject: [PATCH 06/23] refactor: caller allocate error message buffer --- lib/ngx/ssl.lua | 21 ++++++++++++++------- t/ssl-ctx.t | 4 ++-- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index a4b0dee05..5333d94fc 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -14,6 +14,7 @@ local error = error local tonumber = tonumber local errmsg = base.get_errmsg_ptr() local get_string_buf = base.get_string_buf +local get_string_buf_size = base.get_string_buf_size local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK @@ -66,10 +67,10 @@ void *ngx_http_lua_ffi_ssl_ctx_init(unsigned int protocols, char **err); void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, - void *cdata_key, char **err); + void *cdata_key, unsigned char **err_buf, size_t err_buf_len); int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, - void *cdata_cert, char **err); + void *cdata_cert, unsigned char **err_buf, size_t err_buf_len); ]] @@ -79,6 +80,7 @@ local _M = { version = base.version } local charpp = ffi.new("char*[1]") local intp = ffi.new("int[1]") +local err_buf = ffi.new("unsigned char *[1]") function _M.clear_certs() 
@@ -297,19 +299,24 @@ function _M.create_ctx(options) ctx = ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free) + local size = get_string_buf_size() + local buf = get_string_buf(size) + err_buf[0] = buf + if options.cert ~= nil then - local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert(ctx, - options.cert, errmsg) + local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert(ctx, options.cert, + err_buf, size) if rc ~= FFI_OK then - return nil, ffi_str(errmsg[0]) + return nil, ffi_str(err_buf[0]) end end if options.priv_key ~= nil then local rc = C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ctx, - options.priv_key, errmsg) + options.priv_key, + err_buf, size) if rc ~= FFI_OK then - return nil, ffi_str(errmsg[0]) + return nil, ffi_str(err_buf[0]) end end diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index d378c2887..acfc580cf 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -274,7 +274,7 @@ TLSv1.2 cert = cert }) if ssl_ctx == nil then - ngx.say("create_ctx err: ", err) + ngx.say(err) end } } @@ -282,7 +282,7 @@ TLSv1.2 --- request GET /t --- response_body -create_ctx err: SSL_CTX_use_PrivateKey() failed +error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch From aa58488e0bcdf2fa1f2ff3bd932cb35184da283e Mon Sep 17 00:00:00 2001 From: detailyang Date: Sat, 11 Mar 2017 16:36:16 +0800 Subject: [PATCH 07/23] refactor: copy literal to caller error buffer --- lib/ngx/ssl.lua | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 5333d94fc..252cf91ae 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -19,6 +19,7 @@ local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK local bor = bit.bor +local ERR_BUF_SIZE = 256 ffi.cdef[[ 
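Review bot: The expected body of the mismatch test in the `@@ -282,7 +282,7 @@` hunk is now the raw OpenSSL error string `error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch`. The numeric code and the function name in that string can differ between OpenSSL versions, so the test is tied to the library build used in CI. Matching only the stable reason text keeps the assertion without that dependency: use `--- response_body_like` with `key values mismatch`.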
@@ -66,11 +67,11 @@ void *ngx_http_lua_ffi_ssl_ctx_init(unsigned int protocols, char **err); void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); -int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, - void *cdata_key, unsigned char **err_buf, size_t err_buf_len); +int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, + unsigned char *ssl_err_buf, size_t *ssl_err_buf_len); -int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, - void *cdata_cert, unsigned char **err_buf, size_t err_buf_len); +int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, + unsigned char *ssl_err_buf, size_t *ssl_err_buf_len); ]] @@ -299,24 +300,26 @@ function _M.create_ctx(options) ctx = ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free) - local size = get_string_buf_size() - local buf = get_string_buf(size) - err_buf[0] = buf + local err_buf = get_string_buf(ERR_BUF_SIZE) + local err_buf_len = get_size_ptr() + err_buf_len[0] = ERR_BUF_SIZE if options.cert ~= nil then local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert(ctx, options.cert, - err_buf, size) + err_buf, + err_buf_len) if rc ~= FFI_OK then - return nil, ffi_str(err_buf[0]) + return nil, ffi_str(err_buf, err_buf_len[0]) end end if options.priv_key ~= nil then local rc = C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ctx, options.priv_key, - err_buf, size) + err_buf, + err_buf_len) if rc ~= FFI_OK then - return nil, ffi_str(err_buf[0]) + return nil, ffi_str(err_buf, err_buf_len[0]) end end From f4fa4bc306d6e77e8374f9f804cf791f71961b2e Mon Sep 17 00:00:00 2001 From: detailyang Date: Sat, 11 Mar 2017 16:38:40 +0800 Subject: [PATCH 08/23] travis: use personal lua-nginx-module to pass test --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 3f5cf76bf..143a70aba 100644 --- a/.travis.yml +++ b/.travis.yml 
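Review bot: In the `@@ -299,24 +300,26 @@` hunk, `options.cert` and `options.priv_key` are handed straight to C functions whose parameters are declared `void *`, and nothing on the Lua side checks that they are the handles returned by `parse_pem_cert` and `parse_pem_priv_key`. A pointer cdata of the wrong kind, for instance the two options swapped, would therefore reach the C side unchecked. At minimum I would add `if type(options.cert) ~= "cdata" then return nil, "bad cert option" end` and the equivalent for `priv_key`, and state the requirement in the function's doc comment. Because `err_buf_len` is an in/out parameter shared by both calls, setting `err_buf_len[0] = ERR_BUF_SIZE` again before the `set_priv_key` call would also guard against the first call having changed it. `create_ctx` starts outside this hunk.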
@@ -56,7 +56,7 @@ install: - git clone https://github.com/openresty/openresty.git ../openresty - git clone https://github.com/openresty/openresty-devel-utils.git - git clone https://github.com/simpl/ngx_devel_kit.git ../ndk-nginx-module - - git clone https://github.com/openresty/lua-nginx-module.git ../lua-nginx-module + - git clone -b lua-ffi-api-sslctx https://github.com/detailyang/lua-nginx-module.git ../lua-nginx-module - git clone https://github.com/openresty/no-pool-nginx.git ../no-pool-nginx - git clone https://github.com/openresty/echo-nginx-module.git ../echo-nginx-module - git clone https://github.com/openresty/lua-resty-lrucache.git From f1be855c67837c60e2a382874baa5e5562980aed Mon Sep 17 00:00:00 2001 From: detailyang Date: Sat, 11 Mar 2017 16:46:44 +0800 Subject: [PATCH 09/23] style: remove unused variable --- lib/ngx/ssl.lua | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 252cf91ae..03699c5be 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -14,7 +14,6 @@ local error = error local tonumber = tonumber local errmsg = base.get_errmsg_ptr() local get_string_buf = base.get_string_buf -local get_string_buf_size = base.get_string_buf_size local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK @@ -81,7 +80,6 @@ local _M = { version = base.version } local charpp = ffi.new("char*[1]") local intp = ffi.new("int[1]") -local err_buf = ffi.new("unsigned char *[1]") function _M.clear_certs() From ea2e6347a41027c2a7393319d9af430ecdea48f3 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 7 May 2017 22:27:04 +0800 Subject: [PATCH 10/23] refactor: omit PROTOCOL prefix in ngx.ssl --- lib/ngx/ssl.lua | 13 ++++++------- t/ssl-ctx.t | 8 ++++---- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 03699c5be..19efe8d7b 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua 
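Review bot: The `.travis.yml` hunk makes CI build against the `lua-ffi-api-sslctx` branch of a personal fork of lua-nginx-module, fetched by branch name, so the code the tests run against can change without any change in this repository. If this is needed only until the companion change lands upstream, put a comment on the line saying so and restore `https://github.com/openresty/lua-nginx-module.git` before merge. If it has to stay for a while, check out a fixed revision after the clone, for example `- git -C ../lua-nginx-module checkout <commit-sha>` (placeholder), so that each CI run is reproducible.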
@@ -275,13 +275,12 @@ function _M.set_priv_key(priv_key) end -_M.PROTOCOL_SSLv2 = 0x0002 -_M.PROTOCOL_SSLv3 = 0x0004 -_M.PROTOCOL_TLSv1 = 0x0008 -_M.PROTOCOL_TLSv1_1 = 0x0010 -_M.PROTOCOL_TLSv1_2 = 0x0020 -local default_protocols = bor(_M.PROTOCOL_SSLv3, _M.PROTOCOL_TLSv1, - _M.PROTOCOL_TLSv1_1, _M.PROTOCOL_TLSv1_2) +_M.SSLv2 = 0x0002 +_M.SSLv3 = 0x0004 +_M.TLSv1 = 0x0008 +_M.TLSv1_1 = 0x0010 +_M.TLSv1_2 = 0x0020 +local default_protocols = bor(_M.SSLv3, _M.TLSv1, _M.TLSv1_1, _M.TLSv1_2) function _M.create_ctx(options) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index acfc580cf..0abac449e 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -242,10 +242,10 @@ no options found local bit = require "bit" local bor = bit.bor - ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1)) - ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1_1)) - ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1_2)) - ngx.say(test_ssl_protocol(bor(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1_2))) + ngx.say(test_ssl_protocol(ssl.TLSv1)) + ngx.say(test_ssl_protocol(ssl.TLSv1_1)) + ngx.say(test_ssl_protocol(ssl.TLSv1_2)) + ngx.say(test_ssl_protocol(bor(ssl.SSLv2, ssl.TLSv1_2))) } } From 2052108afcd9f229de1d5d2f4c69e5b776cfb45c Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 7 May 2017 22:27:56 +0800 Subject: [PATCH 11/23] style: ffi.cdef should not be indented --- lib/resty/core/socket/tcp.lua | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/resty/core/socket/tcp.lua b/lib/resty/core/socket/tcp.lua index ff7029a4b..1720a908d 100644 --- a/lib/resty/core/socket/tcp.lua +++ b/lib/resty/core/socket/tcp.lua @@ -16,9 +16,8 @@ local FFI_OK = base.FFI_OK ffi.cdef[[ - int - ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r, - void *u, void *cdata_ctx, char **err); +int ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r, void *u, + void *cdata_ctx, char **err); ]] From 4b26b17ce6a50843275ee609f11107a92ca7bfdf Mon Sep 17 00:00:00 2001 
From: detailyang Date: Sun, 7 May 2017 22:30:16 +0800 Subject: [PATCH 12/23] refactor: no need to assign ctx again after ffi_gc --- lib/ngx/ssl.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 19efe8d7b..28db5c0fe 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -295,7 +295,7 @@ function _M.create_ctx(options) return nil, ffi_str(errmsg[0]) end - ctx = ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free) + ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free) local err_buf = get_string_buf(ERR_BUF_SIZE) local err_buf_len = get_size_ptr() From 9ebd5b619d789484077f6689b4f3f6c777d3cc28 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 7 May 2017 22:31:39 +0800 Subject: [PATCH 13/23] style: omit parentheses only one argument --- t/ssl-ctx.t | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index 0abac449e..e281fbf8f 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -58,10 +58,10 @@ init_by_lua_block { local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) - local ssl_ctx, err = ssl.create_ctx({ + local ssl_ctx, err = ssl.create_ctx{ priv_key = priv_key, cert = cert - }) + } c:set("sslctx", ssl_ctx) @@ -195,7 +195,7 @@ __DATA__ location /t{ content_by_lua_block { local ssl = require "ngx.ssl" - local ssl_ctx, err = ssl.create_ctx() + local ssl_ctx, err = ssl.create_ctx{} if ssl_ctx == nil then ngx.say(err) end @@ -217,11 +217,11 @@ no options found local ssl = require "ngx.ssl" local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) - local ssl_ctx, err = ssl.create_ctx({ + local ssl_ctx, err = ssl.create_ctx{ protocols = protocols, priv_key = priv_key, cert = cert - }) + } if ssl_ctx == nil then return err end 
@@ -269,10 +269,10 @@ TLSv1.2 local ssl = require "ngx.ssl" local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/server.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) - local ssl_ctx, err = ssl.create_ctx({ + local ssl_ctx, err = ssl.create_ctx{ priv_key = priv_key, cert = cert - }) + } if ssl_ctx == nil then ngx.say(err) end @@ -294,10 +294,10 @@ error:0B080074:x509 certificate routines:X509_check_private_key:key values misma local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) - local ssl_ctx, err = ssl.create_ctx({ + local ssl_ctx, err = ssl.create_ctx{ priv_key = priv_key, cert = cert - }) + } if ssl_ctx == nil then ngx.say("failed to init ssl ctx: ", err) From 23b1d04b6aca5eda09b3bf929daddf4c33a7038a Mon Sep 17 00:00:00 2001 From: detailyang Date: Mon, 8 May 2017 00:38:45 +0800 Subject: [PATCH 14/23] tests: fix create_ctx must pass options --- t/ssl-ctx.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index e281fbf8f..f15aeb89f 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -195,7 +195,7 @@ __DATA__ location /t{ content_by_lua_block { local ssl = require "ngx.ssl" - local ssl_ctx, err = ssl.create_ctx{} + local ssl_ctx, err = ssl.create_ctx() if ssl_ctx == nil then ngx.say(err) end From 38fb43451c755974ca1762aab2e0b7b47744a964 Mon Sep 17 00:00:00 2001 
From: detailyang Date: Mon, 8 May 2017 00:39:40 +0800 Subject: [PATCH 15/23] cert: regenerate ca client server key and crt --- t/cert/ca-client-server/ca.crt | 32 +++++------ t/cert/ca-client-server/ca.key | 56 ++++++++++---------- t/cert/ca-client-server/client.cer | 26 ++++----- t/cert/ca-client-server/client.crt | 26 ++++----- t/cert/ca-client-server/client.csr | 24 ++++----- t/cert/ca-client-server/client.key | 52 +++++++++--------- t/cert/ca-client-server/client.p12 | Bin 2349 -> 2349 bytes t/cert/ca-client-server/client.pfx | Bin 2349 -> 2349 bytes t/cert/ca-client-server/client.unsecure.key | 50 ++++++++--------- t/cert/ca-client-server/ecc-server.crt | 18 +++---- t/cert/ca-client-server/ecc-server.csr | 10 ++-- t/cert/ca-client-server/ecc-server.key | 6 +-- t/cert/ca-client-server/server.cer | 26 ++++----- t/cert/ca-client-server/server.crt | 26 ++++----- t/cert/ca-client-server/server.csr | 24 ++++----- t/cert/ca-client-server/server.key | 52 +++++++++--------- t/cert/ca-client-server/server.unsecure.key | 50 ++++++++--------- 17 files changed, 239 insertions(+), 239 deletions(-) diff --git a/t/cert/ca-client-server/ca.crt b/t/cert/ca-client-server/ca.crt index 075fb9fb4..9e64ef695 100644 --- a/t/cert/ca-client-server/ca.crt +++ b/t/cert/ca-client-server/ca.crt 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC7TCCAdWgAwIBAgIJAPQtwgjj8kufMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV -BAMMAmNhMB4XDTE3MDIxOTE1MTYwNVoXDTE3MDMyMTE1MTYwNVowDTELMAkGA1UE -AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVINQ5PqDbYUz+ -g9sxuJWC87leChR0EwoT6NwVBFEQiqtFSBK17gN1kYTez2qFIeqjwoAL3K2VNTlP -g/79E501HynND8vQG7cBQGX/GRtQoU8aCp/DgmkzNeLudlu8Rgp3mhQY+DLMQkXs -mUsmcjVpx6+tPXsnxAnbQ7DdH8gD+XaECoGH39FIdGiwmZY5Y/PjPYUk36qknkfm -pUem7GSVPbG5Etxbk0Q4jAjL8JrN6wBtj4HiX9LLW+o8b/nNypf2HkDObV1DliPx -S1A9lbYcq+X/uXlq67uzMO/8Xy1optJNe4AMsUp7VWIqMCJ2e2q0c7jULJGNdmUz -EO0fAopjAgMBAAGjUDBOMB0GA1UdDgQWBBReqrUnkoVTa1qkVBdIbTR0c15/NDAf -BgNVHSMEGDAWgBReqrUnkoVTa1qkVBdIbTR0c15/NDAMBgNVHRMEBTADAQH/MA0G -CSqGSIb3DQEBCwUAA4IBAQBGEec8MWgYkj4JzKeHUF6q5Vw2fyD6lZZsv7NmSnkb -jUhe+mKxgvwn82lKiGcyQth9OQtVQ7j6Q3gHfcLSqHNhQGjZA1/tgHGjHH9yK3Lw -69dRgQZFT/1IP84qrU/TVVY2tsVlO00BTfDbPgHvQTMkoRneN36l8P8gmwAzOG4h -R/z7c3bExwy/liAPtbKCXW9tZkJ72x7jLPgLk+NBw0heH6Sank46eMvg9c8H2HXD -oF1dPlaNZXqoeIIMGAWzxLOF8gl3F2+tFM1qpjdg+kFaK+bh9W59MefDoVZ+r+f1 -GP1cO7cbo8hn2rFf/LT3JFiU+uS5nmoAKJF0w5u5O1YY +MIIC7TCCAdWgAwIBAgIJAM0KJFGpzyyYMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV +BAMMAmNhMB4XDTE3MDUwNTE4MDM0MFoXDTE3MDYwNDE4MDM0MFowDTELMAkGA1UE +AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9Tg7yQoZq4xM6 +/Gl5+BIN3Hj+4GPhBW9Q+gitVSHNVaZU1gDqt6Is5jMzK3/id2keDmVVraAHLpOu ++IoLae1iU29cnAzIWAiYxLMSVvzfka5nqkFcyEes967EsPEJrE/omI8HgVgBi7M8 +0SGxeTBjFtpp7Q4GHQFBRU2DmREfzmvU4smFc29LNPh0y/GAyhOtTPK9hoQPVLRx +fHHzIq48pDzY/G38GCCR0KL5tVT3Ln/u9SJD3OXnrkEBJOTGUWX5LATyULKcEBGm +fIK2xOOEcM0OBSE5CRrKKvioNHaDnNgp4KZ2ZE6KIMwBT0nkRzx/jA22/zAAQs15 +RZ/51//LAgMBAAGjUDBOMB0GA1UdDgQWBBS4nNeF58CTALtsvP10v7m5mW3XNjAf +BgNVHSMEGDAWgBS4nNeF58CTALtsvP10v7m5mW3XNjAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQCGzzsh8ea3OkjrRia2ijPOUZ+NKujO0xkQLPUfCnNF +HDXJkdt4w1+cq7P+ioLe4t4XN4MeZ7KM7AOObHtRo3drKXP2rwhGtFBLwD/VRwgS +ndWRvLdgJJaBww+HYWykVV27LD9Q9Iw/+4O7srShVaD9ia6i6UhlEFaio63Ra4cZ 
+NavE1LJzBSoJDsCjiaMIaenv5EsfwOch1gXTCFcmQSU17SmZ+q1K/ouql0kUEa9g +LaGQndHOWc0J9sZijCfqqLaIBVoFckrh+eRXKR0Sg10LjbIWZrDNjXsBnkVJtLMV +APcTBa3PS2eGl0Yg2i/SeTUd+oRRadeVioWTejBV1zaM -----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/ca.key b/t/cert/ca-client-server/ca.key index 4c98e236c..c59d56e60 100644 --- a/t/cert/ca-client-server/ca.key +++ b/t/cert/ca-client-server/ca.key 
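Review bot: The regenerated CA certificate in the `ca.crt` hunk is again valid for only about 30 days: its new body encodes a validity window of 2017-05-05 to 2017-06-04, and the one it replaces ran from 2017-02-19 to 2017-03-21. The client certificate regenerated in the same commit runs to 2101, so any test that verifies the chain against this CA will presumably start failing again once the CA lapses. The lasting fix belongs in the generation step rather than in another re-run; `generate-cert.sh` is not part of this hunk, but if it creates the CA with `openssl req -x509` and no explicit lifetime, passing `-days` with a long value there would bring the CA in line with the leaf certificates. The same hunk is repeated in the following copy of this patch (PATCH 16/23).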
@@ -1,30 +1,30 @@ -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIeyaHYkkMvlQCAggA -MBQGCCqGSIb3DQMHBAiAPxNz0HpLxQSCBMh8p/EASfeEFeHqX4ZYiIwBRnGvX5PB -jTCxNQkBeDB5OP+3LS0jNIpr8ynEYCER6cCo46PUve0oWqszItfoOgZ0yAaiak4h -k/foVMX8WSDN+9yMYRfF0T1ia6yvJDxJYneVt+azF5a5Mz3PdGuz9CKdgU0+9gMY -AnW35Imx0lp7R+qa23fmDDGFbFaBvyAymCyF/nE1yq7Y4HrmxQxM9ZgB+1HO2Xff -PHlU+M+bH66P7MkoQmwMourWP0DT5OuWUppjN5DMz5FejdzdWtkJ8ZHfnm1t0J0w -/o+xjKzbCmODKLBGSrig5Wy0wBN1aseHModNBBiYX/hcuYjdl8smlewtpD5mxm6L -fgjxW7/q1aut3bTtK1wLI4UY/exj06umYzNqcS3Uv9rDEOJHen/yfXzOiWz5onBr -Cl6WPN5+SiAT1buRRY7G3HDmur2ehA9FDWz+5udMfwQFFc+qHJCDnzcymE64yOVe -YL5fJNyubysAERx2RA/HaqjP7gLyx3YjZSEmsta1esu6zYreNlrBSrulRwKa/vBN -CsKDsHl+zSSzyT8nuZVBCWKgUvzpndCyrQ7DnBiiNZHdbFeT5FMd+Px77RNSI+4P -ga5r/ksDUHY/OYQILGwrG5fpUE9Ag1VId+FhkHJXcQD58YyYvwysBpeQnnc/cQDV -yl1q6RL7J4sJbZTLATTUnsqDXg88p+4/mVEdCF2KxLl/mnc80UQ/GZ375y43y5Du -RqZBaTt6HWsp9m7Q/zi/6F4mKP3JjaGwVny8VWftB5Wcd+p2LeR0xq7uuUo70mwA -rtgZFqIuzio5xQK3u+GxOGAk8G9SMzt4BeQeAnh9Q9sL1nbNdX60SaXZRhVeXxeQ -1ISW0JOqhCgL2Zp0Gro8uDLe4S6DlOXMVlh1PBp5oAI9yJeexnCFLYN8lAuM1iq0 -KwrVEEzlhBc+VlqDeP66sKfE8nXKPH6iWSguiTn9ydXFU8Y+osr9g5s9z86L4smn -RjiXH9h1DbgMh+3wROCmLQ9Zl8Gdcf5T5JjiDwsn0BWeSOePjJ2Utg9XUOZnU6Ze -AEqI14bSNBSdjIrfhJsbxVshYkuySNKzBIX4fO483BTsQQRO+KtFMxlVHvCLAy6g -pyeHtaouThNqGysYPoqDnUqhVKiVc/bD+0DyU4sXDXkqW4ooHfH/ubicAYbj0aFl -4rpQQowNPJ7Cb2/ksHL/Wr9AZSCtyDseaM9wNW+6FEg/GaCdDr66j0SGfrN1rmmo -yeFamnsdyqXhrKGq2aStUslW6ZL+lWJJVMLqZ1Ebbc6MqTdulfv/mf9mtlEKDHJy -uKcQOo7dmoOiQpV+BEEpJlQeIMm5fGLecqxQ5+r1szFKhEKeAEDemqn/ch/MZMS2 -4kDgnM7lWZMPCaE2Rnso/BqDgkzKyZl3clYw2K16Tp69iEOGHpVtNfIXj5XFZCqy -33V0LgDYcGVJVIR3fF7zeXCkJ3cYwG0LOxzP2HzrOgZ6OShPZ8o7yfZTctJs0N86 -AvqegXEtmPoHID7lsZyITzl9b8CsqnkzpL1+9Z2HyRCTcGJUxsYJ1LrKiinXO3hN -XNuKfkx5Ku8AaoBAsnWN7o5wxv774MoWgXKYHnSChu+tPgMQZKn9mBlmx6HsjYXK -dk8= +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIHubYMBY2WEECAggA +MBQGCCqGSIb3DQMHBAiAutcERUP8PASCBMin+/7JEjwfuogJqvH+NtgLrqxmhWvG 
+LbjCNcjb2AeYWEYzG0BtOKvqKuK5zpJL2++uCxarAGwz2GCVbQvtKWEuDN4k0oUr +LL00S87jkAIfT1HQ6GBKmbEZ2PduoTkl3wy4n9lcegD4FaMn4oU5UpdNlEALXZl6 +DQNgbsWXsMzkjzHu+yt5VxfrVcp3tyyZztbRNnDDi0Gka7dkokwfVJwjj61Ra51r +48iASqqjOtT8spXo6CyUC32CRE/F3MKrscdBTHa0/37vgobKSUqy7kcNkXVXpq+4 +HPzUzCtBAs7BxZD+SoKtAIEap7Nl81yWvMrkVM324dzhIRTw5eg83mPpRp8V0q5S +A7ntz5F3Dm73jCpz2uRwwYdoj2uIqi2JbxRdSguSYTTwZ99Dgv4wN33KlaDmZzMP +i2Ouk3e/xJ3lZpv3s4yODxORw0yXOfawIEpz1V8wwRYpgHpzKdlF6WmNoTXDGo51 +o0PmzsAsdWq5W6SXwgIR1uqKzgfpynVSVxmeQzMUkrhThmngmVxW208n8a8TQm9p +ZZTrCt3uxVkHkgxsNa71/jQXMBZnZ8AamgzstFM1NGpDTgiNiVb8M4/8238NGTLG +Iudz6l0ff07xKjLv+ot93vFNLvGrxMgE/O3x+Dq0h15e9er87dnpOgV66PLajnd7 +qugsyPbFnodc+ETVA+7R1GXwqOxKtqNxVUpzNtw27NjUSeOD4I8aVuTLCx0hNIdS +7cgHnKPrnts2Y87JlPslDxVZuutRaLJM8XVzsjTdZ+RQYMZOHF6p72kBPuW4xrqX +MqON6nrUginC6/UIZR9SXs7RTkbikymEKPOVa8qjHdSASAKYa1WwGcMPVNktZ10u +YnGyx+Tg6M3SC2+o3q1ga4wUiNW0RWXtb5k2vah7PFbuzDqvgglyrDxb2/buZSSS +37sv86w3ApRV1MB7qIGmws1PkjEZAS6EVZrBqtmzhLr6xg/ZnYThr/84vjEsy9P4 +8EbU/rj/7cQiHJsAzT9EGVZX4jxhZ9OFdT7vg7+ihPZ+TAXKjDyhESpr4pEyo8HP +yyasWbq0PWYcJqEg4HVTYVIYNaknM8BCuMTBG2tJxvaBLpHHBqmYxygFROhdRvbg +liBI10CFj5D157xSQx0Fb8/wc9e1BzOjTWVtlveVJ8gcGQUd2Dqy4sWUogYlWbbW +qkOapqYy1sSXHW/vlO9TNcaxOnWHmmkmpc9VKqu8CG93sreY21d0Y/GGmZB3+VUd +NU9zDBfzNaJfvJDxM4wjVYeCHexddf+gwg7jitvgtITV89epG6MWZgiX1c0ezIBQ +/Mw1zleae8p4ut4sdhr7OE4kbv/787DCE+eztbH20bDk0ZxkgaeJb+shTlUfFxC4 +BXyG7BAVsmbNaurgC8hJJbjgDJ0Y7PkdXVPFZpcn2gsxDQ2nxcOQhqfEAnZ3JbJ/ +UKjxj4DxPsUK4pSIRdjTJV0FdxG7YGDnOF9Hpw2VfhMnbpcFz+ZmM/EO7RplXHJP +gucdAmMhGsnzTIUnH+jBogzKFNskpOBshOxlfxt3XDl/dNzH6dolkbCK/nyz8nmY +acbszKMN+RvV3RT8C9w3fczqGQbPulz6y1pnzx//OjZs5McXfQP08flVK1lYrAPl +3/k= -----END ENCRYPTED PRIVATE KEY----- diff --git a/t/cert/ca-client-server/client.cer b/t/cert/ca-client-server/client.cer index 5de531e80..03bf44f25 100644 --- a/t/cert/ca-client-server/client.cer +++ b/t/cert/ca-client-server/client.cer 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw -MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +NTA1MTgwMzQwWhgPMjEwMTA0MDUxODAzNDBaMGMxCzAJBgNVBAYTAlVTMRMwEQYD VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDn54uRvvZ+pNcX7pLcyWgLtuvLSyOy2yx7D7eaf7zc -18fekOKSOmCMkGsbaB+Q5G1TmQa4B/79ajpu8xSxVPNyiRbKv+c8dNhfCBVglHmB -VbnULLQxpAYWUG865QCpbqap1sa5VDPWG9wISCSGLbVOpF7cU7FKFRqW1j+kwM5y -D6HQ0bZaM6eVMoNTiVzLOw8AjoEMlF9JvYjCQ++UkNl2/vvlqg92suv+YmAUVMHG -jcz3yZ86djj4LcvJkAskgwgHf8uzeyiqe8aWHOXFvIbpa3YY8XEZBusePvkNFhBy -VJDi4T2sHTNqOuzNwSG90L8bwNp9REGYP9YW6ZoBTibXAgMBAAEwDQYJKoZIhvcN -AQELBQADggEBAKaqvxiiT87tnsMkXMbUlYwPm1ku4vi38lANEakTEkxnyMoxRNla -gdy/lQ3+YSL7XdLZ6mBwfFSNDBy9PN+rzEWZyXS1kJKp3MAvbJcIjp2+Zzwnc/2d -5iZzITrUg6Lx2X99GHNamOCidnQXR4ifGauVvG14g8nVAiHbKnXNyZn3qptPSAXm -YLidPBeDVtF9vnF8VmajLBmCxklIxo30E1HhuZNZsViKeJsH85Y8GYyYJeA/WaJs -pzOSesQQCJGYtHwyTJVEnqP3EJq+wcj+JaezVP++NeyfqxjeHAJZElqf0k3QBhWt -yk6Mo8iri3milOUQOokidQhMZ49wtnelu7o= +AQUAA4IBDwAwggEKAoIBAQDUgSzFaqPWaU8jlHJEZH5UJYCy5Y34ImUwSb3Hf0xw +Xn4phlWAvtvA7QcDjiMlMaDJRGwfLpQkg/7SwGFwahHBt4LZ1nJ9pwAndFpK32NY +5QexMKBSAs5C2w6vV6EcKaNE0rhDuxEeXhVqWzZtPV3GjrA6xZSqUcgzESvYDw6c +NySls3XXEYiOh+3ejms/8MSRQuHxkDyXraSIrlsg+WPWDYK1Cq2zigLTalkYl6VJ +08RChhVqD5wDgZuTQaO9IJnx0kflormQK7cwOFYD6y/5OVpvtEilrMY+YQMgTOqs +W3y+cSPCuC7nI1HstZK8g9h0PakUItn43EwimHxexWdbAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAITcoW3CYirApxuHKoBee12/exxJWrL5jp5d4vbL6p7+EaP13Egk +OVkFOtGUCHeIf8Qu/q/AvQq+pec1V5hNuo+b9ISHya9hslWhEmzXCro6ABB41emG +quI4zxp0RmF7knNOQDmsgKq+PhQzN8/YVRKIdGeEDIFSZgOCocx3nQZhSyWkCL5Z +Jj1FgU5kSMtS6wqMHHmQ/RFzIEV6qBaA0Xb+Cq42UoiI9dd8GfywMqsaDdGeXPGZ +YdbnmGAPY6qBNesrmPNboCHF0TD8SxKRIJP/WX8Co0WorxDmri78lKHC4hjRVBJX +V4J1aGfQRZzpLDfXtSRVzddYcgoKTi8MZeQ= -----END CERTIFICATE----- 
diff --git a/t/cert/ca-client-server/client.crt b/t/cert/ca-client-server/client.crt
index 5de531e80..03bf44f25 100644
--- a/t/cert/ca-client-server/client.crt
+++ b/t/cert/ca-client-server/client.crt
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw -MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +NTA1MTgwMzQwWhgPMjEwMTA0MDUxODAzNDBaMGMxCzAJBgNVBAYTAlVTMRMwEQYD VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDn54uRvvZ+pNcX7pLcyWgLtuvLSyOy2yx7D7eaf7zc -18fekOKSOmCMkGsbaB+Q5G1TmQa4B/79ajpu8xSxVPNyiRbKv+c8dNhfCBVglHmB -VbnULLQxpAYWUG865QCpbqap1sa5VDPWG9wISCSGLbVOpF7cU7FKFRqW1j+kwM5y -D6HQ0bZaM6eVMoNTiVzLOw8AjoEMlF9JvYjCQ++UkNl2/vvlqg92suv+YmAUVMHG -jcz3yZ86djj4LcvJkAskgwgHf8uzeyiqe8aWHOXFvIbpa3YY8XEZBusePvkNFhBy -VJDi4T2sHTNqOuzNwSG90L8bwNp9REGYP9YW6ZoBTibXAgMBAAEwDQYJKoZIhvcN -AQELBQADggEBAKaqvxiiT87tnsMkXMbUlYwPm1ku4vi38lANEakTEkxnyMoxRNla -gdy/lQ3+YSL7XdLZ6mBwfFSNDBy9PN+rzEWZyXS1kJKp3MAvbJcIjp2+Zzwnc/2d -5iZzITrUg6Lx2X99GHNamOCidnQXR4ifGauVvG14g8nVAiHbKnXNyZn3qptPSAXm -YLidPBeDVtF9vnF8VmajLBmCxklIxo30E1HhuZNZsViKeJsH85Y8GYyYJeA/WaJs -pzOSesQQCJGYtHwyTJVEnqP3EJq+wcj+JaezVP++NeyfqxjeHAJZElqf0k3QBhWt -yk6Mo8iri3milOUQOokidQhMZ49wtnelu7o= +AQUAA4IBDwAwggEKAoIBAQDUgSzFaqPWaU8jlHJEZH5UJYCy5Y34ImUwSb3Hf0xw +Xn4phlWAvtvA7QcDjiMlMaDJRGwfLpQkg/7SwGFwahHBt4LZ1nJ9pwAndFpK32NY +5QexMKBSAs5C2w6vV6EcKaNE0rhDuxEeXhVqWzZtPV3GjrA6xZSqUcgzESvYDw6c +NySls3XXEYiOh+3ejms/8MSRQuHxkDyXraSIrlsg+WPWDYK1Cq2zigLTalkYl6VJ +08RChhVqD5wDgZuTQaO9IJnx0kflormQK7cwOFYD6y/5OVpvtEilrMY+YQMgTOqs +W3y+cSPCuC7nI1HstZK8g9h0PakUItn43EwimHxexWdbAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAITcoW3CYirApxuHKoBee12/exxJWrL5jp5d4vbL6p7+EaP13Egk +OVkFOtGUCHeIf8Qu/q/AvQq+pec1V5hNuo+b9ISHya9hslWhEmzXCro6ABB41emG +quI4zxp0RmF7knNOQDmsgKq+PhQzN8/YVRKIdGeEDIFSZgOCocx3nQZhSyWkCL5Z +Jj1FgU5kSMtS6wqMHHmQ/RFzIEV6qBaA0Xb+Cq42UoiI9dd8GfywMqsaDdGeXPGZ +YdbnmGAPY6qBNesrmPNboCHF0TD8SxKRIJP/WX8Co0WorxDmri78lKHC4hjRVBJX +V4J1aGfQRZzpLDfXtSRVzddYcgoKTi8MZeQ= -----END CERTIFICATE----- 
diff --git a/t/cert/ca-client-server/client.csr b/t/cert/ca-client-server/client.csr index 1cb7db1f8..1f72dfe23 100644 --- a/t/cert/ca-client-server/client.csr +++ b/t/cert/ca-client-server/client.csr @@ -2,16 +2,16 @@ MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFjAUBgNVBAoMDU9wZW5SZXN0eSBJbmMx DzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AOfni5G+9n6k1xfuktzJaAu268tLI7LbLHsPt5p/vNzXx96Q4pI6YIyQaxtoH5Dk -bVOZBrgH/v1qOm7zFLFU83KJFsq/5zx02F8IFWCUeYFVudQstDGkBhZQbzrlAKlu -pqnWxrlUM9Yb3AhIJIYttU6kXtxTsUoVGpbWP6TAznIPodDRtlozp5Uyg1OJXMs7 -DwCOgQyUX0m9iMJD75SQ2Xb+++WqD3ay6/5iYBRUwcaNzPfJnzp2OPgty8mQCySD -CAd/y7N7KKp7xpYc5cW8hulrdhjxcRkG6x4++Q0WEHJUkOLhPawdM2o67M3BIb3Q -vxvA2n1EQZg/1hbpmgFOJtcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB7hFKK -OJw3pyRJmS7CCpY3ZA2V9MdrONdKVaAGCCp8RiOplixHCr1tIXjaOCpv1EVA2+Ne -UvOFCsDTWUQm3OHocyIiz6jlClzcY0iGqHWjz4CBqe1ZefQ9tPpH6YfXj//G1rb0 -Nvo8mjI4IvzJUm+63VFUYPHMoVu81KCZtIlI4m8gU1ErTDTt2FSrv8ZOfbYpGQ7g -R4XnZfAgLlfnLdkg0NDnWNlcyWen8HcImW7GthvNG4fHLe19eaZnzYX67xg/jCxq -MSOuZukAi/z2wZV/w24QO9YrQBkuWaugv7DoYnokOk0zEpifii/deKSgSrFe8Xqn -YOcXEnskm0YqxoBJ +ANSBLMVqo9ZpTyOUckRkflQlgLLljfgiZTBJvcd/THBefimGVYC+28DtBwOOIyUx +oMlEbB8ulCSD/tLAYXBqEcG3gtnWcn2nACd0WkrfY1jlB7EwoFICzkLbDq9XoRwp +o0TSuEO7ER5eFWpbNm09XcaOsDrFlKpRyDMRK9gPDpw3JKWzddcRiI6H7d6Oaz/w +xJFC4fGQPJetpIiuWyD5Y9YNgrUKrbOKAtNqWRiXpUnTxEKGFWoPnAOBm5NBo70g +mfHSR+WiuZArtzA4VgPrL/k5Wm+0SKWsxj5hAyBM6qxbfL5xI8K4LucjUey1kryD +2HQ9qRQi2fjcTCKYfF7FZ1sCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCgDYMm +N5NqRH/HeQOC9C+NZBeproXo77iqjC08X1TWTsOLyah/jCiWGj8QTu/sc0FFw04M +PNR8sFbbA9PBJz8ohev/GziDeeZ96k7PgJSKo/zpHKA/DXnGxZ+iYLfVpxzdM+GK +VNa+fkfU4xt2NYPMG0V5YyzPCo2lhB+5su/3gNQRp0sn6bqST8R3o22m3zlUd+oS +uHcvKxJPqvxsc8DIUB7PYbWHUsSnS8b5NxA0DTwHa+1J19T5HfssWyGCz9XoTHme +ZaeWO1toSj2pFCaC1Cqa0ZR3kzMJABBzp04ZV4UJa5eFrgdp8M3ShZarzWCx//Cd +czWYk6k1CoVqYPfm -----END CERTIFICATE REQUEST----- 
diff --git a/t/cert/ca-client-server/client.key b/t/cert/ca-client-server/client.key
index 41bcad398..742541982 100644
--- a/t/cert/ca-client-server/client.key
+++ b/t/cert/ca-client-server/client.key
@@ -1,30 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,61C44F36123FA0E6 +DEK-Info: DES-EDE3-CBC,07ACB60032712D30 -u9eMJqZr0XGsWx00JhOL/iZmnPZftVq0cCkrz7YWRwAEFTf7AV1HKVC6DhOFGDBL -mJLMlbXTxWo3pai012QJAkjUnXfa/DB5KnnUiRMu57mgYc27Hik9R968QbAjKT8E -4O3t6LayGkLGwoH8Hh9/V5HgDdFRnQLJsgVLkDOmv4TiybZ/1fV1ON8Mar5ThNiK -Rxr1k047nLP4STSm6RshTWe55Nbm5h4DBR5jk2REV6JneCDxx7Mdh+LyzKIiVGlO -TI5L3bGaBXVv5+/9B+dW/CFOsteG342VmtEoJYqJXe1lDkfMc3RD66pGQe450r6e -exmwZl0yCIjD1xxBFQE8qYWsQqtg65v9APN3eijaga6a8MImvpptbSdE15SitR7y -vgl5g0CdvVoAFPsBFFwlsUQZex2Q7BR1kw1nwUibYzDUjIdhTr50k7GPaHT11GXs -D2jAYyB02sfT1VXZaVYzOPTKvqv3BBaBjr8+5zoV/9VHPLVcaAq5SIeLjd1t9FWZ -NR0jmiaSTN7sSjtFK0KUmTqzoPpHk4oujPbklwFRJXc+r9eAkRmlIvM0gMv8kkF/ -gsH4OiZBvE7AivFrtizTdco4PdAhqZ0cRm1+3Tjks4zoD67OkeD6n05hPqqms8fC -mIOnyGNLywwz0G5QwpO+9xXUvu6QueqmYTgy5uDZmjO0rnyUyYfUbMix6J4qkaMs -y4Q37udBbSAdLkIFw7LF34VvBUmGpXKKrvtm+bt5wYfa/91EYe7lW/72elZQ4S5z -ty7zxaTUFlI+E4kLZeO02EKtkeNImX/X3bYmH1DkjH/SuRgpxCgbbbd24AQLLugO -VRt+E54J/JsIDLl9Mv6FwKXB/GY+3NEsOzlsdPCEJlY5UyGkoRmg9zDlpVjCYRop -OIxg0nSTaf8n9cPK3Jv9OxFkMVPrbJpHCLlN591CYFDne0uiuJ6BAmhM0f67y0On -ejxv0N4yG7BrmeVTygA0f1QuiRXwqFK4IuAH/B0psc+UlrRVOSNPSMrvcS/GGXqr -VX+9e9exV8V3vRcywd/wnN905c/XPLZ6+I0nH0DqwFDHbpW9QD7KcoUsdk2Lk/ns -87gX+LYrCq2Psolf25dVV7VUquXUrvUByfL2O31qg7IQS8aehYec7snHijYWY+RW -fiuF6rckB+4euye2SGY+7qeyFIbdJq1y32TKI30aDKLTprbx1wGk6EFtVGloeRd+ -BP80ExwLDkxo7n+VSsaAyvXAg7sIu4Gc3VBo5k0ZBT/gWgaceWsn8yXnDinTlVaE -t8dT5WaPJQCU86xUoGhddrO1DloZMyoWp42pM3sCZoWvR+MtO/xHQKVVmfg4suT/ -9nYJbJBc/YJ04Yc4GdnDmtPJH29gLbOewEgdyVmmpsEG4Aw3Dh12/ls5FAEcD7zV -ToZoYaOC+TABmemNtIxuJ/HBa7GKvopEhbZbgoNvRYv+5XNxH3JvSrj9kW0t3h9R -06cMKyNpX3wuosLMHWWoyBDkwoK+Ir78TgKF8iB11IPssIoe23oUV6/tt5NdPMh+ -s61D6fUHZtPN9ZyIgnI0ewQZdnbnG/M6hn7/kb8PEeLmIQquW2EfWr9+2LGzQN5Y +yTzuQ8qXHtMF6BEN3ABI3E3BBahIdd4iM7ziPXhtKlG3mtKvfPgpKxhZE0d6cZ6h +neaoCIAzsbtDGFQjc9omHCdtlrdJpvT7wpDq7Vz+VOLXK1aVTQgJuojb/2dpMwbi 
+Ibe2qHlCpPP6rUDkI+KT9k+WLlOBSf0OAnyjoK1G2b/cK6pVr/a5yWVObRj7UU0W +Nqk7XkHyghyneNYtWXilGmD+7u5kDq//qkxVR7mqGwqvm0vIIsMYJ8idiFGy02s9 +PA7iTu/THDmKkIuGCgewgBhuHCbO+PbXA3Cc8Xw2yNElHnjzVyTboL9I7QHf4CSD +KXp3seGQQjgf/1YfeJmRgVZF9MIcqZBt0vdgWnfbDRKDkyiB3SQYNr528lG6XCL1 +Z1n133ueJyZ0t80I+7g4IBSdPmYj2YlA0IldkIRqLpOInUkRTaajzOULJbuqBra5 +hmW2nSxzG2ZqH1hndpqnr/Wgk+UqcsUP4kB3gU6oCkODderQW95sSvFC0tkwYnTN +Av5em0urVlVAFFg0eVTJhL66XS7rysIDYRN8T/+iAjTuLzYqa4jpiaXG0xgIbdQZ +EFnEGc6sh3CrR2qO6TIVKuvflEEggC+UVtFa1RiW0KJgWrC4wSUVQ2MrRW0Jfwdo +DvccEFOZF0a8waqkTmZggADcBaQ6awgBYjE9cpPLq7/rWMVLFnhkdbStyKhHv8vx +jibju08pcZbrWtSo2CIe/Omftmw3MWFhIc6c0fBtclJCQ+8UkcPQF38IbUtKsfPj +4ZrcClPaF2NjN9g6Q/+Fv0hKvGzkXIY15s9pZMPLoco2Lh8AqDTzU4dMQPNHxRsT +pKowLPr6ZGHnQSotU8IoZgxmfDYx30bYj2+boSi37tpxmYa9Bt80jPZ8GRJnl649 +HsxIBzKMYZCa6C5KYnh7ULfRL92Dr9iN8W5mpIGD49jZ8rw0TflHVbxYV+Cl1wo/ +z+DLxC8cvp4fLbPCgNQ3rzKOTczqLg3s0x872E/3ec+rItzYoS2Xf03P3WIDdy2K +nMek99QXL8q8cCtheotucyuWKg95JCKAPZ8yAOR1AC6Kg58oyj7MPcVHhj/80xvp +NMV2h+lv3rv5DDqRw5AxBRe0f15R7yn1+r5yEVuabL3QspizdCebZf2Bd9IWbWUj +vtJHAnRzbGz3N9dqlGv3yIz5PNPn5UKQWnC1ycpghOzi7OolXvEgEvn1RunAgdMD +M0eI8jTWKJs/BPdmJ5QsDphqAmgjEb1LdBU8PY8FKbeYB7SBm9/WZ9TbjQjV0PY6 +C2OHy7RpxEYQE4310TEyineLvzuyJ1sR+WzCApLxhE5fUynOIHql7nWwvnJ2K67/ +QMof1etAk7op6rnoGYbDd3VaZXo35V3UvEAU/DNndlBa+HT4Shu7hOl6N4a0qNMO +xfYRD2If9GexszC+SFEEB6uNLtCy884teSjwERohfLl/+cZVBenqLGnQGPEdpMmT +4TFYbxdoehnKmhrNl6rEIjgWN6GxyLVKoZ8HYhFTxnhCISC6bDSrqmGY84joAktE +3d2oj145CpZbEl/R/oNggboyRFX4wb/MRkS0LazT4hHPkw3+ynYKsf4tvzVTCJWU -----END RSA PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.p12 b/t/cert/ca-client-server/client.p12 index dfacf68ab0dc463707fb4a9dec910d20b1ee18b8..63f7b99c6bc3099e69186bc71b0ac7a9bd050dd5 100644 GIT binary patch delta 2214 zcmV;X2wC^760H)DU4JXn+BCqiVj2Ph2mpYB14w(O{yp`>&7Q9M`!hE-BWT8f|6rMKM zTU&41i^$^;`Tn2?oZN<{I*Vnyjwo7V48cTv9V<|O+^?%y76<(f(SKZY-Q}ghbwCNc zP06k>ymH2|z~}<`zW@a8hy{)@$c#``dP+k1H6Y?Ig@5|n?;EK$oBDJWU|j{G-09Mv z>D$l|PHZPt2<&PIFZc1GI*shP$AO+;Ive!^XyvHJZ{p=p1ia91oSI?2#Q1goKbDn+ zzTDyJK)QwcJV58|?YtdpP`lp46K9YS*Fi;5HQ(}VmbAf+0@=Vzd3xsWxL;KU+8Ut? ze9cfU@qeWSZ8BNACF#0(RQmRmNkEQH3GK*mZ0K0g_o*_QnMY_BZ=&x*DT>E!3j*T=sw^w}BEd;ImLyLJCh zh#+B5=BmFq%m?}ye!!!?`77`fCk$>og98JIY!!6kcnx*=-H=3@12^8Me*vMU&c=>D z!CnC*eR_xO8GflUYb7)qPCnNu_Q_INhDXCXJ9o~rEetJ^r+0)IR}~yAOC)11LmQ^` z-61?ebvu@AoMM9r0mP-$6ehc#06qUJf1Qbh7U`qleGgze|=Kt z!vHxjl>!0?00e>r$WHp;8iWf7*6CNoEAxpT<)y=A{EzzH{KhY}&X-vD+`#$XFBKpS z@*x(ng>xA}!?@<9xJC>(R*@Qcw|bo=5inoDOAVeZsZp%BOC+B`E0cPhC~Kio8fer< z6M*!Otj#moj3u(HON@A zi6IjEg{D8Mh3v?iqps=J>z_{$8uc)I54U=G?#cR6lQaZg?StKG2 zJB8XFhN(eGN)qnzIR-H+b@lT-?tz#mKu(JF5-DGNUwqs`Mt56nkmq7PYMZJ)HtqGJtDxm53IUMRr);vvKl}6-mAqHW{!#y zaL?m@5;pwhxqh>Jf4Ekp-q?lxF9jjh`YVW;6quYNelZ!EF^8%|D0?K&GY1QgX<(p| zRr7-}aJr)|kz*A0W&w1kBP%uWrMFxOCv)}C!&=<)Rys;INdG5m$7{9kpANjoN`Au_ z0cv0pf0Bh*Q5del7LK#nnks;SzvDMho(mu6_Z5~orWW5@Y<`exC$ooojBoPdLK`Dv z`D!^qOu~Te8)~sYA1!+^zYEeNZFMs`(PJ8^^sJ_?YSB1r5#>iBTVn>eDeL zFe3&DDuzgg_YDCF6)_eB6!LaaWQxqozG=8IJYdOgK_|HCLO?JvFd;Ar1_dh)0|FWa o00b05u$a&TKZAr;q+sM+ft!^nF*6+m2(vIu)Noe!@&W<~02-`FCjbBd delta 2214 zcmV;X2wC^760H)DU4L@kQV<3nNelu42mpYB14!Dl>>9!~0erGyO835qNHixqRI6)t z&S`0;sD<5$o!Be4hFF5UW0G%316_w=A`Qv`ZO_pa!Shn!?sP4>m<-AuQBJ&HC=t<+ zr1ngM47H$<$I2s3u4IYI4G>?D{qzBn+t}M-BKX0uYbys~zkiE6c>604p#mh9iQbTeylFwV=6l)gJ;gss@QA;Z=G59VXb8CDZlpW*;a$nV%?eLclAFq<+^U7e2nmjAsg!l=Q|W$@ zJT;%I6qX>>Re#7z*7@O`7iCVB$~{8S)*EA{E#bWK(9Iil0Kc1E;Zh^0fm<0UqKBA+ zN~RjOY-92Q_@eGe05%s?vS-#DKaqO_7>P?HfNSO3f~vNTVa#xnOvfS49cKO zv70coW<+*L*T=PO!>@r|c?nm!j_+UG^Fa~Sts_7O9hbF$HJ=XxMIO*#!j=kZric#| 
zF9x7s*?&q%x*k6+M}a)4(I6*_RQp#8%5ebgV!+>)>I zNdQP}Y=f>d#fCZm4gV<-+c!07k$>GH{v1Ze=AoIT97Z@mY8tuW7&Nw#YyEEL`_yj= zQ!-ZG4t{2#JjUj^r;0h0rX9Bff2;kGK`vdC$bS&e2~L4ya}-(Q(VFQZA~fpDT#$zb z@80-al0CzeoaTO*TB`+WQqiqW!9|bs#)=9bPCQlOa$Hw4O$1jJilBe*s&-{ZMVAM} zpaHR^h#FZzPO%kxuql%EwvY*EXh^ zf?hYIyF10)AG;pJl%Zi(|BR|J9d$-bOVBCddoHPB?I2_$s=gj}#22-EG9|`haFRx> zy~THzPIIl4@}*7y9r`#VVbGP%B={2PsP9XP;?x=D$**z$V2MDEf4}&ileGgzf3Bn3 z^Hn%DiUI-%00e>r$f!jnOKIcqzRHx+QU1X|8tz(hm}oxagoz=#7evGEruef#ynM#4 z@eGSOp+7-f-*;S)U4LpQFT~Gi#66sSfjrg>=>#z0Lc4ZtQ_LID>HtyXk8y#)Iv(}2 zRvvq~8N`;Yao``5b?a7J$_?WNe}C_P4K-y=%%Wm@CftxkB?=hIsdjssY5)EIvos(N zxOsS4+C=DxqHTDw9gS+5DK_rxW2(IC{i5Q)7DnD};ULOnj{3h6mh5g3h6eeydg89dCcTSS`!B2IX{SNDEm*le^ivG1oq+x zAHmM)Wn-s8=nl|aCvfR}a$dQ78f?3UyA6;WPqga`AKx5ASe(#M-Zn zc<)SGi-_FxyO_@=X=>VEUtZ2(PI}|gQ_Vt%>6&=TXqYH_bz9t0a-9WzM-H5*ap_Gu zS`>&_i{}b`ZEq~z$190lf38_2VUfzUdiS5G{^huUW6f3t{CDj6ndMfs)n1qlSdC)H zr|zM#un;aLgT3UeYxMpl4~@hjD}`w5wS$=1TImH3IV#KV5ULkJXWL=dwge0G5&oqi z7|_X>!KGt?9p3i$OiDFNSJLUqJ^dPv!=JXZoXGr*Se>>94QZVge=LSsB)n~H@gY=( zdrQzMBY!#E{Rx2K2+#T?udD*z!B}Wk1cB?;O(qI)YIaAx`C`4gqZpLI~hhWnr>Q!)Hc=%;4O8ocr?o?LjD4@(C zrO2F86oN6jG3bsQe`gmocr`%g83}_VgyDTK=q#w|0+Pc9fbj#SExklz?#x>PLE0?R zKT@cfvb2#;!93s4Av6D6V!`%U-CFEyjpkE^ zRI$ch3VmCjpCBmkz#hd$?4Lx_IgwueEXZ9oCeHjqfCinue|)Dp9EHsG$NJ-`6tjDF z?Z`8fHWIE}t$KdRII>jE20ezr4}k@^p^1NI(VNjfg|ZRg>E6go)6gK)H$;I-n;%0E zHl>M$KgX^*5qpap3Yb#f5L|J0G+Z!>%Kn zQ#S4-<&kWSe=Cl{Ek%;W$Zbr0hjXl6SYsMz{>?)ITjuZKwT*;~LW(uS%Z<9-7@m;i z;9ac26zKTIR~JV^pWYjEVO9pz2~%7#ehbJ$<#U~_T3R2b@aLiyW(k5Cj>kE&%xzZ6 z*~fd#`jeCCA&Xzo$lMw2m#lUPtOMb@Q^`qx9DEPPy6faG3Y`GNj3ET!;W@W7c0L%@_$(&CMIa%j9tHJY zdSB?TpMvIP^UvALums*2kal8}&m=wP!l)ova2}{+QJDzWN8(QiuCFAc= z_Vt{ue_h-VDy~+{9~03XwHMMy+;9FM<8kHxM%%&J_VszM)ktZ3K9+f9x!_+yfFxhf z$QsVwM4a?{5sQpU6p#M&Yby%$n1MyUHB38n)8-;dz#*+RJII;esVUIW(=B0|W`8jy zFe3&DDuzgg_YDCF6)_eB6u5gV;#7s(3vx@sJOkKOXy|*f0kJSKFd;Ar1_dh)0|FWa o00b0e3JJPvTu~h?<9WI?QAom&PwBA)2nf92Qa^4$3IYNM08ffRhX4Qo 
diff --git a/t/cert/ca-client-server/client.pfx b/t/cert/ca-client-server/client.pfx index 2ac10de8c5fffeaa14822d728e825df6eb68fffb..1d3b164749e162132c09db195443db7cb4ed4187 100644 GIT binary patch delta 2214 zcmV;X2wC^760H)DU4NmHi}hl^@)iOD2mpYB14zjl@tFiA_9236j(E!1h(}r-y;`W) zIXV9{#+j7QKypB~~!3ymo3qFr@12 z)CLXXlbhnYj&|v~F&x#Y9OUc*9x(E^4*?f$)PrTK=Kkx4fiMBqz%3=Hwjv&Is<4@3Ko-C1t=~~zhiWdJJ8`}P?=16 z!)-C8&&|Ype7)1K7LhTAMW;dxiR$}iZlFusR7(hE3aLGTJEQ$KL=}E>*KFIJ1$Np^ zJ5-X(0>Q^{XY=^voDVb>ajasW90>k!Q0+E>1b_ZY$^wmR$ZW`a=({Rr>7R81b>O!Q z1XetAN=+N1CeBiJK}h`Wc+E^NWn$hR13WQ|n0P-kMyM-%{jk=GGpYTVGU_-+A)3S< zJ4(4Iu#0V`)rC~e`Y)NCm$gknP&P1El}1ol^0>My+>CYKiSN`B3^&DU1T))ww z>0Ue*QOXsg)STn4+M<6Wf-$~c>|B(mw>5HE1oe?S4)-b#{XL(o=y!}2C~5di*8?Qq znViGGqMly+r$U>CG#3O|ml_#?3QwROY%)m>nW0vXgpy)@O$F=J12rwBHYRLp&ts*K5 zn}Hi8j_5EF##bN2El3M8o~9jWe?-#w!$X0j3UsPEUlg(-T{Y7fpk6g49@v4Yc6P(v zRu`bhpEVYVI1aSQhHaJ33TVCzyA&O`!7SXh@Ct*JUm7#9Q(3Try zsc+4@&YabR!oc!kvQj9x^)m9v2!Wq#mc9pp+Q5~=ka69}@quwi>b$OSf1?qS9iFU* z5~M_bx%KZG`SNM4qPb@o1;6zxJ_Xu7*eRc!{ZxLf)5Y`5qPh6ze)YInn=S)#tU-BuW_Od&Eov>3)wzEmCZeKYj>j%iihbqdraQ??Jc zx$a5L+Ar(`P0I4X7D!GybTOu#P9^IthLsr;U#Tr4i+vc7&l}I{e>of5kG*6*K;^dS zV#86i7oV6RW6C{dJc405|1;GlQOJI^D`u55K87muw7YW&#Yt&VS=?TC;w;uV zFBhwcZdanCd->jde~8ipn_QOpqt9lS{qog_vX2N-=Ct0xH5r;(UUMK^ z3cVlWIaiN(BQh?oXxVKf>a6HS7YL`*&qDj1BGtj+t@YPm99FHx?F6juE(6|6j4u$p ziX%7sVX_j<1$_KjTeS_27haH6J#^`_FNzf&edce#iL2-9e=wEEe8t~d$e>-8-Fu5R zbx$=jAjZtS{Wr&gkS0T;Gf*+Cld}legQ*xP9ZB{LX7~A8Dg7|O+Q9KJ=%z_6>!9>E z(8@G(XR`ov?1erYhO?}ugq%H0xv3Vv4kG@r%ve5`i-vw)w6e@)c7 zvD$*q21wPV1U)V^(xVzf2q`B%BBhc(i9L6C^Y1f%dF#!RF; zL+dGgytz2@g#Pp~0Xgj1H_yu;5E@X8g=sGQ?Dowfe{W_nMP|aB#>6(-Xl2nu1~fyJ z-$m|Jk9Yh&%{8O5s#?K2S(iPmaf)`YDqt8V)-vVW!HM9hHKMv5Izf{=^a}g24?bHLtlz-1hg>I)QVF(T6-1fRz zfZsA33TYS7Qp$yN^D!;&M3WhKg}q)MGl+*4z#GaG*V_#z%NER)EkaJtrxdQC`~b}A zClJSqVOXJeH(9L5pVC6d3>T*}O_9=`LhE$T3jp~JgZSv#(2wHYMyfuAz$@IoP-ZJj zlFHNal=o9g{C`rbP1H3h(SG(cE*jDR3(H|i4s)<(1YFS~(} zLnthO)LsWhZtgJ)0h$Yk1Qk)y9|g2f#;Wx?(}F>btABF$()BNL1gju2z+4WAB*ft^ 
zjuHEt%jABKAHHL!x>2iol_J zO(z@%Jdd#vS352<-8E}hCBaS}1#QDRbsY&F*D6ua0H^@g@)ndlk)cK670TX%aSbr6 zPb?>;q3)g=f1v5xC$g}mPnVMckFXyatRUXv~R z{(sJUeR(BDil6X?-oX z7G9uj=aJ5i#ZkP5?25LT&@*x8G`q#_P652Nc_L);=7~8aDk#^O7DCZEm>4RsH%4ZR zOr$Oy~MwvVL(6|A|7`5_*K!6uf@*O5UJKlfOPImOk6OSy@Sm^zjI z3s+KbE!KCJfK?q^&nZuQ4}0*5m%F(2(of^fJYhn`%>9L6mjH4}bvqSs9)^#qUWjtY z`xk>jUBXS=>ZjA_gag5(WSNh$e_E>t-b$@g^D)Qg#hO_Yf)Nwn8Te@-T}xOn6qjUy z({{2v}y=6obr1a#%9j(?Rj&f4G5jXXz-y zBhxp{-ap z&$!G;+)M)N&x1(h@r8Rre>gJ@d8f41f)LYx{0o6YXnCx&gEUDk+F(XKhL+4T zD-iZZu=&j5t9TK9ltO$o1E(W{1}RLN(}M<2X>p7z@4ZjMoZwt3MaT3?)Ygv2qhhJ1+G7<9rOtB=+|j4!jRA}a%UCaUZRuaEsdJve+rY*Pbb}LDhTXA zMa1*`Tq)2vk2yS%D1`4Bq`=d~+scE9Yib631z|!sBc*s-8UzxbZmgo+Dek|*Da#M- zej^)_CVp5KnBZ24_W*Vx$UQ{ugPuGFyf1-+6qIlGC7#bicWWL+TDpxXaEDk?jjozTlL3P$d+9|QL(*e4}7XV%&bu~`9+O8{Al)X z_TXzVS23S0xVe8ZCxJ^bo2%=>=!eXE zjy~89gJ(VBe=T+2Y)u1Lh^DEI$ap#6IlE-(XTQdUCcMa+TLbN9PDkb$scYru1DFRb zg#v;RLi*Ao`>AUD2!U__*ExmB`gjuI!BI!*qZh5MS>(;8tS!2eJtH56UVj@x!7ATo zv?m{{%#VAo^Xh+_MG{f%Uj2;6(<;b`_*wq%an5`?f0<%)N1~JmI?p-4Os#OzNK~eT zCcI}3r#Q1R-*xz#LT^iXletKNU-$zhU*($C2wOV;kK1uvi2!*5aRYjxZicakR*bhV zaw!_;OYh~R*kbn9#%_vBL<#JFng$mhluz^nS!QbdLvijEejAEamh0lMgBbta12&AU zn4*U!e~-}a*7^uc>BS$cSC@2^e-pnfIYTp3eh=RM5Ra{UGRwmlg3z8eLqz;eHWVjT;4Gy zFe3&DDuzgg_YDCF6)_eB6u5gV;#7s(3vx@sJOkKOXy|*f0kJSKFd;Ar1_dh)0|FWa o00a~(T-TV56C^CTqTxY6 Date: Mon, 8 May 2017 00:39:40 +0800 Subject: [PATCH 16/23] cert: regenerate ca client server key and crt --- t/cert/ca-client-server/ca.crt | 32 +++++------ t/cert/ca-client-server/ca.key | 56 ++++++++++---------- t/cert/ca-client-server/client.cer | 26 ++++----- t/cert/ca-client-server/client.crt | 26 ++++----- t/cert/ca-client-server/client.csr | 24 ++++----- t/cert/ca-client-server/client.key | 52 +++++++++--------- t/cert/ca-client-server/client.p12 | Bin 2349 -> 2349 bytes t/cert/ca-client-server/client.pfx | Bin 2349 -> 2349 bytes t/cert/ca-client-server/client.unsecure.key | 50 ++++++++--------- t/cert/ca-client-server/ecc-server.crt | 18 +++---- 
t/cert/ca-client-server/ecc-server.csr | 10 ++--
 t/cert/ca-client-server/ecc-server.key | 6 +--
 t/cert/ca-client-server/server.cer | 26 ++++-----
 t/cert/ca-client-server/server.crt | 26 ++++-----
 t/cert/ca-client-server/server.csr | 24 ++++-----
 t/cert/ca-client-server/server.key | 52 +++++++++---------
 t/cert/ca-client-server/server.unsecure.key | 50 ++++++++---------
 17 files changed, 239 insertions(+), 239 deletions(-)
diff --git a/t/cert/ca-client-server/ca.crt b/t/cert/ca-client-server/ca.crt
index 075fb9fb4..9e64ef695 100644
--- a/t/cert/ca-client-server/ca.crt
+++ b/t/cert/ca-client-server/ca.crt
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC7TCCAdWgAwIBAgIJAPQtwgjj8kufMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV -BAMMAmNhMB4XDTE3MDIxOTE1MTYwNVoXDTE3MDMyMTE1MTYwNVowDTELMAkGA1UE -AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVINQ5PqDbYUz+ -g9sxuJWC87leChR0EwoT6NwVBFEQiqtFSBK17gN1kYTez2qFIeqjwoAL3K2VNTlP -g/79E501HynND8vQG7cBQGX/GRtQoU8aCp/DgmkzNeLudlu8Rgp3mhQY+DLMQkXs -mUsmcjVpx6+tPXsnxAnbQ7DdH8gD+XaECoGH39FIdGiwmZY5Y/PjPYUk36qknkfm -pUem7GSVPbG5Etxbk0Q4jAjL8JrN6wBtj4HiX9LLW+o8b/nNypf2HkDObV1DliPx -S1A9lbYcq+X/uXlq67uzMO/8Xy1optJNe4AMsUp7VWIqMCJ2e2q0c7jULJGNdmUz -EO0fAopjAgMBAAGjUDBOMB0GA1UdDgQWBBReqrUnkoVTa1qkVBdIbTR0c15/NDAf -BgNVHSMEGDAWgBReqrUnkoVTa1qkVBdIbTR0c15/NDAMBgNVHRMEBTADAQH/MA0G -CSqGSIb3DQEBCwUAA4IBAQBGEec8MWgYkj4JzKeHUF6q5Vw2fyD6lZZsv7NmSnkb -jUhe+mKxgvwn82lKiGcyQth9OQtVQ7j6Q3gHfcLSqHNhQGjZA1/tgHGjHH9yK3Lw -69dRgQZFT/1IP84qrU/TVVY2tsVlO00BTfDbPgHvQTMkoRneN36l8P8gmwAzOG4h -R/z7c3bExwy/liAPtbKCXW9tZkJ72x7jLPgLk+NBw0heH6Sank46eMvg9c8H2HXD -oF1dPlaNZXqoeIIMGAWzxLOF8gl3F2+tFM1qpjdg+kFaK+bh9W59MefDoVZ+r+f1 -GP1cO7cbo8hn2rFf/LT3JFiU+uS5nmoAKJF0w5u5O1YY +MIIC7TCCAdWgAwIBAgIJAM0KJFGpzyyYMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV +BAMMAmNhMB4XDTE3MDUwNTE4MDM0MFoXDTE3MDYwNDE4MDM0MFowDTELMAkGA1UE +AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9Tg7yQoZq4xM6 +/Gl5+BIN3Hj+4GPhBW9Q+gitVSHNVaZU1gDqt6Is5jMzK3/id2keDmVVraAHLpOu ++IoLae1iU29cnAzIWAiYxLMSVvzfka5nqkFcyEes967EsPEJrE/omI8HgVgBi7M8 +0SGxeTBjFtpp7Q4GHQFBRU2DmREfzmvU4smFc29LNPh0y/GAyhOtTPK9hoQPVLRx +fHHzIq48pDzY/G38GCCR0KL5tVT3Ln/u9SJD3OXnrkEBJOTGUWX5LATyULKcEBGm +fIK2xOOEcM0OBSE5CRrKKvioNHaDnNgp4KZ2ZE6KIMwBT0nkRzx/jA22/zAAQs15 +RZ/51//LAgMBAAGjUDBOMB0GA1UdDgQWBBS4nNeF58CTALtsvP10v7m5mW3XNjAf +BgNVHSMEGDAWgBS4nNeF58CTALtsvP10v7m5mW3XNjAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQCGzzsh8ea3OkjrRia2ijPOUZ+NKujO0xkQLPUfCnNF +HDXJkdt4w1+cq7P+ioLe4t4XN4MeZ7KM7AOObHtRo3drKXP2rwhGtFBLwD/VRwgS +ndWRvLdgJJaBww+HYWykVV27LD9Q9Iw/+4O7srShVaD9ia6i6UhlEFaio63Ra4cZ 
+NavE1LJzBSoJDsCjiaMIaenv5EsfwOch1gXTCFcmQSU17SmZ+q1K/ouql0kUEa9g +LaGQndHOWc0J9sZijCfqqLaIBVoFckrh+eRXKR0Sg10LjbIWZrDNjXsBnkVJtLMV +APcTBa3PS2eGl0Yg2i/SeTUd+oRRadeVioWTejBV1zaM -----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/ca.key b/t/cert/ca-client-server/ca.key index 4c98e236c..c59d56e60 100644 --- a/t/cert/ca-client-server/ca.key +++ b/t/cert/ca-client-server/ca.key 
@@ -1,30 +1,30 @@ -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIeyaHYkkMvlQCAggA -MBQGCCqGSIb3DQMHBAiAPxNz0HpLxQSCBMh8p/EASfeEFeHqX4ZYiIwBRnGvX5PB -jTCxNQkBeDB5OP+3LS0jNIpr8ynEYCER6cCo46PUve0oWqszItfoOgZ0yAaiak4h -k/foVMX8WSDN+9yMYRfF0T1ia6yvJDxJYneVt+azF5a5Mz3PdGuz9CKdgU0+9gMY -AnW35Imx0lp7R+qa23fmDDGFbFaBvyAymCyF/nE1yq7Y4HrmxQxM9ZgB+1HO2Xff -PHlU+M+bH66P7MkoQmwMourWP0DT5OuWUppjN5DMz5FejdzdWtkJ8ZHfnm1t0J0w -/o+xjKzbCmODKLBGSrig5Wy0wBN1aseHModNBBiYX/hcuYjdl8smlewtpD5mxm6L -fgjxW7/q1aut3bTtK1wLI4UY/exj06umYzNqcS3Uv9rDEOJHen/yfXzOiWz5onBr -Cl6WPN5+SiAT1buRRY7G3HDmur2ehA9FDWz+5udMfwQFFc+qHJCDnzcymE64yOVe -YL5fJNyubysAERx2RA/HaqjP7gLyx3YjZSEmsta1esu6zYreNlrBSrulRwKa/vBN -CsKDsHl+zSSzyT8nuZVBCWKgUvzpndCyrQ7DnBiiNZHdbFeT5FMd+Px77RNSI+4P -ga5r/ksDUHY/OYQILGwrG5fpUE9Ag1VId+FhkHJXcQD58YyYvwysBpeQnnc/cQDV -yl1q6RL7J4sJbZTLATTUnsqDXg88p+4/mVEdCF2KxLl/mnc80UQ/GZ375y43y5Du -RqZBaTt6HWsp9m7Q/zi/6F4mKP3JjaGwVny8VWftB5Wcd+p2LeR0xq7uuUo70mwA -rtgZFqIuzio5xQK3u+GxOGAk8G9SMzt4BeQeAnh9Q9sL1nbNdX60SaXZRhVeXxeQ -1ISW0JOqhCgL2Zp0Gro8uDLe4S6DlOXMVlh1PBp5oAI9yJeexnCFLYN8lAuM1iq0 -KwrVEEzlhBc+VlqDeP66sKfE8nXKPH6iWSguiTn9ydXFU8Y+osr9g5s9z86L4smn -RjiXH9h1DbgMh+3wROCmLQ9Zl8Gdcf5T5JjiDwsn0BWeSOePjJ2Utg9XUOZnU6Ze -AEqI14bSNBSdjIrfhJsbxVshYkuySNKzBIX4fO483BTsQQRO+KtFMxlVHvCLAy6g -pyeHtaouThNqGysYPoqDnUqhVKiVc/bD+0DyU4sXDXkqW4ooHfH/ubicAYbj0aFl -4rpQQowNPJ7Cb2/ksHL/Wr9AZSCtyDseaM9wNW+6FEg/GaCdDr66j0SGfrN1rmmo -yeFamnsdyqXhrKGq2aStUslW6ZL+lWJJVMLqZ1Ebbc6MqTdulfv/mf9mtlEKDHJy -uKcQOo7dmoOiQpV+BEEpJlQeIMm5fGLecqxQ5+r1szFKhEKeAEDemqn/ch/MZMS2 -4kDgnM7lWZMPCaE2Rnso/BqDgkzKyZl3clYw2K16Tp69iEOGHpVtNfIXj5XFZCqy -33V0LgDYcGVJVIR3fF7zeXCkJ3cYwG0LOxzP2HzrOgZ6OShPZ8o7yfZTctJs0N86 -AvqegXEtmPoHID7lsZyITzl9b8CsqnkzpL1+9Z2HyRCTcGJUxsYJ1LrKiinXO3hN -XNuKfkx5Ku8AaoBAsnWN7o5wxv774MoWgXKYHnSChu+tPgMQZKn9mBlmx6HsjYXK -dk8= +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIHubYMBY2WEECAggA +MBQGCCqGSIb3DQMHBAiAutcERUP8PASCBMin+/7JEjwfuogJqvH+NtgLrqxmhWvG 
+LbjCNcjb2AeYWEYzG0BtOKvqKuK5zpJL2++uCxarAGwz2GCVbQvtKWEuDN4k0oUr +LL00S87jkAIfT1HQ6GBKmbEZ2PduoTkl3wy4n9lcegD4FaMn4oU5UpdNlEALXZl6 +DQNgbsWXsMzkjzHu+yt5VxfrVcp3tyyZztbRNnDDi0Gka7dkokwfVJwjj61Ra51r +48iASqqjOtT8spXo6CyUC32CRE/F3MKrscdBTHa0/37vgobKSUqy7kcNkXVXpq+4 +HPzUzCtBAs7BxZD+SoKtAIEap7Nl81yWvMrkVM324dzhIRTw5eg83mPpRp8V0q5S +A7ntz5F3Dm73jCpz2uRwwYdoj2uIqi2JbxRdSguSYTTwZ99Dgv4wN33KlaDmZzMP +i2Ouk3e/xJ3lZpv3s4yODxORw0yXOfawIEpz1V8wwRYpgHpzKdlF6WmNoTXDGo51 +o0PmzsAsdWq5W6SXwgIR1uqKzgfpynVSVxmeQzMUkrhThmngmVxW208n8a8TQm9p +ZZTrCt3uxVkHkgxsNa71/jQXMBZnZ8AamgzstFM1NGpDTgiNiVb8M4/8238NGTLG +Iudz6l0ff07xKjLv+ot93vFNLvGrxMgE/O3x+Dq0h15e9er87dnpOgV66PLajnd7 +qugsyPbFnodc+ETVA+7R1GXwqOxKtqNxVUpzNtw27NjUSeOD4I8aVuTLCx0hNIdS +7cgHnKPrnts2Y87JlPslDxVZuutRaLJM8XVzsjTdZ+RQYMZOHF6p72kBPuW4xrqX +MqON6nrUginC6/UIZR9SXs7RTkbikymEKPOVa8qjHdSASAKYa1WwGcMPVNktZ10u +YnGyx+Tg6M3SC2+o3q1ga4wUiNW0RWXtb5k2vah7PFbuzDqvgglyrDxb2/buZSSS +37sv86w3ApRV1MB7qIGmws1PkjEZAS6EVZrBqtmzhLr6xg/ZnYThr/84vjEsy9P4 +8EbU/rj/7cQiHJsAzT9EGVZX4jxhZ9OFdT7vg7+ihPZ+TAXKjDyhESpr4pEyo8HP +yyasWbq0PWYcJqEg4HVTYVIYNaknM8BCuMTBG2tJxvaBLpHHBqmYxygFROhdRvbg +liBI10CFj5D157xSQx0Fb8/wc9e1BzOjTWVtlveVJ8gcGQUd2Dqy4sWUogYlWbbW +qkOapqYy1sSXHW/vlO9TNcaxOnWHmmkmpc9VKqu8CG93sreY21d0Y/GGmZB3+VUd +NU9zDBfzNaJfvJDxM4wjVYeCHexddf+gwg7jitvgtITV89epG6MWZgiX1c0ezIBQ +/Mw1zleae8p4ut4sdhr7OE4kbv/787DCE+eztbH20bDk0ZxkgaeJb+shTlUfFxC4 +BXyG7BAVsmbNaurgC8hJJbjgDJ0Y7PkdXVPFZpcn2gsxDQ2nxcOQhqfEAnZ3JbJ/ +UKjxj4DxPsUK4pSIRdjTJV0FdxG7YGDnOF9Hpw2VfhMnbpcFz+ZmM/EO7RplXHJP +gucdAmMhGsnzTIUnH+jBogzKFNskpOBshOxlfxt3XDl/dNzH6dolkbCK/nyz8nmY +acbszKMN+RvV3RT8C9w3fczqGQbPulz6y1pnzx//OjZs5McXfQP08flVK1lYrAPl +3/k= -----END ENCRYPTED PRIVATE KEY----- diff --git a/t/cert/ca-client-server/client.cer b/t/cert/ca-client-server/client.cer index 5de531e80..03bf44f25 100644 --- a/t/cert/ca-client-server/client.cer +++ b/t/cert/ca-client-server/client.cer 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw -MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +NTA1MTgwMzQwWhgPMjEwMTA0MDUxODAzNDBaMGMxCzAJBgNVBAYTAlVTMRMwEQYD VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDn54uRvvZ+pNcX7pLcyWgLtuvLSyOy2yx7D7eaf7zc -18fekOKSOmCMkGsbaB+Q5G1TmQa4B/79ajpu8xSxVPNyiRbKv+c8dNhfCBVglHmB -VbnULLQxpAYWUG865QCpbqap1sa5VDPWG9wISCSGLbVOpF7cU7FKFRqW1j+kwM5y -D6HQ0bZaM6eVMoNTiVzLOw8AjoEMlF9JvYjCQ++UkNl2/vvlqg92suv+YmAUVMHG -jcz3yZ86djj4LcvJkAskgwgHf8uzeyiqe8aWHOXFvIbpa3YY8XEZBusePvkNFhBy -VJDi4T2sHTNqOuzNwSG90L8bwNp9REGYP9YW6ZoBTibXAgMBAAEwDQYJKoZIhvcN -AQELBQADggEBAKaqvxiiT87tnsMkXMbUlYwPm1ku4vi38lANEakTEkxnyMoxRNla -gdy/lQ3+YSL7XdLZ6mBwfFSNDBy9PN+rzEWZyXS1kJKp3MAvbJcIjp2+Zzwnc/2d -5iZzITrUg6Lx2X99GHNamOCidnQXR4ifGauVvG14g8nVAiHbKnXNyZn3qptPSAXm -YLidPBeDVtF9vnF8VmajLBmCxklIxo30E1HhuZNZsViKeJsH85Y8GYyYJeA/WaJs -pzOSesQQCJGYtHwyTJVEnqP3EJq+wcj+JaezVP++NeyfqxjeHAJZElqf0k3QBhWt -yk6Mo8iri3milOUQOokidQhMZ49wtnelu7o= +AQUAA4IBDwAwggEKAoIBAQDUgSzFaqPWaU8jlHJEZH5UJYCy5Y34ImUwSb3Hf0xw +Xn4phlWAvtvA7QcDjiMlMaDJRGwfLpQkg/7SwGFwahHBt4LZ1nJ9pwAndFpK32NY +5QexMKBSAs5C2w6vV6EcKaNE0rhDuxEeXhVqWzZtPV3GjrA6xZSqUcgzESvYDw6c +NySls3XXEYiOh+3ejms/8MSRQuHxkDyXraSIrlsg+WPWDYK1Cq2zigLTalkYl6VJ +08RChhVqD5wDgZuTQaO9IJnx0kflormQK7cwOFYD6y/5OVpvtEilrMY+YQMgTOqs +W3y+cSPCuC7nI1HstZK8g9h0PakUItn43EwimHxexWdbAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAITcoW3CYirApxuHKoBee12/exxJWrL5jp5d4vbL6p7+EaP13Egk +OVkFOtGUCHeIf8Qu/q/AvQq+pec1V5hNuo+b9ISHya9hslWhEmzXCro6ABB41emG +quI4zxp0RmF7knNOQDmsgKq+PhQzN8/YVRKIdGeEDIFSZgOCocx3nQZhSyWkCL5Z +Jj1FgU5kSMtS6wqMHHmQ/RFzIEV6qBaA0Xb+Cq42UoiI9dd8GfywMqsaDdGeXPGZ +YdbnmGAPY6qBNesrmPNboCHF0TD8SxKRIJP/WX8Co0WorxDmri78lKHC4hjRVBJX +V4J1aGfQRZzpLDfXtSRVzddYcgoKTi8MZeQ= -----END CERTIFICATE----- 
diff --git a/t/cert/ca-client-server/client.crt b/t/cert/ca-client-server/client.crt index 5de531e80..03bf44f25 100644 --- a/t/cert/ca-client-server/client.crt +++ b/t/cert/ca-client-server/client.crt 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw -MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +NTA1MTgwMzQwWhgPMjEwMTA0MDUxODAzNDBaMGMxCzAJBgNVBAYTAlVTMRMwEQYD VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDn54uRvvZ+pNcX7pLcyWgLtuvLSyOy2yx7D7eaf7zc -18fekOKSOmCMkGsbaB+Q5G1TmQa4B/79ajpu8xSxVPNyiRbKv+c8dNhfCBVglHmB -VbnULLQxpAYWUG865QCpbqap1sa5VDPWG9wISCSGLbVOpF7cU7FKFRqW1j+kwM5y -D6HQ0bZaM6eVMoNTiVzLOw8AjoEMlF9JvYjCQ++UkNl2/vvlqg92suv+YmAUVMHG -jcz3yZ86djj4LcvJkAskgwgHf8uzeyiqe8aWHOXFvIbpa3YY8XEZBusePvkNFhBy -VJDi4T2sHTNqOuzNwSG90L8bwNp9REGYP9YW6ZoBTibXAgMBAAEwDQYJKoZIhvcN -AQELBQADggEBAKaqvxiiT87tnsMkXMbUlYwPm1ku4vi38lANEakTEkxnyMoxRNla -gdy/lQ3+YSL7XdLZ6mBwfFSNDBy9PN+rzEWZyXS1kJKp3MAvbJcIjp2+Zzwnc/2d -5iZzITrUg6Lx2X99GHNamOCidnQXR4ifGauVvG14g8nVAiHbKnXNyZn3qptPSAXm -YLidPBeDVtF9vnF8VmajLBmCxklIxo30E1HhuZNZsViKeJsH85Y8GYyYJeA/WaJs -pzOSesQQCJGYtHwyTJVEnqP3EJq+wcj+JaezVP++NeyfqxjeHAJZElqf0k3QBhWt -yk6Mo8iri3milOUQOokidQhMZ49wtnelu7o= +AQUAA4IBDwAwggEKAoIBAQDUgSzFaqPWaU8jlHJEZH5UJYCy5Y34ImUwSb3Hf0xw +Xn4phlWAvtvA7QcDjiMlMaDJRGwfLpQkg/7SwGFwahHBt4LZ1nJ9pwAndFpK32NY +5QexMKBSAs5C2w6vV6EcKaNE0rhDuxEeXhVqWzZtPV3GjrA6xZSqUcgzESvYDw6c +NySls3XXEYiOh+3ejms/8MSRQuHxkDyXraSIrlsg+WPWDYK1Cq2zigLTalkYl6VJ +08RChhVqD5wDgZuTQaO9IJnx0kflormQK7cwOFYD6y/5OVpvtEilrMY+YQMgTOqs +W3y+cSPCuC7nI1HstZK8g9h0PakUItn43EwimHxexWdbAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAITcoW3CYirApxuHKoBee12/exxJWrL5jp5d4vbL6p7+EaP13Egk +OVkFOtGUCHeIf8Qu/q/AvQq+pec1V5hNuo+b9ISHya9hslWhEmzXCro6ABB41emG +quI4zxp0RmF7knNOQDmsgKq+PhQzN8/YVRKIdGeEDIFSZgOCocx3nQZhSyWkCL5Z +Jj1FgU5kSMtS6wqMHHmQ/RFzIEV6qBaA0Xb+Cq42UoiI9dd8GfywMqsaDdGeXPGZ +YdbnmGAPY6qBNesrmPNboCHF0TD8SxKRIJP/WX8Co0WorxDmri78lKHC4hjRVBJX +V4J1aGfQRZzpLDfXtSRVzddYcgoKTi8MZeQ= -----END CERTIFICATE----- 
diff --git a/t/cert/ca-client-server/client.csr b/t/cert/ca-client-server/client.csr index 1cb7db1f8..1f72dfe23 100644 --- a/t/cert/ca-client-server/client.csr +++ b/t/cert/ca-client-server/client.csr @@ -2,16 +2,16 @@ MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFjAUBgNVBAoMDU9wZW5SZXN0eSBJbmMx DzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AOfni5G+9n6k1xfuktzJaAu268tLI7LbLHsPt5p/vNzXx96Q4pI6YIyQaxtoH5Dk -bVOZBrgH/v1qOm7zFLFU83KJFsq/5zx02F8IFWCUeYFVudQstDGkBhZQbzrlAKlu -pqnWxrlUM9Yb3AhIJIYttU6kXtxTsUoVGpbWP6TAznIPodDRtlozp5Uyg1OJXMs7 -DwCOgQyUX0m9iMJD75SQ2Xb+++WqD3ay6/5iYBRUwcaNzPfJnzp2OPgty8mQCySD -CAd/y7N7KKp7xpYc5cW8hulrdhjxcRkG6x4++Q0WEHJUkOLhPawdM2o67M3BIb3Q -vxvA2n1EQZg/1hbpmgFOJtcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB7hFKK -OJw3pyRJmS7CCpY3ZA2V9MdrONdKVaAGCCp8RiOplixHCr1tIXjaOCpv1EVA2+Ne -UvOFCsDTWUQm3OHocyIiz6jlClzcY0iGqHWjz4CBqe1ZefQ9tPpH6YfXj//G1rb0 -Nvo8mjI4IvzJUm+63VFUYPHMoVu81KCZtIlI4m8gU1ErTDTt2FSrv8ZOfbYpGQ7g -R4XnZfAgLlfnLdkg0NDnWNlcyWen8HcImW7GthvNG4fHLe19eaZnzYX67xg/jCxq -MSOuZukAi/z2wZV/w24QO9YrQBkuWaugv7DoYnokOk0zEpifii/deKSgSrFe8Xqn -YOcXEnskm0YqxoBJ +ANSBLMVqo9ZpTyOUckRkflQlgLLljfgiZTBJvcd/THBefimGVYC+28DtBwOOIyUx +oMlEbB8ulCSD/tLAYXBqEcG3gtnWcn2nACd0WkrfY1jlB7EwoFICzkLbDq9XoRwp +o0TSuEO7ER5eFWpbNm09XcaOsDrFlKpRyDMRK9gPDpw3JKWzddcRiI6H7d6Oaz/w +xJFC4fGQPJetpIiuWyD5Y9YNgrUKrbOKAtNqWRiXpUnTxEKGFWoPnAOBm5NBo70g +mfHSR+WiuZArtzA4VgPrL/k5Wm+0SKWsxj5hAyBM6qxbfL5xI8K4LucjUey1kryD +2HQ9qRQi2fjcTCKYfF7FZ1sCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCgDYMm +N5NqRH/HeQOC9C+NZBeproXo77iqjC08X1TWTsOLyah/jCiWGj8QTu/sc0FFw04M +PNR8sFbbA9PBJz8ohev/GziDeeZ96k7PgJSKo/zpHKA/DXnGxZ+iYLfVpxzdM+GK +VNa+fkfU4xt2NYPMG0V5YyzPCo2lhB+5su/3gNQRp0sn6bqST8R3o22m3zlUd+oS +uHcvKxJPqvxsc8DIUB7PYbWHUsSnS8b5NxA0DTwHa+1J19T5HfssWyGCz9XoTHme +ZaeWO1toSj2pFCaC1Cqa0ZR3kzMJABBzp04ZV4UJa5eFrgdp8M3ShZarzWCx//Cd +czWYk6k1CoVqYPfm -----END CERTIFICATE REQUEST----- 
diff --git a/t/cert/ca-client-server/client.key b/t/cert/ca-client-server/client.key index 41bcad398..742541982 100644 --- a/t/cert/ca-client-server/client.key +++ b/t/cert/ca-client-server/client.key 
@@ -1,30 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,61C44F36123FA0E6 +DEK-Info: DES-EDE3-CBC,07ACB60032712D30 -u9eMJqZr0XGsWx00JhOL/iZmnPZftVq0cCkrz7YWRwAEFTf7AV1HKVC6DhOFGDBL -mJLMlbXTxWo3pai012QJAkjUnXfa/DB5KnnUiRMu57mgYc27Hik9R968QbAjKT8E -4O3t6LayGkLGwoH8Hh9/V5HgDdFRnQLJsgVLkDOmv4TiybZ/1fV1ON8Mar5ThNiK -Rxr1k047nLP4STSm6RshTWe55Nbm5h4DBR5jk2REV6JneCDxx7Mdh+LyzKIiVGlO -TI5L3bGaBXVv5+/9B+dW/CFOsteG342VmtEoJYqJXe1lDkfMc3RD66pGQe450r6e -exmwZl0yCIjD1xxBFQE8qYWsQqtg65v9APN3eijaga6a8MImvpptbSdE15SitR7y -vgl5g0CdvVoAFPsBFFwlsUQZex2Q7BR1kw1nwUibYzDUjIdhTr50k7GPaHT11GXs -D2jAYyB02sfT1VXZaVYzOPTKvqv3BBaBjr8+5zoV/9VHPLVcaAq5SIeLjd1t9FWZ -NR0jmiaSTN7sSjtFK0KUmTqzoPpHk4oujPbklwFRJXc+r9eAkRmlIvM0gMv8kkF/ -gsH4OiZBvE7AivFrtizTdco4PdAhqZ0cRm1+3Tjks4zoD67OkeD6n05hPqqms8fC -mIOnyGNLywwz0G5QwpO+9xXUvu6QueqmYTgy5uDZmjO0rnyUyYfUbMix6J4qkaMs -y4Q37udBbSAdLkIFw7LF34VvBUmGpXKKrvtm+bt5wYfa/91EYe7lW/72elZQ4S5z -ty7zxaTUFlI+E4kLZeO02EKtkeNImX/X3bYmH1DkjH/SuRgpxCgbbbd24AQLLugO -VRt+E54J/JsIDLl9Mv6FwKXB/GY+3NEsOzlsdPCEJlY5UyGkoRmg9zDlpVjCYRop -OIxg0nSTaf8n9cPK3Jv9OxFkMVPrbJpHCLlN591CYFDne0uiuJ6BAmhM0f67y0On -ejxv0N4yG7BrmeVTygA0f1QuiRXwqFK4IuAH/B0psc+UlrRVOSNPSMrvcS/GGXqr -VX+9e9exV8V3vRcywd/wnN905c/XPLZ6+I0nH0DqwFDHbpW9QD7KcoUsdk2Lk/ns -87gX+LYrCq2Psolf25dVV7VUquXUrvUByfL2O31qg7IQS8aehYec7snHijYWY+RW -fiuF6rckB+4euye2SGY+7qeyFIbdJq1y32TKI30aDKLTprbx1wGk6EFtVGloeRd+ -BP80ExwLDkxo7n+VSsaAyvXAg7sIu4Gc3VBo5k0ZBT/gWgaceWsn8yXnDinTlVaE -t8dT5WaPJQCU86xUoGhddrO1DloZMyoWp42pM3sCZoWvR+MtO/xHQKVVmfg4suT/ -9nYJbJBc/YJ04Yc4GdnDmtPJH29gLbOewEgdyVmmpsEG4Aw3Dh12/ls5FAEcD7zV -ToZoYaOC+TABmemNtIxuJ/HBa7GKvopEhbZbgoNvRYv+5XNxH3JvSrj9kW0t3h9R -06cMKyNpX3wuosLMHWWoyBDkwoK+Ir78TgKF8iB11IPssIoe23oUV6/tt5NdPMh+ -s61D6fUHZtPN9ZyIgnI0ewQZdnbnG/M6hn7/kb8PEeLmIQquW2EfWr9+2LGzQN5Y +yTzuQ8qXHtMF6BEN3ABI3E3BBahIdd4iM7ziPXhtKlG3mtKvfPgpKxhZE0d6cZ6h +neaoCIAzsbtDGFQjc9omHCdtlrdJpvT7wpDq7Vz+VOLXK1aVTQgJuojb/2dpMwbi 
+Ibe2qHlCpPP6rUDkI+KT9k+WLlOBSf0OAnyjoK1G2b/cK6pVr/a5yWVObRj7UU0W +Nqk7XkHyghyneNYtWXilGmD+7u5kDq//qkxVR7mqGwqvm0vIIsMYJ8idiFGy02s9 +PA7iTu/THDmKkIuGCgewgBhuHCbO+PbXA3Cc8Xw2yNElHnjzVyTboL9I7QHf4CSD +KXp3seGQQjgf/1YfeJmRgVZF9MIcqZBt0vdgWnfbDRKDkyiB3SQYNr528lG6XCL1 +Z1n133ueJyZ0t80I+7g4IBSdPmYj2YlA0IldkIRqLpOInUkRTaajzOULJbuqBra5 +hmW2nSxzG2ZqH1hndpqnr/Wgk+UqcsUP4kB3gU6oCkODderQW95sSvFC0tkwYnTN +Av5em0urVlVAFFg0eVTJhL66XS7rysIDYRN8T/+iAjTuLzYqa4jpiaXG0xgIbdQZ +EFnEGc6sh3CrR2qO6TIVKuvflEEggC+UVtFa1RiW0KJgWrC4wSUVQ2MrRW0Jfwdo +DvccEFOZF0a8waqkTmZggADcBaQ6awgBYjE9cpPLq7/rWMVLFnhkdbStyKhHv8vx +jibju08pcZbrWtSo2CIe/Omftmw3MWFhIc6c0fBtclJCQ+8UkcPQF38IbUtKsfPj +4ZrcClPaF2NjN9g6Q/+Fv0hKvGzkXIY15s9pZMPLoco2Lh8AqDTzU4dMQPNHxRsT +pKowLPr6ZGHnQSotU8IoZgxmfDYx30bYj2+boSi37tpxmYa9Bt80jPZ8GRJnl649 +HsxIBzKMYZCa6C5KYnh7ULfRL92Dr9iN8W5mpIGD49jZ8rw0TflHVbxYV+Cl1wo/ +z+DLxC8cvp4fLbPCgNQ3rzKOTczqLg3s0x872E/3ec+rItzYoS2Xf03P3WIDdy2K +nMek99QXL8q8cCtheotucyuWKg95JCKAPZ8yAOR1AC6Kg58oyj7MPcVHhj/80xvp +NMV2h+lv3rv5DDqRw5AxBRe0f15R7yn1+r5yEVuabL3QspizdCebZf2Bd9IWbWUj +vtJHAnRzbGz3N9dqlGv3yIz5PNPn5UKQWnC1ycpghOzi7OolXvEgEvn1RunAgdMD +M0eI8jTWKJs/BPdmJ5QsDphqAmgjEb1LdBU8PY8FKbeYB7SBm9/WZ9TbjQjV0PY6 +C2OHy7RpxEYQE4310TEyineLvzuyJ1sR+WzCApLxhE5fUynOIHql7nWwvnJ2K67/ +QMof1etAk7op6rnoGYbDd3VaZXo35V3UvEAU/DNndlBa+HT4Shu7hOl6N4a0qNMO +xfYRD2If9GexszC+SFEEB6uNLtCy884teSjwERohfLl/+cZVBenqLGnQGPEdpMmT +4TFYbxdoehnKmhrNl6rEIjgWN6GxyLVKoZ8HYhFTxnhCISC6bDSrqmGY84joAktE +3d2oj145CpZbEl/R/oNggboyRFX4wb/MRkS0LazT4hHPkw3+ynYKsf4tvzVTCJWU -----END RSA PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.p12 b/t/cert/ca-client-server/client.p12 index dfacf68ab0dc463707fb4a9dec910d20b1ee18b8..63f7b99c6bc3099e69186bc71b0ac7a9bd050dd5 100644 GIT binary patch delta 2214 zcmV;X2wC^760H)DU4JXn+BCqiVj2Ph2mpYB14w(O{yp`>&7Q9M`!hE-BWT8f|6rMKM zTU&41i^$^;`Tn2?oZN<{I*Vnyjwo7V48cTv9V<|O+^?%y76<(f(SKZY-Q}ghbwCNc zP06k>ymH2|z~}<`zW@a8hy{)@$c#``dP+k1H6Y?Ig@5|n?;EK$oBDJWU|j{G-09Mv z>D$l|PHZPt2<&PIFZc1GI*shP$AO+;Ive!^XyvHJZ{p=p1ia91oSI?2#Q1goKbDn+ zzTDyJK)QwcJV58|?YtdpP`lp46K9YS*Fi;5HQ(}VmbAf+0@=Vzd3xsWxL;KU+8Ut? ze9cfU@qeWSZ8BNACF#0(RQmRmNkEQH3GK*mZ0K0g_o*_QnMY_BZ=&x*DT>E!3j*T=sw^w}BEd;ImLyLJCh zh#+B5=BmFq%m?}ye!!!?`77`fCk$>og98JIY!!6kcnx*=-H=3@12^8Me*vMU&c=>D z!CnC*eR_xO8GflUYb7)qPCnNu_Q_INhDXCXJ9o~rEetJ^r+0)IR}~yAOC)11LmQ^` z-61?ebvu@AoMM9r0mP-$6ehc#06qUJf1Qbh7U`qleGgze|=Kt z!vHxjl>!0?00e>r$WHp;8iWf7*6CNoEAxpT<)y=A{EzzH{KhY}&X-vD+`#$XFBKpS z@*x(ng>xA}!?@<9xJC>(R*@Qcw|bo=5inoDOAVeZsZp%BOC+B`E0cPhC~Kio8fer< z6M*!Otj#moj3u(HON@A zi6IjEg{D8Mh3v?iqps=J>z_{$8uc)I54U=G?#cR6lQaZg?StKG2 zJB8XFhN(eGN)qnzIR-H+b@lT-?tz#mKu(JF5-DGNUwqs`Mt56nkmq7PYMZJ)HtqGJtDxm53IUMRr);vvKl}6-mAqHW{!#y zaL?m@5;pwhxqh>Jf4Ekp-q?lxF9jjh`YVW;6quYNelZ!EF^8%|D0?K&GY1QgX<(p| zRr7-}aJr)|kz*A0W&w1kBP%uWrMFxOCv)}C!&=<)Rys;INdG5m$7{9kpANjoN`Au_ z0cv0pf0Bh*Q5del7LK#nnks;SzvDMho(mu6_Z5~orWW5@Y<`exC$ooojBoPdLK`Dv z`D!^qOu~Te8)~sYA1!+^zYEeNZFMs`(PJ8^^sJ_?YSB1r5#>iBTVn>eDeL zFe3&DDuzgg_YDCF6)_eB6!LaaWQxqozG=8IJYdOgK_|HCLO?JvFd;Ar1_dh)0|FWa o00b05u$a&TKZAr;q+sM+ft!^nF*6+m2(vIu)Noe!@&W<~02-`FCjbBd delta 2214 zcmV;X2wC^760H)DU4L@kQV<3nNelu42mpYB14!Dl>>9!~0erGyO835qNHixqRI6)t z&S`0;sD<5$o!Be4hFF5UW0G%316_w=A`Qv`ZO_pa!Shn!?sP4>m<-AuQBJ&HC=t<+ zr1ngM47H$<$I2s3u4IYI4G>?D{qzBn+t}M-BKX0uYbys~zkiE6c>604p#mh9iQbTeylFwV=6l)gJ;gss@QA;Z=G59VXb8CDZlpW*;a$nV%?eLclAFq<+^U7e2nmjAsg!l=Q|W$@ zJT;%I6qX>>Re#7z*7@O`7iCVB$~{8S)*EA{E#bWK(9Iil0Kc1E;Zh^0fm<0UqKBA+ zN~RjOY-92Q_@eGe05%s?vS-#DKaqO_7>P?HfNSO3f~vNTVa#xnOvfS49cKO zv70coW<+*L*T=PO!>@r|c?nm!j_+UG^Fa~Sts_7O9hbF$HJ=XxMIO*#!j=kZric#| 
zF9x7s*?&q%x*k6+M}a)4(I6*_RQp#8%5ebgV!+>)>I zNdQP}Y=f>d#fCZm4gV<-+c!07k$>GH{v1Ze=AoIT97Z@mY8tuW7&Nw#YyEEL`_yj= zQ!-ZG4t{2#JjUj^r;0h0rX9Bff2;kGK`vdC$bS&e2~L4ya}-(Q(VFQZA~fpDT#$zb z@80-al0CzeoaTO*TB`+WQqiqW!9|bs#)=9bPCQlOa$Hw4O$1jJilBe*s&-{ZMVAM} zpaHR^h#FZzPO%kxuql%EwvY*EXh^ zf?hYIyF10)AG;pJl%Zi(|BR|J9d$-bOVBCddoHPB?I2_$s=gj}#22-EG9|`haFRx> zy~THzPIIl4@}*7y9r`#VVbGP%B={2PsP9XP;?x=D$**z$V2MDEf4}&ileGgzf3Bn3 z^Hn%DiUI-%00e>r$f!jnOKIcqzRHx+QU1X|8tz(hm}oxagoz=#7evGEruef#ynM#4 z@eGSOp+7-f-*;S)U4LpQFT~Gi#66sSfjrg>=>#z0Lc4ZtQ_LID>HtyXk8y#)Iv(}2 zRvvq~8N`;Yao``5b?a7J$_?WNe}C_P4K-y=%%Wm@CftxkB?=hIsdjssY5)EIvos(N zxOsS4+C=DxqHTDw9gS+5DK_rxW2(IC{i5Q)7DnD};ULOnj{3h6mh5g3h6eeydg89dCcTSS`!B2IX{SNDEm*le^ivG1oq+x zAHmM)Wn-s8=nl|aCvfR}a$dQ78f?3UyA6;WPqga`AKx5ASe(#M-Zn zc<)SGi-_FxyO_@=X=>VEUtZ2(PI}|gQ_Vt%>6&=TXqYH_bz9t0a-9WzM-H5*ap_Gu zS`>&_i{}b`ZEq~z$190lf38_2VUfzUdiS5G{^huUW6f3t{CDj6ndMfs)n1qlSdC)H zr|zM#un;aLgT3UeYxMpl4~@hjD}`w5wS$=1TImH3IV#KV5ULkJXWL=dwge0G5&oqi z7|_X>!KGt?9p3i$OiDFNSJLUqJ^dPv!=JXZoXGr*Se>>94QZVge=LSsB)n~H@gY=( zdrQzMBY!#E{Rx2K2+#T?udD*z!B}Wk1cB?;O(qI)YIaAx`C`4gqZpLI~hhWnr>Q!)Hc=%;4O8ocr?o?LjD4@(C zrO2F86oN6jG3bsQe`gmocr`%g83}_VgyDTK=q#w|0+Pc9fbj#SExklz?#x>PLE0?R zKT@cfvb2#;!93s4Av6D6V!`%U-CFEyjpkE^ zRI$ch3VmCjpCBmkz#hd$?4Lx_IgwueEXZ9oCeHjqfCinue|)Dp9EHsG$NJ-`6tjDF z?Z`8fHWIE}t$KdRII>jE20ezr4}k@^p^1NI(VNjfg|ZRg>E6go)6gK)H$;I-n;%0E zHl>M$KgX^*5qpap3Yb#f5L|J0G+Z!>%Kn zQ#S4-<&kWSe=Cl{Ek%;W$Zbr0hjXl6SYsMz{>?)ITjuZKwT*;~LW(uS%Z<9-7@m;i z;9ac26zKTIR~JV^pWYjEVO9pz2~%7#ehbJ$<#U~_T3R2b@aLiyW(k5Cj>kE&%xzZ6 z*~fd#`jeCCA&Xzo$lMw2m#lUPtOMb@Q^`qx9DEPPy6faG3Y`GNj3ET!;W@W7c0L%@_$(&CMIa%j9tHJY zdSB?TpMvIP^UvALums*2kal8}&m=wP!l)ova2}{+QJDzWN8(QiuCFAc= z_Vt{ue_h-VDy~+{9~03XwHMMy+;9FM<8kHxM%%&J_VszM)ktZ3K9+f9x!_+yfFxhf z$QsVwM4a?{5sQpU6p#M&Yby%$n1MyUHB38n)8-;dz#*+RJII;esVUIW(=B0|W`8jy zFe3&DDuzgg_YDCF6)_eB6u5gV;#7s(3vx@sJOkKOXy|*f0kJSKFd;Ar1_dh)0|FWa o00b0e3JJPvTu~h?<9WI?QAom&PwBA)2nf92Qa^4$3IYNM08ffRhX4Qo 
diff --git a/t/cert/ca-client-server/client.pfx b/t/cert/ca-client-server/client.pfx index 2ac10de8c5fffeaa14822d728e825df6eb68fffb..1d3b164749e162132c09db195443db7cb4ed4187 100644 GIT binary patch delta 2214 zcmV;X2wC^760H)DU4NmHi}hl^@)iOD2mpYB14zjl@tFiA_9236j(E!1h(}r-y;`W) zIXV9{#+j7QKypB~~!3ymo3qFr@12 z)CLXXlbhnYj&|v~F&x#Y9OUc*9x(E^4*?f$)PrTK=Kkx4fiMBqz%3=Hwjv&Is<4@3Ko-C1t=~~zhiWdJJ8`}P?=16 z!)-C8&&|Ype7)1K7LhTAMW;dxiR$}iZlFusR7(hE3aLGTJEQ$KL=}E>*KFIJ1$Np^ zJ5-X(0>Q^{XY=^voDVb>ajasW90>k!Q0+E>1b_ZY$^wmR$ZW`a=({Rr>7R81b>O!Q z1XetAN=+N1CeBiJK}h`Wc+E^NWn$hR13WQ|n0P-kMyM-%{jk=GGpYTVGU_-+A)3S< zJ4(4Iu#0V`)rC~e`Y)NCm$gknP&P1El}1ol^0>My+>CYKiSN`B3^&DU1T))ww z>0Ue*QOXsg)STn4+M<6Wf-$~c>|B(mw>5HE1oe?S4)-b#{XL(o=y!}2C~5di*8?Qq znViGGqMly+r$U>CG#3O|ml_#?3QwROY%)m>nW0vXgpy)@O$F=J12rwBHYRLp&ts*K5 zn}Hi8j_5EF##bN2El3M8o~9jWe?-#w!$X0j3UsPEUlg(-T{Y7fpk6g49@v4Yc6P(v zRu`bhpEVYVI1aSQhHaJ33TVCzyA&O`!7SXh@Ct*JUm7#9Q(3Try zsc+4@&YabR!oc!kvQj9x^)m9v2!Wq#mc9pp+Q5~=ka69}@quwi>b$OSf1?qS9iFU* z5~M_bx%KZG`SNM4qPb@o1;6zxJ_Xu7*eRc!{ZxLf)5Y`5qPh6ze)YInn=S)#tU-BuW_Od&Eov>3)wzEmCZeKYj>j%iihbqdraQ??Jc zx$a5L+Ar(`P0I4X7D!GybTOu#P9^IthLsr;U#Tr4i+vc7&l}I{e>of5kG*6*K;^dS zV#86i7oV6RW6C{dJc405|1;GlQOJI^D`u55K87muw7YW&#Yt&VS=?TC;w;uV zFBhwcZdanCd->jde~8ipn_QOpqt9lS{qog_vX2N-=Ct0xH5r;(UUMK^ z3cVlWIaiN(BQh?oXxVKf>a6HS7YL`*&qDj1BGtj+t@YPm99FHx?F6juE(6|6j4u$p ziX%7sVX_j<1$_KjTeS_27haH6J#^`_FNzf&edce#iL2-9e=wEEe8t~d$e>-8-Fu5R zbx$=jAjZtS{Wr&gkS0T;Gf*+Cld}legQ*xP9ZB{LX7~A8Dg7|O+Q9KJ=%z_6>!9>E z(8@G(XR`ov?1erYhO?}ugq%H0xv3Vv4kG@r%ve5`i-vw)w6e@)c7 zvD$*q21wPV1U)V^(xVzf2q`B%BBhc(i9L6C^Y1f%dF#!RF; zL+dGgytz2@g#Pp~0Xgj1H_yu;5E@X8g=sGQ?Dowfe{W_nMP|aB#>6(-Xl2nu1~fyJ z-$m|Jk9Yh&%{8O5s#?K2S(iPmaf)`YDqt8V)-vVW!HM9hHKMv5Izf{=^a}g24?bHLtlz-1hg>I)QVF(T6-1fRz zfZsA33TYS7Qp$yN^D!;&M3WhKg}q)MGl+*4z#GaG*V_#z%NER)EkaJtrxdQC`~b}A zClJSqVOXJeH(9L5pVC6d3>T*}O_9=`LhE$T3jp~JgZSv#(2wHYMyfuAz$@IoP-ZJj zlFHNal=o9g{C`rbP1H3h(SG(cE*jDR3(H|i4s)<(1YFS~(} zLnthO)LsWhZtgJ)0h$Yk1Qk)y9|g2f#;Wx?(}F>btABF$()BNL1gju2z+4WAB*ft^ 
zjuHEt%jABKAHHL!x>2iol_J zO(z@%Jdd#vS352<-8E}hCBaS}1#QDRbsY&F*D6ua0H^@g@)ndlk)cK670TX%aSbr6 zPb?>;q3)g=f1v5xC$g}mPnVMckFXyatRUXv~R z{(sJUeR(BDil6X?-oX z7G9uj=aJ5i#ZkP5?25LT&@*x8G`q#_P652Nc_L);=7~8aDk#^O7DCZEm>4RsH%4ZR zOr$Oy~MwvVL(6|A|7`5_*K!6uf@*O5UJKlfOPImOk6OSy@Sm^zjI z3s+KbE!KCJfK?q^&nZuQ4}0*5m%F(2(of^fJYhn`%>9L6mjH4}bvqSs9)^#qUWjtY z`xk>jUBXS=>ZjA_gag5(WSNh$e_E>t-b$@g^D)Qg#hO_Yf)Nwn8Te@-T}xOn6qjUy z({{2v}y=6obr1a#%9j(?Rj&f4G5jXXz-y zBhxp{-ap z&$!G;+)M)N&x1(h@r8Rre>gJ@d8f41f)LYx{0o6YXnCx&gEUDk+F(XKhL+4T zD-iZZu=&j5t9TK9ltO$o1E(W{1}RLN(}M<2X>p7z@4ZjMoZwt3MaT3?)Ygv2qhhJ1+G7<9rOtB=+|j4!jRA}a%UCaUZRuaEsdJve+rY*Pbb}LDhTXA zMa1*`Tq)2vk2yS%D1`4Bq`=d~+scE9Yib631z|!sBc*s-8UzxbZmgo+Dek|*Da#M- zej^)_CVp5KnBZ24_W*Vx$UQ{ugPuGFyf1-+6qIlGC7#bicWWL+TDpxXaEDk?jjozTlL3P$d+9|QL(*e4}7XV%&bu~`9+O8{Al)X z_TXzVS23S0xVe8ZCxJ^bo2%=>=!eXE zjy~89gJ(VBe=T+2Y)u1Lh^DEI$ap#6IlE-(XTQdUCcMa+TLbN9PDkb$scYru1DFRb zg#v;RLi*Ao`>AUD2!U__*ExmB`gjuI!BI!*qZh5MS>(;8tS!2eJtH56UVj@x!7ATo zv?m{{%#VAo^Xh+_MG{f%Uj2;6(<;b`_*wq%an5`?f0<%)N1~JmI?p-4Os#OzNK~eT zCcI}3r#Q1R-*xz#LT^iXletKNU-$zhU*($C2wOV;kK1uvi2!*5aRYjxZicakR*bhV zaw!_;OYh~R*kbn9#%_vBL<#JFng$mhluz^nS!QbdLvijEejAEamh0lMgBbta12&AU zn4*U!e~-}a*7^uc>BS$cSC@2^e-pnfIYTp3eh=RM5Ra{UGRwmlg3z8eLqz;eHWVjT;4Gy zFe3&DDuzgg_YDCF6)_eB6u5gV;#7s(3vx@sJOkKOXy|*f0kJSKFd;Ar1_dh)0|FWa o00a~(T-TV56C^CTqTxY6 Date: Mon, 8 May 2017 00:51:58 +0800 Subject: [PATCH 17/23] travis: empty commit to trigger travis-ci From 6fbc8a20704ab4a8479abc4d545b8e32f7fea612 Mon Sep 17 00:00:00 2001 From: detailyang Date: Wed, 17 May 2017 13:16:35 +0800 Subject: [PATCH 18/23] style: rename variable err_buf to err --- lib/ngx/ssl.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 28db5c0fe..6573f3a9d 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua 
@@ -67,10 +67,10 @@ void *ngx_http_lua_ffi_ssl_ctx_init(unsigned int protocols, char **err); void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, - unsigned char *ssl_err_buf, size_t *ssl_err_buf_len); + unsigned char *err, size_t *err_len); int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, - unsigned char *ssl_err_buf, size_t *ssl_err_buf_len); + unsigned char *err, size_t *err_len); ]] From 930aa4775208afd0658926af18ec021a18a63edb Mon Sep 17 00:00:00 2001 From: detailyang Date: Thu, 1 Jun 2017 14:59:28 +0800 Subject: [PATCH 19/23] feature: add ciphers, CRL, ca, cert_store --- lib/ngx/ssl.lua | 106 ++++- t/cert/ca-client-server/ca.crt | 32 +- t/cert/ca-client-server/ca.key | 56 +-- t/cert/ca-client-server/ca.unsecure.key | 27 ++ t/cert/ca-client-server/client.cer | 26 +- t/cert/ca-client-server/client.crt | 26 +- t/cert/ca-client-server/client.csr | 24 +- t/cert/ca-client-server/client.key | 52 +-- t/cert/ca-client-server/client.p12 | Bin 2349 -> 2349 bytes t/cert/ca-client-server/client.pfx | Bin 2349 -> 2349 bytes t/cert/ca-client-server/client.unsecure.key | 50 +- t/cert/ca-client-server/ecc-server.crt | 18 +- t/cert/ca-client-server/ecc-server.csr | 12 +- t/cert/ca-client-server/ecc-server.key | 6 +- t/cert/ca-client-server/generate-cert.sh | 1 + t/cert/ca-client-server/server.cer | 26 +- t/cert/ca-client-server/server.crt | 26 +- t/cert/ca-client-server/server.csr | 24 +- t/cert/ca-client-server/server.key | 52 +-- t/cert/ca-client-server/server.unsecure.key | 50 +- t/cert/test.crl | 11 + t/ssl-ctx.t | 488 +++++++++++++++++++- 22 files changed, 852 insertions(+), 261 deletions(-) create mode 100644 t/cert/ca-client-server/ca.unsecure.key create mode 100644 t/cert/test.crl diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 6573f3a9d..5d7795856 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua 
@@ -9,6 +9,7 @@ local bit = require "bit" local C = ffi.C local ffi_str = ffi.string local ffi_gc = ffi.gc +local ffi_copy = ffi.copy local getfenv = getfenv local error = error local tonumber = tonumber @@ -66,12 +67,34 @@ void *ngx_http_lua_ffi_ssl_ctx_init(unsigned int protocols, char **err); void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); +int ngx_http_lua_ffi_ssl_ctx_add_ca_cert(void *cdata_ctx, + const unsigned char *cert, size_t size, + unsigned char *err, size_t *err_len); + int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, unsigned char *err, size_t *err_len); int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, unsigned char *err, size_t *err_len); +int ngx_http_lua_ffi_ssl_ctx_set_ciphers(void *cdata_ctx, const char *cipher, + unsigned char *err, size_t *err_len); + +int ngx_http_lua_ffi_ssl_ctx_set_crl(void *cdata_ctx, const unsigned char *crl, + size_t size, unsigned char *err, size_t *err_len); + +int ngx_http_lua_ffi_ssl_ctx_set_cert_store(void *cdata_ctx, void *cdata_store, + int up_ref, unsigned char *err, size_t *err_len); + +void *ngx_http_lua_ffi_ssl_x509_store_init(unsigned char *err, + size_t *err_len); + +void ngx_http_lua_ffi_ssl_x509_store_free(void *cdata_store); + +int ngx_http_lua_ffi_ssl_x509_store_add_cert(void *cdata_store, + const unsigned char *cert, size_t size, unsigned char *err, + size_t *err_len); + ]] 
@@ -275,6 +298,32 @@ function _M.set_priv_key(priv_key) end +function _M.create_x509_store(...) + local err_buf = get_string_buf(ERR_BUF_SIZE) + local err_buf_len = get_size_ptr() + err_buf_len[0] = ERR_BUF_SIZE + + local store = C.ngx_http_lua_ffi_ssl_x509_store_init(err_buf, err_buf_len) + if store == nil then + return nil, ffi_str(err_buf, err_buf_len[0]) + end + + ffi_gc(store, C.ngx_http_lua_ffi_ssl_x509_store_free) + + for i = 1, select('#', ...) do + local cert = select(i, ...) + local rc = C.ngx_http_lua_ffi_ssl_x509_store_add_cert(store, cert, + #cert, err_buf, + err_buf_len) + if rc ~= FFI_OK then + return nil, ffi_str(err_buf, err_buf_len[0]) + end + end + + return store +end + + _M.SSLv2 = 0x0002 _M.SSLv3 = 0x0004 _M.TLSv1 = 0x0008 @@ -289,6 +338,12 @@ function _M.create_ctx(options) end local protocols = options.protocols or default_protocols + local ca = options.ca + local cert_store = options.cert_store + local cert = options.cert + local priv_key = options.priv_key + local ciphers = options.ciphers + local crl = options.crl local ctx = C.ngx_http_lua_ffi_ssl_ctx_init(protocols, errmsg) if ctx == nil then 
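Review bot: In `create_x509_store` each vararg is passed to `ngx_http_lua_ffi_ssl_x509_store_add_cert` with `#cert` as its size and no check that it is a string, so a table, number or nil argument raises a raw Lua/FFI error instead of the `nil, err` return the rest of the function uses. A guard at the top of the loop keeps the error contract uniform: `if type(cert) ~= "string" then return nil, "bad cert at argument " .. i end`. The same applies to `options.ca` and `options.crl` in the `create_ctx` hunk at -301,20 +356,53, where `#ca` and `#crl` are used as sizes. The diff does not show which encoding the C side expects for these bytes, so a short doc comment on `create_x509_store` stating it would help callers.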
@@ -301,20 +356,53 @@ function _M.create_ctx(options) local err_buf_len = get_size_ptr() err_buf_len[0] = ERR_BUF_SIZE - if options.cert ~= nil then - local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert(ctx, options.cert, - err_buf, - err_buf_len) + if cert_store ~= nil then + local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert_store(ctx, cert_store, 1, + err_buf, + err_buf_len) + if rc ~= FFI_OK then + return nil, ffi_str(err_buf, err_buf_len[0]) + end + end + + if ca ~= nil then + local rc = C.ngx_http_lua_ffi_ssl_ctx_add_ca_cert(ctx, ca, #ca, err_buf, + err_buf_len) + if rc ~= FFI_OK then + return nil, ffi_str(err_buf, err_buf_len[0]) + end + end + + if cert ~= nil then + local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert(ctx, cert, + err_buf, err_buf_len) + if rc ~= FFI_OK then + return nil, ffi_str(err_buf, err_buf_len[0]) + end + end + + if priv_key ~= nil then + local rc = C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ctx, priv_key, + err_buf, err_buf_len) + if rc ~= FFI_OK then + return nil, ffi_str(err_buf, err_buf_len[0]) + end + end + + if ciphers ~= nil then + local ciphers_buf = get_string_buf(#ciphers + 1) + ffi_copy(ciphers_buf, ciphers) + + local rc = C.ngx_http_lua_ffi_ssl_ctx_set_ciphers(ctx, ciphers_buf, + err_buf, err_buf_len) if rc ~= FFI_OK then return nil, ffi_str(err_buf, err_buf_len[0]) end end - if options.priv_key ~= nil then - local rc = C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ctx, - options.priv_key, - err_buf, - err_buf_len) + if crl ~= nil then + local rc = C.ngx_http_lua_ffi_ssl_ctx_set_crl(ctx, crl, #crl, err_buf, + err_buf_len) if rc ~= FFI_OK then return nil, ffi_str(err_buf, err_buf_len[0]) end diff --git a/t/cert/ca-client-server/ca.crt b/t/cert/ca-client-server/ca.crt index 9e64ef695..c2c4c8468 100644 --- a/t/cert/ca-client-server/ca.crt +++ b/t/cert/ca-client-server/ca.crt 
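Review bot: When both `cert_store` and `ca` are given, the `ca` certificate is added after the caller's store has been installed with `up_ref` = 1. If `ngx_http_lua_ffi_ssl_ctx_add_ca_cert` adds to whatever store the context currently holds (the C side is outside this diff, so this needs confirming), the certificate lands in the caller's shared X509 store and becomes a trust anchor for every other context built from that store. Either reject the combination up front, `if cert_store ~= nil and ca ~= nil then return nil, "cert_store and ca cannot be used together" end`, or add a comment above the `cert_store` branch stating that `ca` mutates the supplied store. `create_ctx` begins and ends outside this hunk.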
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC7TCCAdWgAwIBAgIJAM0KJFGpzyyYMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV -BAMMAmNhMB4XDTE3MDUwNTE4MDM0MFoXDTE3MDYwNDE4MDM0MFowDTELMAkGA1UE -AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9Tg7yQoZq4xM6 -/Gl5+BIN3Hj+4GPhBW9Q+gitVSHNVaZU1gDqt6Is5jMzK3/id2keDmVVraAHLpOu -+IoLae1iU29cnAzIWAiYxLMSVvzfka5nqkFcyEes967EsPEJrE/omI8HgVgBi7M8 -0SGxeTBjFtpp7Q4GHQFBRU2DmREfzmvU4smFc29LNPh0y/GAyhOtTPK9hoQPVLRx -fHHzIq48pDzY/G38GCCR0KL5tVT3Ln/u9SJD3OXnrkEBJOTGUWX5LATyULKcEBGm -fIK2xOOEcM0OBSE5CRrKKvioNHaDnNgp4KZ2ZE6KIMwBT0nkRzx/jA22/zAAQs15 -RZ/51//LAgMBAAGjUDBOMB0GA1UdDgQWBBS4nNeF58CTALtsvP10v7m5mW3XNjAf -BgNVHSMEGDAWgBS4nNeF58CTALtsvP10v7m5mW3XNjAMBgNVHRMEBTADAQH/MA0G -CSqGSIb3DQEBCwUAA4IBAQCGzzsh8ea3OkjrRia2ijPOUZ+NKujO0xkQLPUfCnNF -HDXJkdt4w1+cq7P+ioLe4t4XN4MeZ7KM7AOObHtRo3drKXP2rwhGtFBLwD/VRwgS -ndWRvLdgJJaBww+HYWykVV27LD9Q9Iw/+4O7srShVaD9ia6i6UhlEFaio63Ra4cZ -NavE1LJzBSoJDsCjiaMIaenv5EsfwOch1gXTCFcmQSU17SmZ+q1K/ouql0kUEa9g -LaGQndHOWc0J9sZijCfqqLaIBVoFckrh+eRXKR0Sg10LjbIWZrDNjXsBnkVJtLMV -APcTBa3PS2eGl0Yg2i/SeTUd+oRRadeVioWTejBV1zaM +MIIC7TCCAdWgAwIBAgIJAO8bo8Y6NOllMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV +BAMMAmNhMB4XDTE3MDUyNzIxNDYwOFoXDTE3MDYyNjIxNDYwOFowDTELMAkGA1UE +AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7mHzd9g+5Gthe +h5sr7a6/0JVTw+LtKA08IxRb7LqvHHiKsgoweKo+RomYtYvlNSZkROzJVscd85ND +xja2VfEGQ75Jf01+27pOgT+Gt5ZPVGIzr0KI/R9pWPLHeuWz6HkoLe4KTRJiLnPF +gvDWXKkMaGSTgul4W8PHWk+9ybEG/Tmm+48VlRMFrs1Y32GYsX4dA/CmPPbQeEQh +wIgMMu5NbTebxnK4AJ3sY3tZrm0kzXUePE4gXcj5GQNbnIr5cM2BsUb9QPCf+Ooe +PjBZiS9Ek8vDD+rVwZTVXiiSfWG4/7CJF/vPuoi/BhbsFKrZtqXWUR5MUaVs83mf +9aIDybjhAgMBAAGjUDBOMB0GA1UdDgQWBBT3QiA6YNIPWK5th89XtcHs6jv03jAf +BgNVHSMEGDAWgBT3QiA6YNIPWK5th89XtcHs6jv03jAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQBIcwH1BFK/cRc88XQQFEHOkvFLlfPnnHPdLv+iyQ9v +BsoJZVh8lzLFzYLJRRPdyqbBxCwRAna86v7MfwGAEBseH5EnIFsne1iV7o7+wOKx +WY/p+Q4B/fOWVdzxVd7naDIeH00dvhxWP3+E7F2KRJyUUehQOP4XXVy9sVlny/U+ 
+kloGu4i/k5y4wkn+kdmO9buH5hPEbaLv7Ud2A6J5brvqhktT1UIeA+jBycz0a5kH +h3x3DLq6+eeE8WuI1vLtPDJIAQXvSlKss3IpXcRf1r6kOtec6rpyjRtCGobL1CxV +QWWNRRLGjMRZSMlQAgp3QAmWbIvpKxxLwkEJUCtuujuR -----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/ca.key b/t/cert/ca-client-server/ca.key index c59d56e60..da7e22cb8 100644 --- a/t/cert/ca-client-server/ca.key +++ b/t/cert/ca-client-server/ca.key 
@@ -1,30 +1,30 @@ -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIHubYMBY2WEECAggA -MBQGCCqGSIb3DQMHBAiAutcERUP8PASCBMin+/7JEjwfuogJqvH+NtgLrqxmhWvG -LbjCNcjb2AeYWEYzG0BtOKvqKuK5zpJL2++uCxarAGwz2GCVbQvtKWEuDN4k0oUr -LL00S87jkAIfT1HQ6GBKmbEZ2PduoTkl3wy4n9lcegD4FaMn4oU5UpdNlEALXZl6 -DQNgbsWXsMzkjzHu+yt5VxfrVcp3tyyZztbRNnDDi0Gka7dkokwfVJwjj61Ra51r -48iASqqjOtT8spXo6CyUC32CRE/F3MKrscdBTHa0/37vgobKSUqy7kcNkXVXpq+4 -HPzUzCtBAs7BxZD+SoKtAIEap7Nl81yWvMrkVM324dzhIRTw5eg83mPpRp8V0q5S -A7ntz5F3Dm73jCpz2uRwwYdoj2uIqi2JbxRdSguSYTTwZ99Dgv4wN33KlaDmZzMP -i2Ouk3e/xJ3lZpv3s4yODxORw0yXOfawIEpz1V8wwRYpgHpzKdlF6WmNoTXDGo51 -o0PmzsAsdWq5W6SXwgIR1uqKzgfpynVSVxmeQzMUkrhThmngmVxW208n8a8TQm9p -ZZTrCt3uxVkHkgxsNa71/jQXMBZnZ8AamgzstFM1NGpDTgiNiVb8M4/8238NGTLG -Iudz6l0ff07xKjLv+ot93vFNLvGrxMgE/O3x+Dq0h15e9er87dnpOgV66PLajnd7 -qugsyPbFnodc+ETVA+7R1GXwqOxKtqNxVUpzNtw27NjUSeOD4I8aVuTLCx0hNIdS -7cgHnKPrnts2Y87JlPslDxVZuutRaLJM8XVzsjTdZ+RQYMZOHF6p72kBPuW4xrqX -MqON6nrUginC6/UIZR9SXs7RTkbikymEKPOVa8qjHdSASAKYa1WwGcMPVNktZ10u -YnGyx+Tg6M3SC2+o3q1ga4wUiNW0RWXtb5k2vah7PFbuzDqvgglyrDxb2/buZSSS -37sv86w3ApRV1MB7qIGmws1PkjEZAS6EVZrBqtmzhLr6xg/ZnYThr/84vjEsy9P4 -8EbU/rj/7cQiHJsAzT9EGVZX4jxhZ9OFdT7vg7+ihPZ+TAXKjDyhESpr4pEyo8HP -yyasWbq0PWYcJqEg4HVTYVIYNaknM8BCuMTBG2tJxvaBLpHHBqmYxygFROhdRvbg -liBI10CFj5D157xSQx0Fb8/wc9e1BzOjTWVtlveVJ8gcGQUd2Dqy4sWUogYlWbbW -qkOapqYy1sSXHW/vlO9TNcaxOnWHmmkmpc9VKqu8CG93sreY21d0Y/GGmZB3+VUd -NU9zDBfzNaJfvJDxM4wjVYeCHexddf+gwg7jitvgtITV89epG6MWZgiX1c0ezIBQ -/Mw1zleae8p4ut4sdhr7OE4kbv/787DCE+eztbH20bDk0ZxkgaeJb+shTlUfFxC4 -BXyG7BAVsmbNaurgC8hJJbjgDJ0Y7PkdXVPFZpcn2gsxDQ2nxcOQhqfEAnZ3JbJ/ -UKjxj4DxPsUK4pSIRdjTJV0FdxG7YGDnOF9Hpw2VfhMnbpcFz+ZmM/EO7RplXHJP -gucdAmMhGsnzTIUnH+jBogzKFNskpOBshOxlfxt3XDl/dNzH6dolkbCK/nyz8nmY -acbszKMN+RvV3RT8C9w3fczqGQbPulz6y1pnzx//OjZs5McXfQP08flVK1lYrAPl -3/k= +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEjDowCzAg4ACAggA +MBQGCCqGSIb3DQMHBAh3lw0oluucPASCBMgFFN7lYaWHeb7Hv7f9+zc2kD0k1sgV 
+S6N1uHwAxrhYouFqrYI2wtvs+8ow4oefTUU9gTyouQXzhoykHFaSJw3FixbeQB56 +Jk/5X9Raq7zLZvTapkINWUE3q2ZOpzfXPlyCw9GkVjYhUSM2S0O+sKl2lco2SsNS +T7Vb8lNLaIJs8IMg+yDpGquoEMh3rQ4dywOuQ2to8/bxJYXo8o3L3lciaLTCGVCn +SOkjX6sUuFZJ8hR527z9u7/W4W2/HN0zRcGpyCDEswJGrDVV+b5nqHvy8KN3Yu5e +dwUErUvQmOpbDog9C+aNgtVHcD46rt21v9/FnQ/hEFNMx515lZVuH69BlaHWikUg +6QmUPAw7xb6kMgeVntFadPEMBghbqEXZtgXWyV8bxUggRRcE+pGphYcotMfx+6dR +JF6BBqo0dTlhPzzCqoV0wlumnnMbNwUSRlRsg25D+WC8dz5O0kj1Pv5HW/ccmiyx +8warzJlxGUSlz1wnysQ+Irgw11/ZnH3hcAywDP/8Jai2Mcml588KLm9QuPCS2F3d +QUmX9i7lYz3rJO0uNkC5eLrzB/LGRHFsvdxWUgUXh1HBweoJUN37CXY5UC7NQclA +xPI7Ocea3HgPChZ7/y9P0mVVEp9gFIpD5+uVb9GSR+zRv9y0aA8NrFyPWI+IBZdG +QDdC37LXjooueYXgDNMGsulb1UXOkUol2+UCxYiq12wjJ1eo3kfezswGCm7sSfl8 +7hve78KeaoJwFFJTgDKY5O8xZMbKDl1SMcfsZT/z2yu4tmIXlDUq3iLaWy1u2Spt +tUa8fsGOkP+bprsFVQIyJO1cg9nrd2FLei5wkQZWDGq5nTjJfIDO4cUJx+vlGDQP +AWh8qy1CNRQoFwZ/xrqqwYiO8nZv64FMweVun2R96PvnoaD8hB1pfTfQ6kg7q8lg +uNQvTgCfiF+6dR3KFOf29GpxGqGsvBe89k5EVOW2nmxvBoPb/VKXOC8zEcRvn71n +dgrEK0nd/AhGEdvnIR1RT3+42Hae50XV8sF1tX8ODNgPCON4f3qECe5F1RTVJdx0 +ZG/Jab/zOA1n1GyOqVSMWWZFIbKLt0U+XAhIO1HWruvgBDiMVxqk0cfjbMPFtD9n +yPHQPAMLZy7gqa96UD3BdS2YPSxJhLUqBtqaHwC4tU+LRoTBpC/Uiv6Ee5ZF2/OE +EnXSlCaPzzgW3KcPlf5q9/b4YikqSPVo3G76ouCdyHC/XA6uwd1ik2SpVQlZddth +rQra+UcQs6000hg1VP4yPOz/R5Jsd2GT+eA2ziYLKr959Lh32iBK+pnepWxdgW/y +jAHvfh9ysyUYUyGTIMQuMZ87r5DrsGcOoWIyuQeqFehlFze1RxGn0e7/ZcIUJhI3 +dnPFPpM9uGnNMpK+qzewj+zLBtVJ4rZJ5x81A65cSXL389aHOTuRxrqK7K0Vslk9 +EWmAd+XcuKEXnhWMtrugm9zxlEWbJzVDsX7IeR3kd5ewajTeOmS/fV8D5K57JQhH +YhlITCOHTWeUz68IQ2Dwb+XvmFM+Ijqp0YJq0cxOXy9ieuhbAjpG15P2xYmib9J6 +4WivnLS8srLkumTmMmTng3HCVHiJTxvsELJBWBYvegrQiCo5MYZEs8ql3N17XNXW +0io= -----END ENCRYPTED PRIVATE KEY----- diff --git a/t/cert/ca-client-server/ca.unsecure.key b/t/cert/ca-client-server/ca.unsecure.key new file mode 100644 index 000000000..f5629b2f8 --- /dev/null +++ b/t/cert/ca-client-server/ca.unsecure.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAu5h83fYPuRrYXoebK+2uv9CVU8Pi7SgNPCMUW+y6rxx4irIK +MHiqPkaJmLWL5TUmZETsyVbHHfOTQ8Y2tlXxBkO+SX9Nftu6ToE/hreWT1RiM69C +iP0faVjyx3rls+h5KC3uCk0SYi5zxYLw1lypDGhkk4LpeFvDx1pPvcmxBv05pvuP +FZUTBa7NWN9hmLF+HQPwpjz20HhEIcCIDDLuTW03m8ZyuACd7GN7Wa5tJM11HjxO +IF3I+RkDW5yK+XDNgbFG/UDwn/jqHj4wWYkvRJPLww/q1cGU1V4okn1huP+wiRf7 +z7qIvwYW7BSq2bal1lEeTFGlbPN5n/WiA8m44QIDAQABAoIBADMPaD1J8jGh2u6v +3k5wnTXcYiiwkp2WXzPVIH98ybtL9otZtmhHD59vt5f3IiK6+r4j/Ic4tW2zlIvH +8bBjZ/0ahzqeCcvTprwjddUHN0RUZX5H38ZFjz0vVrVxAACd8Aw9pCLto2lR13UV +FNRj2Cdmaqmz4jQ+VeV28Wlo8mRCJQnEXXr4P78lxPqaWYE8CTh+Xw7PdyaAaMTz +I1uZCVeNhaks9SABXdCU2vAgSS9OtDco3QAHbkOfJAhuxPDygDOBDXuD6Cjno246 +ChND68PdTjTa3Itn9M0/KsaWQAwUQjp0chlp7I318ukGFGt4FI/2P5mbJy2gNLp/ +0v8tQAECgYEA4jZJQKtK++14CJPj0GTjRs70JxbkLLvyE2OYzeimJTFhwg+e39uM +fiHbuUfX506VOLalsxJIgO0qvhFlvm3sWBPzIZREQjl5SYjeOcemV038cm/T8MxE +s0VtCceGQVENld9Zw3lJg5JYEkVbNVrnveUF8R0siZtRTPer4Eheh+ECgYEA1Exs +vdlQy9+PxiupgSKBHSYrsWAQ3F1DaNZTAafV2W7XAHV4dCoAXlXQst8wUKCwy2AG +JHE+uVmb5g9rVYTHwA5JvgO7gH41vdVjv2JpaoXNeziGf2o8150lRdxficTo24G4 +wjL260lKCK80zYEnmN2mOlxepX6w+uBsPGwNUQECgYEAgw2QQrb6KhnZgJ6tTP4l +7c/YAw1wA7qe9DyvOhuepc2GJTeHg4leS3SyJxVIL+mG6eRm+ueMuaStLpBFsZ1d +X2mvYbTUFsnVSpTQqgjQhaPYrTO8RbUR2ApQsWm2jgC3LizHhEewH1mZTHyB6tdP +iuQ0HQwZ0V76Ku0R1k4W9gECgYBnOp4pllD2QUfMyZBLbXawsM3QGvE35dWQVZ7Z +ED4o0v+ShoxCl+XD+SBYybPZkLlGuvNhpvsj71GiBV9gnwbt+UScM35p1XTWULuG +5RhzJoqq3upvbD4XbZ8hIC4IdInxqlsnetabw/BO1rrrLmENsMFSYXXYLQlrg9K9 +cqDrAQKBgBTzs/jwX3cVdc+lOxTqJ7FdSTJ+RAZx1oD9ZQxrnG+ELYAo964Xp3iO +XhDTthN+PkDoBlLi/fikyhMCHSZjmcHBP+E+XteRKs4Sm/Jfc+gKs8IYfrR7j1z2 +jeo/Nc/CCyNnyPmZ3yRiDasCbZDZntrlLFlmfxjg3MvBKLZlTJVl +-----END RSA PRIVATE KEY----- diff --git a/t/cert/ca-client-server/client.cer b/t/cert/ca-client-server/client.cer index 03bf44f25..2bd437134 100644 --- a/t/cert/ca-client-server/client.cer +++ b/t/cert/ca-client-server/client.cer 
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
 MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw
-NTA1MTgwMzQwWhgPMjEwMTA0MDUxODAzNDBaMGMxCzAJBgNVBAYTAlVTMRMwEQYD
+NTI3MjE0NjA4WhgPMjEwMTA0MjcyMTQ2MDhaMGMxCzAJBgNVBAYTAlVTMRMwEQYD
 VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK
 DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDUgSzFaqPWaU8jlHJEZH5UJYCy5Y34ImUwSb3Hf0xw
-Xn4phlWAvtvA7QcDjiMlMaDJRGwfLpQkg/7SwGFwahHBt4LZ1nJ9pwAndFpK32NY
-5QexMKBSAs5C2w6vV6EcKaNE0rhDuxEeXhVqWzZtPV3GjrA6xZSqUcgzESvYDw6c
-NySls3XXEYiOh+3ejms/8MSRQuHxkDyXraSIrlsg+WPWDYK1Cq2zigLTalkYl6VJ
-08RChhVqD5wDgZuTQaO9IJnx0kflormQK7cwOFYD6y/5OVpvtEilrMY+YQMgTOqs
-W3y+cSPCuC7nI1HstZK8g9h0PakUItn43EwimHxexWdbAgMBAAEwDQYJKoZIhvcN
-AQELBQADggEBAITcoW3CYirApxuHKoBee12/exxJWrL5jp5d4vbL6p7+EaP13Egk
-OVkFOtGUCHeIf8Qu/q/AvQq+pec1V5hNuo+b9ISHya9hslWhEmzXCro6ABB41emG
-quI4zxp0RmF7knNOQDmsgKq+PhQzN8/YVRKIdGeEDIFSZgOCocx3nQZhSyWkCL5Z
-Jj1FgU5kSMtS6wqMHHmQ/RFzIEV6qBaA0Xb+Cq42UoiI9dd8GfywMqsaDdGeXPGZ
-YdbnmGAPY6qBNesrmPNboCHF0TD8SxKRIJP/WX8Co0WorxDmri78lKHC4hjRVBJX
-V4J1aGfQRZzpLDfXtSRVzddYcgoKTi8MZeQ=
+AQUAA4IBDwAwggEKAoIBAQCyeiP+hYpqsoFsD6vQ5UT4CZOIg+vy15G8SacwMZOs
+pOSnREYBtdZqmC64HV54chD2UQYnyBDbXZKd89//jAqCbwdadwKX9DtyLMTnZ7i5
+xhYxkMRWKEKrPkFQwbLlNGXkJzhkwYlJ+JX8M/wbHTn+sg2r1/G2uY9bjp68kpcm
+dKHqm6ue7qEFaNrnX7G2nfXuCWImWsO0OvpRaanHMVR3cChAb/kfB/NMhwAOZjCt
+UrggbMaW5zPGFl8d86iMLLrDoM1nzzb4vm4T99blDJPiq5XarDIHe+F+vuhEKZyF
+v1w83Z2L/dM5sgDdViptaxk8CHb7xSd+VvWi1DxKjyIpAgMBAAEwDQYJKoZIhvcN
+AQELBQADggEBAEXHdn0CGB7Lb3IAgbIXAbxT/ffSRS0OlE6gpI2szFH1g6REsEvl
+oghATvdlZ5qCO3YumBmv05fAV5kw6GC3cdl9EW7BM1eHQXihxnOrJKz0etCZHabY
+zW8LtDywLa0oMgBO6ob4WofiJ/Axh6rCksOvC7OuquNVj7mYjmQnz/OvQJpq90LJ
+EyQ5WAY4Qx8g12feJwsNj20Vv/c30X6sFA9PcRinyMmDZzMoRuYmu596O8FCTIoF
+kdXiBCRGMtgySSZS+RNWICtat3JmnNau9Ku//4WFJ4i/SlJ+uMwaBqsIPrz6dPbo
+7twC0LkAtMeAfrp07hn4aoBWXBFeUlsLNfo=
 -----END CERTIFICATE-----
diff --git a/t/cert/ca-client-server/client.crt b/t/cert/ca-client-server/client.crt
index 03bf44f25..2bd437134 100644
--- a/t/cert/ca-client-server/client.crt
+++ b/t/cert/ca-client-server/client.crt
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
 MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw
-NTA1MTgwMzQwWhgPMjEwMTA0MDUxODAzNDBaMGMxCzAJBgNVBAYTAlVTMRMwEQYD
+NTI3MjE0NjA4WhgPMjEwMTA0MjcyMTQ2MDhaMGMxCzAJBgNVBAYTAlVTMRMwEQYD
 VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK
 DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDUgSzFaqPWaU8jlHJEZH5UJYCy5Y34ImUwSb3Hf0xw
-Xn4phlWAvtvA7QcDjiMlMaDJRGwfLpQkg/7SwGFwahHBt4LZ1nJ9pwAndFpK32NY
-5QexMKBSAs5C2w6vV6EcKaNE0rhDuxEeXhVqWzZtPV3GjrA6xZSqUcgzESvYDw6c
-NySls3XXEYiOh+3ejms/8MSRQuHxkDyXraSIrlsg+WPWDYK1Cq2zigLTalkYl6VJ
-08RChhVqD5wDgZuTQaO9IJnx0kflormQK7cwOFYD6y/5OVpvtEilrMY+YQMgTOqs
-W3y+cSPCuC7nI1HstZK8g9h0PakUItn43EwimHxexWdbAgMBAAEwDQYJKoZIhvcN
-AQELBQADggEBAITcoW3CYirApxuHKoBee12/exxJWrL5jp5d4vbL6p7+EaP13Egk
-OVkFOtGUCHeIf8Qu/q/AvQq+pec1V5hNuo+b9ISHya9hslWhEmzXCro6ABB41emG
-quI4zxp0RmF7knNOQDmsgKq+PhQzN8/YVRKIdGeEDIFSZgOCocx3nQZhSyWkCL5Z
-Jj1FgU5kSMtS6wqMHHmQ/RFzIEV6qBaA0Xb+Cq42UoiI9dd8GfywMqsaDdGeXPGZ
-YdbnmGAPY6qBNesrmPNboCHF0TD8SxKRIJP/WX8Co0WorxDmri78lKHC4hjRVBJX
-V4J1aGfQRZzpLDfXtSRVzddYcgoKTi8MZeQ=
+AQUAA4IBDwAwggEKAoIBAQCyeiP+hYpqsoFsD6vQ5UT4CZOIg+vy15G8SacwMZOs
+pOSnREYBtdZqmC64HV54chD2UQYnyBDbXZKd89//jAqCbwdadwKX9DtyLMTnZ7i5
+xhYxkMRWKEKrPkFQwbLlNGXkJzhkwYlJ+JX8M/wbHTn+sg2r1/G2uY9bjp68kpcm
+dKHqm6ue7qEFaNrnX7G2nfXuCWImWsO0OvpRaanHMVR3cChAb/kfB/NMhwAOZjCt
+UrggbMaW5zPGFl8d86iMLLrDoM1nzzb4vm4T99blDJPiq5XarDIHe+F+vuhEKZyF
+v1w83Z2L/dM5sgDdViptaxk8CHb7xSd+VvWi1DxKjyIpAgMBAAEwDQYJKoZIhvcN
+AQELBQADggEBAEXHdn0CGB7Lb3IAgbIXAbxT/ffSRS0OlE6gpI2szFH1g6REsEvl
+oghATvdlZ5qCO3YumBmv05fAV5kw6GC3cdl9EW7BM1eHQXihxnOrJKz0etCZHabY
+zW8LtDywLa0oMgBO6ob4WofiJ/Axh6rCksOvC7OuquNVj7mYjmQnz/OvQJpq90LJ
+EyQ5WAY4Qx8g12feJwsNj20Vv/c30X6sFA9PcRinyMmDZzMoRuYmu596O8FCTIoF
+kdXiBCRGMtgySSZS+RNWICtat3JmnNau9Ku//4WFJ4i/SlJ+uMwaBqsIPrz6dPbo
+7twC0LkAtMeAfrp07hn4aoBWXBFeUlsLNfo=
 -----END CERTIFICATE-----
diff --git a/t/cert/ca-client-server/client.csr b/t/cert/ca-client-server/client.csr
index 1f72dfe23..07c10f146 100644
--- a/t/cert/ca-client-server/client.csr
+++ b/t/cert/ca-client-server/client.csr
@@ -2,16 +2,16 @@
 MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
 FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFjAUBgNVBAoMDU9wZW5SZXN0eSBJbmMx
 DzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-ANSBLMVqo9ZpTyOUckRkflQlgLLljfgiZTBJvcd/THBefimGVYC+28DtBwOOIyUx
-oMlEbB8ulCSD/tLAYXBqEcG3gtnWcn2nACd0WkrfY1jlB7EwoFICzkLbDq9XoRwp
-o0TSuEO7ER5eFWpbNm09XcaOsDrFlKpRyDMRK9gPDpw3JKWzddcRiI6H7d6Oaz/w
-xJFC4fGQPJetpIiuWyD5Y9YNgrUKrbOKAtNqWRiXpUnTxEKGFWoPnAOBm5NBo70g
-mfHSR+WiuZArtzA4VgPrL/k5Wm+0SKWsxj5hAyBM6qxbfL5xI8K4LucjUey1kryD
-2HQ9qRQi2fjcTCKYfF7FZ1sCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCgDYMm
-N5NqRH/HeQOC9C+NZBeproXo77iqjC08X1TWTsOLyah/jCiWGj8QTu/sc0FFw04M
-PNR8sFbbA9PBJz8ohev/GziDeeZ96k7PgJSKo/zpHKA/DXnGxZ+iYLfVpxzdM+GK
-VNa+fkfU4xt2NYPMG0V5YyzPCo2lhB+5su/3gNQRp0sn6bqST8R3o22m3zlUd+oS
-uHcvKxJPqvxsc8DIUB7PYbWHUsSnS8b5NxA0DTwHa+1J19T5HfssWyGCz9XoTHme
-ZaeWO1toSj2pFCaC1Cqa0ZR3kzMJABBzp04ZV4UJa5eFrgdp8M3ShZarzWCx//Cd
-czWYk6k1CoVqYPfm
+ALJ6I/6FimqygWwPq9DlRPgJk4iD6/LXkbxJpzAxk6yk5KdERgG11mqYLrgdXnhy
+EPZRBifIENtdkp3z3/+MCoJvB1p3Apf0O3IsxOdnuLnGFjGQxFYoQqs+QVDBsuU0
+ZeQnOGTBiUn4lfwz/BsdOf6yDavX8ba5j1uOnrySlyZ0oeqbq57uoQVo2udfsbad
+9e4JYiZaw7Q6+lFpqccxVHdwKEBv+R8H80yHAA5mMK1SuCBsxpbnM8YWXx3zqIws
+usOgzWfPNvi+bhP31uUMk+KrldqsMgd74X6+6EQpnIW/XDzdnYv90zmyAN1WKm1r
+GTwIdvvFJ35W9aLUPEqPIikCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAzXOCe
+MYTJrWkTi7OLAOq4RfLrz0EC+k/PS3VwifJi2j3SDD5b+oL3+8ZCr7RK0UvYSJ8H
+zMAzc8Cig/8wZRJSRYs3gXYaDjVeAVDti0/mg0BJVhMvksAoswhcquitXdchvw6B
+mYIMMTgQkInZUN39oLZiXBqj2urlW+8UHV0w3rWAlS7o2AILu+vcvFtcy+E//2F+
+0RDghpRGF3djAtl29MDpoPzrEroo1oV38/sRfD+TbS4YoMcXPBC2TKchaTQNxlO3
++6vnjDYLXgQM0dVs5j1EaDVNz7ZUP7SFapV/2Hd5KZL6ZMAZ+e+xR7b6pFF416Si
+bDMMjfWOv7hKkafa
 -----END CERTIFICATE REQUEST-----
diff --git a/t/cert/ca-client-server/client.key b/t/cert/ca-client-server/client.key
index 742541982..f06b48708 100644
--- a/t/cert/ca-client-server/client.key
+++ b/t/cert/ca-client-server/client.key
@@ -1,30 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,07ACB60032712D30 +DEK-Info: DES-EDE3-CBC,473429D543CEAD77 -yTzuQ8qXHtMF6BEN3ABI3E3BBahIdd4iM7ziPXhtKlG3mtKvfPgpKxhZE0d6cZ6h -neaoCIAzsbtDGFQjc9omHCdtlrdJpvT7wpDq7Vz+VOLXK1aVTQgJuojb/2dpMwbi -Ibe2qHlCpPP6rUDkI+KT9k+WLlOBSf0OAnyjoK1G2b/cK6pVr/a5yWVObRj7UU0W -Nqk7XkHyghyneNYtWXilGmD+7u5kDq//qkxVR7mqGwqvm0vIIsMYJ8idiFGy02s9 -PA7iTu/THDmKkIuGCgewgBhuHCbO+PbXA3Cc8Xw2yNElHnjzVyTboL9I7QHf4CSD -KXp3seGQQjgf/1YfeJmRgVZF9MIcqZBt0vdgWnfbDRKDkyiB3SQYNr528lG6XCL1 -Z1n133ueJyZ0t80I+7g4IBSdPmYj2YlA0IldkIRqLpOInUkRTaajzOULJbuqBra5 -hmW2nSxzG2ZqH1hndpqnr/Wgk+UqcsUP4kB3gU6oCkODderQW95sSvFC0tkwYnTN -Av5em0urVlVAFFg0eVTJhL66XS7rysIDYRN8T/+iAjTuLzYqa4jpiaXG0xgIbdQZ -EFnEGc6sh3CrR2qO6TIVKuvflEEggC+UVtFa1RiW0KJgWrC4wSUVQ2MrRW0Jfwdo -DvccEFOZF0a8waqkTmZggADcBaQ6awgBYjE9cpPLq7/rWMVLFnhkdbStyKhHv8vx -jibju08pcZbrWtSo2CIe/Omftmw3MWFhIc6c0fBtclJCQ+8UkcPQF38IbUtKsfPj -4ZrcClPaF2NjN9g6Q/+Fv0hKvGzkXIY15s9pZMPLoco2Lh8AqDTzU4dMQPNHxRsT -pKowLPr6ZGHnQSotU8IoZgxmfDYx30bYj2+boSi37tpxmYa9Bt80jPZ8GRJnl649 -HsxIBzKMYZCa6C5KYnh7ULfRL92Dr9iN8W5mpIGD49jZ8rw0TflHVbxYV+Cl1wo/ -z+DLxC8cvp4fLbPCgNQ3rzKOTczqLg3s0x872E/3ec+rItzYoS2Xf03P3WIDdy2K -nMek99QXL8q8cCtheotucyuWKg95JCKAPZ8yAOR1AC6Kg58oyj7MPcVHhj/80xvp -NMV2h+lv3rv5DDqRw5AxBRe0f15R7yn1+r5yEVuabL3QspizdCebZf2Bd9IWbWUj -vtJHAnRzbGz3N9dqlGv3yIz5PNPn5UKQWnC1ycpghOzi7OolXvEgEvn1RunAgdMD -M0eI8jTWKJs/BPdmJ5QsDphqAmgjEb1LdBU8PY8FKbeYB7SBm9/WZ9TbjQjV0PY6 -C2OHy7RpxEYQE4310TEyineLvzuyJ1sR+WzCApLxhE5fUynOIHql7nWwvnJ2K67/ -QMof1etAk7op6rnoGYbDd3VaZXo35V3UvEAU/DNndlBa+HT4Shu7hOl6N4a0qNMO -xfYRD2If9GexszC+SFEEB6uNLtCy884teSjwERohfLl/+cZVBenqLGnQGPEdpMmT -4TFYbxdoehnKmhrNl6rEIjgWN6GxyLVKoZ8HYhFTxnhCISC6bDSrqmGY84joAktE -3d2oj145CpZbEl/R/oNggboyRFX4wb/MRkS0LazT4hHPkw3+ynYKsf4tvzVTCJWU +EmFlzvrxaD0EyCASkIGiW6/hhLB1/yZr+O61dBPQ8rkbluXXlwCfxWDgNpelGpVq +fdACt0CdwkAiGoBfu889X1wd+rn9y028mgoXNgF7/NRbP4UL4+/bZ5YX4RwXtts8 
+mwRIyV2Fq90g+AoL/7DfixJn+VcAq8AbFjE2fkS/TysaHAoafS/hn6Wv+2EhfGgS +VnezTgZFOYflRxVxCooiL8Kc/EonJIPar5iRRPADZa1p3HOOqTEIKyxg8eH7M/sV +mrfC8myoKYGqckOUrZaVtDh3zbDkn1RUZ2eoZTX8fiTUHq1CZy4KAf4DeNKJH14C +rmpRbachRBm1KjpmPGk9OqFk7YMQJSU1GbKgOcFpdhCmZ9yyQgQtVtla5SF0aT2s +yr0Vg5bRRT9wGmKRjbhTt3r6g5BLVYEjOANEtcdNsbvOWuI26ZzBrmimjBGwVULV +rcaYX7NEHroNQ3XF8XRhR7zja0bjgBXFOod9tNZv0HxN9rMB+wX7ychOzoA9E0hN +O/Orcg/2I6yLpSck/pZn6E8m3k2Uvw5VEcdnfYTDEkbFeSbZBwtqwKaCJiGz7Z/x +a+UWQJys4n+sLKpx1m9gIho6b6MVIXvLgCayEVUF5I6jdCTNvxpZesEgc7UFy9DZ +majP7T4KZj2rH4OEv1eQ7OAFfMKVycaJSzoFa1Fs7XgQY9lDUvo/ua3sXoMyIWhh +FXMtCzkkqjRJ+myX9hfU1W2qgkjQ57CnrTbyoIE699dCNEYlW88jtV2hQxZud9M5 +m4mj1fdFZlDPgFo20b5MFv4j7nUnpv7nC2xzp+nCQe179UqwIIKbI/2YgzRaCN7Z +nWSDLIFOGHqTTWN5L1lrO5ZvhT+hgu+BGJErfACGdtX8Gpxg68MgETAoCcw6qpBy +8tERCylsEiOkXB1PIoe7TEbwZnSQ0LUGwH9XYxGeX/8Cgt+DPdg43MkF8uMOl4cg +Th9NXjv1p54Dz1998NQmbMercg/BKVA4+QLoQC/ZfOSeYsphklGt73gCDlYAz3Qr +8istSa6BkK/d0i/Zbt4l2CPbvOoIo2b7wPsGawIqa6xN3T188OlfCBQRP2V5doYM +YhNS8DtfaRxrBaDCiPVRwp4LpTcg3yG9zX1/lhwYWGcUAHXdn6oDQJQfUqUSRT4D +3uDdWkldjaM6dkoywuP0tOP8RQTxYUqLzFNs2k64lYFj8+2FkKBcxbr1Ltu1NnUj +pV8w9atgTXY3pQA2llSbhcQ3naygPD7/gAndDXQqakhZjWNaHb+t9afPg25Yp/h1 +f0Mbv9+80FzApVypcBc+g4uei9YZz36JjWATlAW1+74+3/WeKxKqR28JzsPSrICD +OYq3jNQccvHiThB79aUym857+XYkp+YrAgOPyuyf8W1KsaQMtkDwT/drEOBQ/uFm +rZMBfZusyY1iOcOUSstNAnsZPRZsOaY9mHsF/ZLWhvY01kNivO2g7xcQhz3ONO9f +h0M8kv69+9byn85bGTCtOkNuPks0Ju6HYoBEf6NsAvnN6YuVvNfouoC52cgDE1c5 +f9TTY5BI80tfXS8e/lED9f6Su85it8WSWwfM7Ia9CFrvaEWk6zpMBgrYtN8ehMgJ -----END RSA PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.p12 b/t/cert/ca-client-server/client.p12 index 63f7b99c6bc3099e69186bc71b0ac7a9bd050dd5..74ce2cd0a34128c63552cf2f27bfa0b7fbf2db97 100644 GIT binary patch delta 2214 zcmV;X2wC^760H)DU4OhNKrb~S0SE#D2mpYB14y1Gy|WxiZC#ZT*KR*QkK^*Nm~|A3 z_P2CAK|3T|OwCJqGoa`9jK@x{@GKVb(Vp234^+dNXB!MZkJm80#_3^efqQpdYdIX4 zWbn<_vsgg`S8-+kJCj8xnytz85lxYzoks#zyKre+)9{MK(|_^CD&O}ykSS6hU`CO& zHbYLZS{IUOai>5#w6abvv_aZ$=0oX@d&kv58VKj8go8~$@LpBo@La0*gGm_YXRz_H zpSlQ<%})soi_+CMqZtr){37qr_d-6OP$d^mB`R&#S8OjE=8Ido%iz+a5YAeKJI$;I zzLr)?uRq~3k$?Yd*%Dh;#(bzB@X!;y5M(wj86+V481!t6qpr~#nNX>q(KM;xT?8fQS?&@CME9Ni6APxO->O^(f`8@LESeq-Cz>(yW-muGr3r&c zQ)H7+thp&=SeK#^h&MKP8`mJTF~029O-rTnCJ1dLnj7vv#b!L{LNGRMmW$9QTiQ70 zxk$i?3?WpW){bK#q0Zu~?-Tkz@F{nD6iRCS|Ll2t1+~-aFDFvope^le``ANGWCu(I}i5dnJAg4o+o=&i!+{z|#91~R{F#P+5c&bQ@2>3-iIGE>J}cr;PUA8P;@(?|;6XYhpCBJ57h}$sI-tCVc-jq>(yT z!KgbUr}+FyA{zBnlugm>%A+>0ShDUy?wy_50fW16FtOzz{lMZMLBO4<6+N-r>yZ&V z9`xg(g1I6iP3fKfFJ0uJ@CRd75u|9G1Zgd6d>49=CL^GFKJ=~%(oo08ubZ_X+We2| z_Fi!xWD0`X@5%=&>HDtp7#dZWqNJgs6BBQq-n5voN?k>H;c)nr-jv$-ae16G%r=XG zk&P=qulUJx?WC*z3bZ7qxdOTuj!L%Scz%_YJ-`$2V*W_&6S((MpHHChleGgzf1Y&| zJWfWSDgpus00e>r$OQuXHj3=sRn@i@FUV34+3Qy--xT6QkK?l>F!IVI6T%dUglSvO zScoR+)a#LW#&grI|H*3B$21q@0MvMRlF8ZAEYCy^)A>%9;{7EXzNU&c_0;z@w}k~A zlC`C+5J??DM#nb!b|lpDV^$Ple<8hg5=5UUnhwp$Zzx`9a8yQ0Qj_8i1v0zv6u+=x znA-p_k?C9L_UDWw+R_n+9*kCG+heaa{!dA*H%Xq$*weX=SR+8mwU}DP583Dn>iGyx z$#lz{JOAH$T*gzae5oe>dHPMZR6m=!&C_!+*0LuhUH4bWg;&ts& zz@=8Lz`fm#L4LAj1PU%#jqG+2mIOuf9se-X4N*P!r0!(5_Cf38S!Sl>sgx*`f7VD7QnE_G=*cI=V8 zo=7n8PT!YfI|V1B{)i`<3?qxq4&i9WdLvjx#nUd1Yf{i~HA>m=9Io4w}M~iLah20t|dX(26H_n0EYF3mNF~8I$_Vq&pBSdQ> zemc54cpbCdrIx<4W1C_7L3Q6z1UsSu(L)*n)41m0w{OPa*O(rW0$S@m>Y!3*U*8C= zdl+6}*$metEZtQNe;l>K6k{HUy0{|n##Z5;a!y?cKAOra$cb6%E{d7&$0VuAZ7sW0a!QRL@8jX;_+I9p9-Ic*BwE%ybqaenbkx{Um2$$$b6`rB$AofBMJJ`~7HsfTu)df?sNo zWTpza^Zy%9seUGT0}-RINq&G*GTK%4G3v<4FJ14Z{wk*GKuVs5g1E=OdyE)@(s(dQ z0$7_VUI!YxZZQ6MVm^478T@RpaS_t-B$WAzzI(|K#btqWZq`r{(K2L#X{nOy=G(%u 
zgaBWdR6Imoe^iY=f;_-Ske`KtkUR(tiRSHal`qOD9IBbaY}BAoxr(xal={&JLRbGHN64{K}Ql1R#gL#Thid7kNk1;?%@8c zTXV248(Ue&@RhAigemyOybaY%Rd=EQ&NJ-nD)JBo>r$QdFzS}n|ANi#UUd_79QnmS zask!-e>u`+jPTXD_HQU_PF1ts1K91vIna6i{7EfVZ1aOgojZmh#yEEZ1TSuvS8je9 zUKrUPF=IPG2`AMZjZvH$F*7>5V2QxC^rG_dDRppU+Zm%zJ4Sq9OJkZ4*|%iXd{r?e zFe3&DDuzgg_YDCF6)_eB6eTN&7Q9M`!hE-BWT8f|6rMKM zTU&41i^$^;`Tn2?oZN<{I*Vnyjwo7V48cTv9V<|O+^?%y76<(f(SKZY-Q}ghbwCNc zP06k>ymH2|z~}<`zW@a8hy{)@$c#``dP+k1H6Y?Ig@5|n?;EK$oBDJWU|j{G-09Mv z>D$l|PHZPt2<&PIFZc1GI*shP$AO+;Ive!^XyvHJZ{p=p1ia91oSI?2#Q1goKbDn+ zzTDyJK)QwcJV58|?YtdpP`lp46K9YS*Fi;5HQ(}VmbAf+0@=Vzd3xsWxL;KU+8Ut? ze9cfU@qeWSZ8BNACF#0(RQmRmNkEQH3GK*mZ0K0g_o*_QnMY_BZ=&x*DT>E!3j*T=sw^w}BEd;ImLyLJCh zh#+B5=BmFq%m?}ye!!!?`77`fCk$>og98JIY!!6kcnx*=-H=3@12^8Me*vMU&c=>D z!CnC*eR_xO8GflUYb7)qPCnNu_Q_INhDXCXJ9o~rEetJ^r+0)IR}~yAOC)11LmQ^` z-61?ebvu@AoMM9r0mP-$6ehc#06qUJf1Qbh7U`qleGgze|=Kt z!vHxjl>!0?00e>r$WHp;8iWf7*6CNoEAxpT<)y=A{EzzH{KhY}&X-vD+`#$XFBKpS z@*x(ng>xA}!?@<9xJC>(R*@Qcw|bo=5inoDOAVeZsZp%BOC+B`E0cPhC~Kio8fer< z6M*!Otj#moj3u(HON@A zi6IjEg{D8Mh3v?iqps=J>z_{$8uc)I54U=G?#cR6lQaZg?StKG2 zJB8XFhN(eGN)qnzIR-H+b@lT-?tz#mKu(JF5-DGNUwqs`Mt56nkmq7PYMZJ)HtqGJtDxm53IUMRr);vvKl}6-mAqHW{!#y zaL?m@5;pwhxqh>Jf4Ekp-q?lxF9jjh`YVW;6quYNelZ!EF^8%|D0?K&GY1QgX<(p| zRr7-}aJr)|kz*A0W&w1kBP%uWrMFxOCv)}C!&=<)Rys;INdG5m$7{9kpANjoN`Au_ z0cv0pf0Bh*Q5del7LK#nnks;SzvDMho(mu6_Z5~orWW5@Y<`exC$ooojBoPdLK`Dv z`D!^qOu~Te8)~sYA1!+^zYEeNZFMs`(PJ8^^sJ_?YSB1r5#>iBTVn>eDeL zFe3&DDuzgg_YDCF6)_eB6!LaaWQxqozG=8IJYdOgK_|HCLO?JvFd;Ar1_dh)0|FWa o00b05u$a&TKZAr;q+sM+ft!^nF*6+m2(vIu)Noe!@&W<~02-`FCjbBd 
diff --git a/t/cert/ca-client-server/client.pfx b/t/cert/ca-client-server/client.pfx index 1d3b164749e162132c09db195443db7cb4ed4187..586fc3551daa11489b2aa2b74b71b1eaf2233772 100644 GIT binary patch delta 2214 zcmV;X2wC^760H)DU4N9M&tqONt4;y}2mpYB14!{($R<6VY?rQa%hj0i?d#Tq=}K{n ze@U1ni9w`#;^aS6F*Quw4Auqw&o_4qhw*?06?Eqy!{Sz(`<_g9tB~}Wo(huHX3w~~ zITa3t@{!xOABc0{Q8;;x|6)!|b7TJBAnykqCplq;Pmi{lE`NpxMQ#HhZ>48q*_Ldr z!bFbL3bxT?SfC=~`oal0J0@kvGHFf;ck}%$RM&zzOYck$hS6LFkiK$oVNK;o08x<54rk9_QGl*S0OAJz3L4XB&vYt?0|3mj4JSqV(al2gG)84%qFmQRtoiV z$O>irs$K@NiGOGDB~F_mRI3V!&J3evj42Ln>%d5ZN(D-ZI0PuJe39{5Y5?xQ3!U8XmsC4ViJZRE??{zO;!y@vW!8f4T7 zJ0I=O8uI~GTIkKEg0r__iFt;F0``QTH7zl?*p>fwrIsNn+e@{fN6@9wopOAq2s{Bd~f61{4V1$seMyx043z!zf_TzGJi&Ovj#pnHL6u7SB2fN^pa?9o2E|X=JqI zZ*u);<&&h8;X`zuv$}Ch7;qwg0_~g;4<0oBW>;T;I~(hKFm^vMg+ysd=hU_4`9n&L z%w7`6#h-Qyyef*Ymi#bX^&Jame`sXK)gx+x1MNvjW+yDT;|~m6yZKYKFF0L2U4e>U zdBDr)rfwe*1%b94)G1l9r1e^*k9IFRmJd|_SdVXK+dzJ0PG~G`ApBFqleGgzf89TI zcuFeD&H@4m00e>r$fsZmU)biwm0Ae&Wd~baM$&&v)@>Nmzk<4y(R^X}dDF%ofj_`R zn2v_Aq$Aa+^jT#BHfI(> zRaBg)N#?BA&4nHJctM|T1cQ<-nAYO^u6=*#Akg*2qDcQkQo$%Iqqu1+5U6BGH<>OCgyp9Gue z?euG{F~NA8(wvLpe{NBQeGr;!)w5y9dPw&S!~d~q!m=5IOu9MB{kF76TVf3t#%Ves z&v7uBn96J_X+GS;qNrD4%NlTwV|O|K9|L^}XdV=ql#w(snpIs@2okb ze77Lt1$SQXgO`45jj!nCyJ*P~I2AP77qCc2aTUv{F1&bEf9vM!u@rVnyvKao!#61N zre9AC4Mh+lY25!Glt%=JWW2~;0nlpxIkT+fF6PDprD|pCb?|J+SukF8=c-yJ5?_eJzX>-=$$4KukcE9{#+j7QKypB~~!3ymo3qFr@12 z)CLXXlbhnYj&|v~F&x#Y9OUc*9x(E^4*?f$)PrTK=Kkx4fiMBqz%3=Hwjv&Is<4@3Ko-C1t=~~zhiWdJJ8`}P?=16 z!)-C8&&|Ype7)1K7LhTAMW;dxiR$}iZlFusR7(hE3aLGTJEQ$KL=}E>*KFIJ1$Np^ zJ5-X(0>Q^{XY=^voDVb>ajasW90>k!Q0+E>1b_ZY$^wmR$ZW`a=({Rr>7R81b>O!Q z1XetAN=+N1CeBiJK}h`Wc+E^NWn$hR13WQ|n0P-kMyM-%{jk=GGpYTVGU_-+A)3S< zJ4(4Iu#0V`)rC~e`Y)NCm$gknP&P1El}1ol^0>My+>CYKiSN`B3^&DU1T))ww z>0Ue*QOXsg)STn4+M<6Wf-$~c>|B(mw>5HE1oe?S4)-b#{XL(o=y!}2C~5di*8?Qq znViGGqMly+r$U>CG#3O|ml_#?3QwROY%)m>nW0vXgpy)@O$F=J12rwBHYRLp&ts*K5 zn}Hi8j_5EF##bN2El3M8o~9jWe?-#w!$X0j3UsPEUlg(-T{Y7fpk6g49@v4Yc6P(v 
zRu`bhpEVYVI1aSQhHaJ33TVCzyA&O`!7SXh@Ct*JUm7#9Q(3Try zsc+4@&YabR!oc!kvQj9x^)m9v2!Wq#mc9pp+Q5~=ka69}@quwi>b$OSf1?qS9iFU* z5~M_bx%KZG`SNM4qPb@o1;6zxJ_Xu7*eRc!{ZxLf)5Y`5qPh6ze)YInn=S)#tU-BuW_Od&Eov>3)wzEmCZeKYj>j%iihbqdraQ??Jc zx$a5L+Ar(`P0I4X7D!GybTOu#P9^IthLsr;U#Tr4i+vc7&l}I{e>of5kG*6*K;^dS zV#86i7oV6RW6C{dJc405|1;GlQOJI^D`u55K87muw7YW&#Yt&VS=?TC;w;uV zFBhwcZdanCd->jde~8ipn_QOpqt9lS{qog_vX2N-=Ct0xH5r;(UUMK^ z3cVlWIaiN(BQh?oXxVKf>a6HS7YL`*&qDj1BGtj+t@YPm99FHx?F6juE(6|6j4u$p ziX%7sVX_j<1$_KjTeS_27haH6J#^`_FNzf&edce#iL2-9e=wEEe8t~d$e>-8-Fu5R zbx$=jAjZtS{Wr&gkS0T;Gf*+Cld}legQ*xP9ZB{LX7~A8Dg7|O+Q9KJ=%z_6>!9>E z(8@G(XR`ov?1erYhO?}ugq%H0xv3Vv4kG@r%ve5`i-vw)w6e@)c7 zvD$*q21wPV1U)V^(xVzf2q`B%BBhc(i9L6C^Y1f%dF#!RF; zL+dGgytz2@g#Pp~0Xgj1H_yu;5E@X8g=sGQ?Dowfe{W_nMP|aB#>6(-Xl2nu1~fyJ z-$m|Jk9Yh&%{8O5s#?K2S(iP repeat_each() * (blocks() + 6); +plan tests => repeat_each() * (blocks() + 14); our $CWD = cwd(); $ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;"; $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); +$ENV{TEST_NGINX_RESOLVER} ||= '8.8.8.8'; our $TEST_NGINX_LUA_PACKAGE_PATH = $ENV{TEST_NGINX_LUA_PACKAGE_PATH}; our $TEST_NGINX_HTML_DIR = $ENV{TEST_NGINX_HTML_DIR}; log_level 'debug'; -no_long_string(); - sub read_file { my $infile = shift; open my $in, $infile @@ -27,6 +26,9 @@ sub read_file { $cert; } +our $TestCertificate = read_file("t/cert/test.crt"); +our $TestCertificateKey = read_file("t/cert/test.key"); +our $TestCRL = read_file("t/cert/test.crl"); our $clientKey = read_file("t/cert/ca-client-server/client.key"); our $clientUnsecureKey = read_file("t/cert/ca-client-server/client.unsecure.key"); our $clientCrt = read_file("t/cert/ca-client-server/client.crt"); @@ -50,7 +52,7 @@ init_by_lua_block { end local lrucache = require "resty.lrucache" - local c, err = lrucache.new(1) + local c, err = lrucache.new(10) if not c then return error("failed to create the cache: " .. (err or "unknown")) end 
@@ -65,10 +67,22 @@ init_by_lua_block { c:set("sslctx", ssl_ctx) + local system_cert = read_file("/etc/pki/tls/cert.pem") + local cert_store, err = ssl.create_x509_store(system_cert) + if cert_store == nil then + return ngx.say(err) + end + + c:set("cert_store", cert_store) + function lrucache_getsslctx() return c:get("sslctx") end + function lrucache_getcertstore() + return c:get("cert_store") + end + function get_response_body(response) for k, v in ipairs(response) do if #v == 0 then @@ -79,8 +93,10 @@ init_by_lua_block { return nil, "CRLF not found" end - function https_get(host, port, path, ssl_ctx) + function https_get(host, port, domain, path, ssl_ctx, verify) local sock = ngx.socket.tcp() + domain = domain or "server" + verify = verify or false local ok, err = sock:connect(host, port) if not ok then @@ -92,12 +108,12 @@ init_by_lua_block { return nil, err end - local sess, err = sock:sslhandshake() + local sess, err = sock:sslhandshake(nil, domain, verify) if not sess then return nil, err end - local req = "GET " .. path .. " HTTP/1.0\\r\\nHost: server\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET " .. path .. " HTTP/1.0\\r\\nHost: " .. domain .. "\\r\\nConnection: close\\r\\n\\r\\n" local bytes, err = sock:send(req) if not bytes then return nil, err @@ -121,6 +137,7 @@ init_by_lua_block { return response end } + server { listen 1983 ssl; server_name server; @@ -154,6 +171,12 @@ server { ngx.say(ngx.md5(ngx.var.ssl_client_raw_cert)) } } + + location /cipher { + content_by_lua_block { + ngx.say(ngx.var.ssl_cipher) + } + } } _EOS_ our $user_files = <<_EOS_; 
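Review bot: The cert-store failure path added to `init_by_lua_block` (hunk `@@ -65,10 +67,22 @@`) reports the error with `return ngx.say(err)`, but the output API is not available in the init phase, so as far as I know this call itself raises an "API disabled" error and hides the real reason `ssl.create_x509_store` failed. The cache setup earlier in the same block already aborts with `error(...)`, and this branch should match it: `return error("failed to create the cert store: " .. (err or "unknown"))`. The block starts and ends outside this hunk.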
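Review bot: The new `verify` parameter of `https_get` (hunk `@@ -79,8 +93,10 @@`) stays off unless a caller passes `true`, and nothing at the definition says so, which makes it easy to write a test that looks like it checks trust but never verifies the peer. A comment above the two defaults would make the contract visible, e.g. `-- verify defaults to false: the server certificate is only checked when the caller passes true`. The `verify = verify or false` line only turns nil into false; the rest of `https_get` continues in the following hunks.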
@@ -182,10 +205,18 @@ _EOS_ add_block_preprocessor(sub { my $block = shift; - $block->set_value("http_config", $http_config); - $block->set_value("user_files", $user_files); + if (!defined $block->http_config) { + $block->set_value("http_config", $http_config); + } + + if (!defined $block->user_files) { + $block->set_value("user_files", $user_files); + } }); + +no_shuffle(); +no_long_string(); run_tests(); __DATA__ @@ -226,7 +257,7 @@ no options found return err end - local response, err = https_get('127.0.0.1', 1983, '/protocol', ssl_ctx) + local response, err = https_get('127.0.0.1', 1983, 'server', '/protocol', ssl_ctx) if not response then return err @@ -303,7 +334,7 @@ error:0B080074:x509 certificate routines:X509_check_private_key:key values misma ngx.say("failed to init ssl ctx: ", err) return end - local response = https_get("127.0.0.1", 1983, "/cert", ssl_ctx) + local response = https_get("127.0.0.1", 1983, "server", "/cert", ssl_ctx) ngx.say(get_response_body(response)) } } @@ -320,7 +351,7 @@ GET /t location /t { content_by_lua_block { local ssl_ctx = lrucache_getsslctx() - local response = https_get("127.0.0.1", 1983, "/cert", ssl_ctx) + local response = https_get("127.0.0.1", 1983, "server", "/cert", ssl_ctx) ngx.say(get_response_body(response)) } } 
@@ -329,3 +360,436 @@ GET /t --- response_body eval "$::clientCrtMd5 " + + + +=== TEST 6: ssl ctx - set error ciphers +--- config + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local ssl_ctx, err = ssl.create_ctx{ + priv_key = priv_key, + cert = cert, + ciphers = "ECDHE-RSA-AES256-SHA-openresty", + } + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + local response = https_get("127.0.0.1", 1983, "server", "/ciphers", ssl_ctx) + ngx.say(get_response_body(response)) + } + } +--- request +GET /t +--- response_body +failed to init ssl ctx: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match + + + +=== TEST 7: ssl ctx - set right ciphers +--- config + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local ssl_ctx, err = ssl.create_ctx{ + priv_key = priv_key, + cert = cert, + ciphers = "ECDHE-RSA-AES256-SHA", + } + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + local response = https_get("127.0.0.1", 1983, "server", "/cipher", ssl_ctx) + ngx.say(get_response_body(response)) + } + } +--- request +GET /t +--- response_body +ECDHE-RSA-AES256-SHA + + + +=== TEST 8: ssl ctx - set ca cert +--- config + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local ca = read_file("$TEST_NGINX_HTML_DIR/ca.crt") + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local ssl_ctx, err = ssl.create_ctx{ + priv_key = priv_key, + cert = cert, + ca = ca 
+ } + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + local response = https_get("127.0.0.1", 1983, "server", "/", ssl_ctx) + ngx.say(get_response_body(response)) + + local no_ca_ssl_ctx, err = ssl.create_ctx{ + priv_key = priv_key, + cert = cert, + } + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + local response, err = https_get("127.0.0.1", 1983, "server", "/", no_ca_ssl_ctx, true) + ngx.say(err) + } + } +--- request +GET /t +--- response_body +foo +20: unable to get local issuer certificate + + + +=== TEST 9: ssl ctx - set crl +--- http_config + lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;../lua-resty-lrucache/lib/?.lua;"; + server { + listen 1985 ssl; + server_name test.com; + ssl_certificate ../html/test.crt; + ssl_certificate_key ../html/test.key; + + location / { + content_by_lua_block {ngx.say("hello")} + } + } +--- config + location /t { + content_by_lua_block { + require "resty.core" + function read_file(file) + local f = io.open(file, "rb") + local content = f:read("*all") + f:close() + return content + end + + local ssl = require "ngx.ssl" + local crl = read_file("$TEST_NGINX_HTML_DIR/test.crl"); + local server_cert = read_file("$TEST_NGINX_HTML_DIR/test.crt"); + + local ssl_ctx, err = ssl.create_ctx{ + crl = crl, + ca = server_cert, + } + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + + local sock = ngx.socket.tcp() + local ok, err = sock:connect("127.0.0.1", 1985) + if not ok then + return ngx.say(err) + end + + local ok, err = sock:setsslctx(ssl_ctx) + if not ok then + return ngx.say(err) + end + + local sess, err = sock:sslhandshake(nil, "test.com", true) + return ngx.say("sslhandshake:", err) + } + } + +--- request +GET /t +--- response_body +sslhandshake:12: CRL has expired +--- user_files eval +">>> test.key +$::TestCertificateKey +>>> test.crt +$::TestCertificate +>>> test.crl +$::TestCRL" + + + +=== TEST 10: ssl ctx - set 
cert store +--- config + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local ca = read_file("$TEST_NGINX_HTML_DIR/ca.crt") + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local no_cert_store_ssl_ctx, err = ssl.create_ctx{ + priv_key = priv_key, + cert = cert, + } + + if no_cert_store_ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + local response, err = https_get("127.0.0.1", 1983, "server", "/", + no_cert_store_ssl_ctx, true) + ngx.say(err) + + local cert_store, err = ssl.create_x509_store(ca) + if cert_store == nil then + return ngx.say(err) + end + + local ssl_ctx, err = ssl.create_ctx{ + priv_key = priv_key, + cert = cert, + cert_store = cert_store + } + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + local response = https_get("127.0.0.1", 1983, "server", "/", ssl_ctx) + ngx.say(get_response_body(response)) + } + } +--- request +GET /t +--- response_body +20: unable to get local issuer certificate +foo + + + +=== TEST 11: ssl ctx - set cert store with system cert +--- config + resolver $TEST_NGINX_RESOLVER; + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local ca = read_file("/etc/pki/tls/cert.pem") + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local no_cert_store_ssl_ctx, err = ssl.create_ctx{ + priv_key = priv_key, + cert = cert, + } + + if no_cert_store_ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + + local response, err = https_get("openresty.org", 443, "openresty.org", "/", + no_cert_store_ssl_ctx, true) + + ngx.say(err) + + local cert_store, err = ssl.create_x509_store(ca) + if cert_store == nil then + return ngx.say(err) + end + + local 
ssl_ctx, err = ssl.create_ctx{ + priv_key = priv_key, + cert = cert, + cert_store = cert_store + } + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + local response, err = https_get("openresty.org", 443, "openresty.org", "/", ssl_ctx, true) + if not err then + ngx.say("success") + else + ngx.say("failed") + end + } + } +--- request +GET /t +--- response_body +20: unable to get local issuer certificate +success + + + +=== TEST 12: ssl ctx - set cert store with lrucache +--- config + resolver $TEST_NGINX_RESOLVER; + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local ca = read_file("/etc/pki/tls/cert.pem") + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local cert_store = lrucache_getcertstore() + local ssl_ctx, err = ssl.create_ctx{ + priv_key = priv_key, + cert = cert, + cert_store = cert_store + } + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + local response, err = https_get("openresty.org", 443, "openresty.org", "/", ssl_ctx, true) + if not err then + ngx.say("success") + else + ngx.say("failed") + end + } + } +--- request +GET /t +--- response_body +success + + + +=== TEST 13: ssl ctx - set cert store self-signed and system cert +--- config +--- config + resolver $TEST_NGINX_RESOLVER; + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local system_cert = read_file("/etc/pki/tls/cert.pem") + local local_cert = read_file("$TEST_NGINX_HTML_DIR/ca.crt") + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local cert_store, err = ssl.create_x509_store(local_cert, system_cert) + if cert_store == nil then + return ngx.say(err) + end + + local ssl_ctx, err = ssl.create_ctx{ + priv_key = 
priv_key, + cert = cert, + cert_store = cert_store + } + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + + local response, err = https_get("openresty.org", 443, "openresty.org", "/", ssl_ctx, true) + if not err then + ngx.say("openresty.org success") + else + ngx.say("openresty.org failed: ", err) + end + local response, err = https_get("127.0.0.1", 1983, "server", "/", ssl_ctx, true) + if not err then + ngx.say("self-signed success") + else + ngx.say("self-signed failed: ", err) + end + } + } +--- request +GET /t +--- response_body +openresty.org success +self-signed success +--- timeout: 5 + + + +=== TEST 14: ssl ctx - cert store init and free +--- config +--- config + resolver $TEST_NGINX_RESOLVER; + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local local_cert = read_file("$TEST_NGINX_HTML_DIR/ca.crt") + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local cert_store, err = ssl.create_x509_store(local_cert) + if cert_store == nil then + return ngx.say(err) + end + cert_store = nil + collectgarbage("collect") + } + } +--- request +GET /t +--- ignore_response +--- grep_error_log eval: qr/lua ssl x509 store (?:init|free): [0-9A-F]+:\d+/ +--- grep_error_log_out eval +qr/^lua ssl x509 store init: ([0-9A-F]+):1 +lua ssl x509 store free: ([0-9A-F]+):1 +$/ + + + +=== TEST 15: ssl ctx - cert store init and up reference then free +--- config + resolver $TEST_NGINX_RESOLVER; + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local local_cert = read_file("$TEST_NGINX_HTML_DIR/ca.crt") + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local cert_store, err = ssl.create_x509_store(local_cert) + if cert_store == nil then + return 
ngx.say(err) + end + + local ssl_ctx, err = ssl.create_ctx{ + priv_key = priv_key, + cert = cert, + cert_store = cert_store + } + + cert_store = nil + collectgarbage("collect") + ssl_ctx = nil + collectgarbage("collect") + } + } +--- request +GET /t +--- ignore_response +--- grep_error_log eval: qr/lua ssl (?:x509 store|ctx) (?:init|free|up reference|x509 store reference): [0-9A-F]+:\d+/ +--- grep_error_log_out eval +qr/^lua ssl x509 store init: ([0-9A-F]+):1 +lua ssl ctx init: ([0-9A-F]+):1 +lua ssl x509 store up reference: ([0-9A-F]+):2 +lua ssl x509 store free: ([0-9A-F]+):2 +lua ssl ctx x509 store reference: ([0-9A-F]+):1 +lua ssl ctx free: ([0-9A-F]+):1 +$/ From bfca881f8524427897986540265e7e6d0d9bf1c4 Mon Sep 17 00:00:00 2001 From: detailyang Date: Thu, 1 Jun 2017 15:32:44 +0800 Subject: [PATCH 20/23] tests: ssl-ctx throw error when open file failed --- t/ssl-ctx.t | 3 +++ 1 file changed, 3 insertions(+) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index c1788c215..749c87f84 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -46,6 +46,9 @@ init_by_lua_block { function read_file(file) local f = io.open(file, "rb") + if f == nil then + return error(file) + end local content = f:read("*all") f:close() return content From 91c58e174076ca4e8eac67325707417a0a4842b0 Mon Sep 17 00:00:00 2001 From: detailyang Date: Thu, 1 Jun 2017 16:09:55 +0800 Subject: [PATCH 21/23] tests: support ubuntu system certs --- t/ssl-ctx.t | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index 749c87f84..4f451e276 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t 
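Review bot: The positive cases in TEST 8 and TEST 10 call `https_get("127.0.0.1", 1983, "server", "/", ssl_ctx)` without the sixth argument, so `verify` falls back to false and the expected `foo` is returned whether or not the `ca` / `cert_store` option took effect; only the negative calls pass `true`. Passing it in the positive call as well, `local response, err = https_get("127.0.0.1", 1983, "server", "/", ssl_ctx, true)`, would make the result depend on the configured trust anchors, as TEST 13 already does for the combined store. In TEST 8 the nil check after creating `no_ca_ssl_ctx` still tests `ssl_ctx`; it should read `if no_ca_ssl_ctx == nil then`. TEST 11 to 13 also depend on reaching openresty.org through `$TEST_NGINX_RESOLVER`, so they will presumably fail on a CI host without outbound network access.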
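Review bot: In the `read_file` hunk of patch 20 (`@@ -46,6 +46,9 @@`), `return error(file)` raises only the path and discards the reason `io.open` returns as its second value, so a missing file and a permission problem look the same in the test log. Capturing it keeps the failure diagnosable: `local f, err = io.open(file, "rb")` and `return error("failed to open " .. file .. ": " .. (err or "unknown"))`. The closing `end` of `read_file` lies outside this hunk.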
@@ -26,6 +26,13 @@ sub read_file { $cert; } +our $system_cert_path = "/etc/pki/tls/cert.pem"; + +if (-e "/usr/local/share/ca-certificates") { + $system_cert_path = "/usr/local/share/ca-certificates"; +} + +our $SystemCerts = read_file($system_cert_path); our $TestCertificate = read_file("t/cert/test.crt"); our $TestCertificateKey = read_file("t/cert/test.key"); our $TestCRL = read_file("t/cert/test.crl"); @@ -70,7 +77,7 @@ init_by_lua_block { c:set("sslctx", ssl_ctx) - local system_cert = read_file("/etc/pki/tls/cert.pem") + local system_cert = read_file("$system_cert_path") local cert_store, err = ssl.create_x509_store(system_cert) if cert_store == nil then return ngx.say(err) @@ -203,6 +210,8 @@ $caCrt OpenResty >>> wrong.key OpenResty +>>> system.crt +$SystemCerts _EOS_ add_block_preprocessor(sub { @@ -590,7 +599,7 @@ foo location /t { content_by_lua_block { local ssl = require "ngx.ssl" - local ca = read_file("/etc/pki/tls/cert.pem") + local ca = read_file("$TEST_NGINX_HTML_DIR/system.crt") local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) @@ -637,7 +646,7 @@ GET /t --- response_body 20: unable to get local issuer certificate success - +--- timeout: 5 === TEST 12: ssl ctx - set cert store with lrucache @@ -646,7 +655,7 @@ success location /t { content_by_lua_block { local ssl = require "ngx.ssl" - local ca = read_file("/etc/pki/tls/cert.pem") + local ca = read_file("$TEST_NGINX_HTML_DIR/system.crt") local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) @@ -673,7 +682,7 @@ success GET /t --- response_body success - +--- timeout: 5 === TEST 13: ssl ctx - set cert store self-signed and system cert 
@@ -683,7 +692,7 @@ success location /t { content_by_lua_block { local ssl = require "ngx.ssl" - local system_cert = read_file("/etc/pki/tls/cert.pem") + local system_cert = read_file("$TEST_NGINX_HTML_DIR/system.crt") local local_cert = read_file("$TEST_NGINX_HTML_DIR/ca.crt") local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) From b795d4e19c957b7240073da9791f9be49b50c248 Mon Sep 17 00:00:00 2001 From: detailyang Date: Thu, 1 Jun 2017 16:39:06 +0800 Subject: [PATCH 22/23] tests: add travis certificate path --- t/ssl-ctx.t | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index 4f451e276..7f4491fd6 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -28,8 +28,12 @@ sub read_file { our $system_cert_path = "/etc/pki/tls/cert.pem"; -if (-e "/usr/local/share/ca-certificates") { - $system_cert_path = "/usr/local/share/ca-certificates"; +if (-e "/usr/local/share/ca-certificates/ca.crt") { + $system_cert_path = "/usr/local/share/ca-certificates/ca.crt"; +} + +if (-e "/etc/ssl/certs/ca-certificates.crt") { + $system_cert_path = "/etc/ssl/certs/ca-certificates.crt"; } our $SystemCerts = read_file($system_cert_path); From 3f5ce4234fb58836cfa5f6b9309061c44f7a33ad Mon Sep 17 00:00:00 2001 From: detailyang Date: Fri, 2 Jun 2017 10:03:15 +0800 Subject: [PATCH 23/23] tests: ssl-ctx.t style tweaks --- t/ssl-ctx.t | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index 7f4491fd6..67c197568 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -742,8 +742,6 @@ self-signed success === TEST 14: ssl ctx - cert store init and free --- config ---- config - resolver $TEST_NGINX_RESOLVER; location /t { content_by_lua_block { local ssl = require "ngx.ssl" 
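Review bot: The path selection in the PATCH 22 hunk (`@@ -28,8 +28,12 @@`) never checks that the path finally chosen exists. When neither of the two probed files is present, `read_file` is called on `/etc/pki/tls/cert.pem` unconditionally, and what it does with a missing file is not visible here. The two independent `if` blocks also leave the precedence implicit, since the last existing file wins. An ordered candidate list with a regular-file test and an explicit failure makes the tests' dependency on the host trust store visible; the list below keeps the current precedence.

```perl
our $system_cert_path;

for my $candidate ("/etc/ssl/certs/ca-certificates.crt",
                   "/usr/local/share/ca-certificates/ca.crt",
                   "/etc/pki/tls/cert.pem")
{
    if (-f $candidate) {
        $system_cert_path = $candidate;
        last;
    }
}

defined $system_cert_path
    or die "no system CA bundle found in the known distribution paths";

our $SystemCerts = read_file($system_cert_path);
```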
@@ -772,7 +770,6 @@ $/ === TEST 15: ssl ctx - cert store init and up reference then free --- config - resolver $TEST_NGINX_RESOLVER; location /t { content_by_lua_block { local ssl = require "ngx.ssl" @@ -809,3 +806,4 @@ lua ssl x509 store free: ([0-9A-F]+):2 lua ssl ctx x509 store reference: ([0-9A-F]+):1 lua ssl ctx free: ([0-9A-F]+):1 $/ +