diff options
Diffstat (limited to '')
-rw-r--r-- | debian/perl-framework/t/ssl/varlookup.t | 266 |
1 files changed, 266 insertions, 0 deletions
diff --git a/debian/perl-framework/t/ssl/varlookup.t b/debian/perl-framework/t/ssl/varlookup.t new file mode 100644 index 0000000..e00a143 --- /dev/null +++ b/debian/perl-framework/t/ssl/varlookup.t @@ -0,0 +1,266 @@ +use strict; +use warnings FATAL => 'all'; + +use Apache::Test; +use Apache::TestRequest; +use Apache::TestUtil; +use Apache::TestSSLCA qw(dn dn_oneline); + +unless (have_lwp) { + # bail out early, since the parser below relies on $LWP::VERSION + plan tests => 0, need_lwp; +} + +use Time::localtime; + +my $config = Apache::Test::config(); +my $vars = Apache::Test::vars(); +my $server = $config->server; +my $time = localtime(); + +(my $mmn = $config->{httpd_info}->{MODULE_MAGIC_NUMBER}) =~ s/:\d+$//; + +#Apache::TestRequest::scheme('https'); +local $vars->{scheme} = 'https'; +my $port = $config->port; +my $rfc2253 = have_min_apache_version('2.3.11'); + +my $url = '/test_ssl_var_lookup'; +my(%lookup, @vars); + +my %client_dn = dn('client_ok'); + +my $client_dn = dn_oneline(\%client_dn, $rfc2253); + +my %client_i_dn = dn('ca'); + +my $client_i_dn = dn_oneline(\%client_i_dn, $rfc2253); + +my %server_dn = dn('server'); + +my $dgst = Apache::TestSSLCA::dgst(); + +my $email_field = Apache::TestSSLCA::email_field(); + +my $san_email = "$client_dn{$email_field}"; + +my $san_dns = "$server_dn{CN}"; + +my $san_msupn = $san_email; + +my $san_dnssrv = "_https.$server_dn{CN}"; + +if (not have_min_apache_version('2.4.13')) { + $san_email = $san_dns = "NULL"; +} + +if (not have_min_apache_version('2.4.17') or + Apache::Test::normalize_vstring(Apache::TestSSLCA::version()) < + Apache::Test::normalize_vstring("0.9.8")) { + $san_msupn = $san_dnssrv = "NULL"; +} + +# YYY will be turned into a pattern match: httpd-test/([-\w]+) +# so we can test with different server keys/certs +$server_dn{OU} = 'httpd-test/YYY'; +$server_dn{CN} = $vars->{servername}; + +my $server_dn = dn_oneline(\%server_dn, $rfc2253); + +$server_dn =~ s{(httpd-test.*?)YYY}{$1([-\\w]+)}; +$server_dn{OU} =~ s{(httpd-test.*?)YYY}{$1([-\\w]+)}; + +my %server_i_dn = %client_i_dn; +my $server_i_dn = $client_i_dn; + +my $cert_datefmt = '^\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4} GMT$'; + +while (<DATA>) { + chomp; + s/^\s+//; s/\s+$//; + s/\#.*//; + next unless $_; + my($key, $val) = split /\s+/, $_, 2; + next unless $key and $val; + + if ($val =~ /^\"/) { + $val = eval qq($val); + } + elsif ($val =~ /^\'([^\']+)\'$/) { + $val = $1; + } + else { + $val = eval $val; + } + + die $@ if $@; + + $lookup{$key} = $val; + push @vars, $key; +} + +if (not have_min_apache_version('2.4.32')) { + @vars = grep(!/_RAW/, @vars); +} + +if (not have_min_apache_version('2.5.1')) { + @vars = grep(!/_B64CERT/, @vars); +} + +plan tests => scalar (@vars), need need_lwp, need_module('test_ssl'); + +for my $key (@vars) { + sok { verify($key); }; +} + +sub verify { + my $key = shift; + my @headers; + if ($key eq 'HTTP_REFERER') { + push @headers, Referer => $0; + } + my $str = GET_BODY("$url?$key", cert => 'client_ok', + @headers); + t_cmp($str, $lookup{$key}, "$key"); +} + +__END__ +#http://www.modssl.org/docs/2.8/ssl_reference.html#ToC23 +HTTP_USER_AGENT "libwww-perl/$LWP::VERSION", +HTTP:User-Agent "libwww-perl/$LWP::VERSION", +HTTP_REFERER "$0" +HTTP_COOKIE +HTTP_FORWARDED +HTTP_HOST Apache::TestRequest::hostport() +HTTP_PROXY_CONNECTION +HTTP_ACCEPT + +#standard CGI variables +PATH_INFO +AUTH_TYPE +QUERY_STRING 'QUERY_STRING' +SERVER_SOFTWARE qr(^$server->{version}) +SERVER_ADMIN $vars->{serveradmin} +SERVER_PORT "$port" +SERVER_NAME $vars->{servername} +SERVER_PROTOCOL qr(^HTTP/1\.\d$) +REMOTE_IDENT +REMOTE_ADDR $vars->{remote_addr} +REMOTE_HOST +REMOTE_USER +DOCUMENT_ROOT $vars->{documentroot} +REQUEST_METHOD 'GET' +REQUEST_URI $url + +#mod_ssl specific variables +TIME_YEAR $time->year()+1900 +TIME_MON sprintf "%02d", $time->mon()+1 +TIME_DAY sprintf "%02d", $time->mday() +TIME_WDAY $time->wday() +TIME +TIME_HOUR +TIME_MIN +TIME_SEC + +IS_SUBREQ 'false' +API_VERSION "$mmn" +THE_REQUEST qr(^GET $url\?THE_REQUEST HTTP/1\.\d$) +REQUEST_SCHEME $vars->{scheme} +REQUEST_FILENAME +HTTPS 'on' +ENV:THE_ARGS 'ENV:THE_ARGS' + +#XXX: should use Net::SSLeay to parse the certs +#rather than just pattern match and hardcode + +SSL_CLIENT_M_VERSION qr(^\d+$) +SSL_SERVER_M_VERSION qr(^\d+$) +SSL_CLIENT_M_SERIAL qr(^[0-9A-F]+$) +SSL_SERVER_M_SERIAL qr(^[0-9A-F]+$) +SSL_PROTOCOL qr((TLS|SSL)v([1-3]|1\.[0-3])$) +SSL_CLIENT_V_START qr($cert_datefmt); +SSL_SERVER_V_START qr($cert_datefmt); +SSL_SESSION_ID +SSL_CLIENT_V_END qr($cert_datefmt); +SSL_SERVER_V_END qr($cert_datefmt); +SSL_CIPHER qr(^[A-Z0-9_-]+$) +SSL_CIPHER_EXPORT 'false' +SSL_CIPHER_ALGKEYSIZE qr(^\d+$) +SSL_CIPHER_USEKEYSIZE qr(^\d+$) +SSL_SECURE_RENEG qr(^(false|true)$) + +SSL_CLIENT_S_DN "$client_dn" +SSL_SERVER_S_DN qr(^$server_dn$) +SSL_CLIENT_S_DN_C "$client_dn{C}" +SSL_SERVER_S_DN_C "$server_dn{C}" +SSL_CLIENT_S_DN_ST "$client_dn{ST}" +SSL_SERVER_S_DN_ST "$server_dn{ST}" +SSL_CLIENT_S_DN_L "$client_dn{L}" +SSL_SERVER_S_DN_L "$server_dn{L}" +SSL_CLIENT_S_DN_O "$client_dn{O}" +SSL_SERVER_S_DN_O "$server_dn{O}" +SSL_CLIENT_S_DN_OU "$client_dn{OU}" +SSL_SERVER_S_DN_OU qr(^$server_dn{OU}) +SSL_CLIENT_S_DN_CN "$client_dn{CN}" +SSL_SERVER_S_DN_CN "$server_dn{CN}" +SSL_CLIENT_S_DN_T +SSL_SERVER_S_DN_T +SSL_CLIENT_S_DN_I +SSL_SERVER_S_DN_I +SSL_CLIENT_S_DN_G +SSL_SERVER_S_DN_G +SSL_CLIENT_S_DN_S +SSL_SERVER_S_DN_S +SSL_CLIENT_S_DN_D +SSL_SERVER_S_DN_D +SSL_CLIENT_S_DN_UID +SSL_SERVER_S_DN_UID +SSL_CLIENT_S_DN_Email "$client_dn{$email_field}" +SSL_SERVER_S_DN_Email "$server_dn{$email_field}" +SSL_CLIENT_SAN_Email_0 "$san_email" +SSL_SERVER_SAN_DNS_0 "$san_dns" +SSL_CLIENT_SAN_OTHER_msUPN_0 "$san_msupn" +SSL_SERVER_SAN_OTHER_dnsSRV_0 "$san_dnssrv" + +SSL_CLIENT_I_DN "$client_i_dn" +SSL_SERVER_I_DN "$server_i_dn" +SSL_CLIENT_I_DN_C "$client_i_dn{C}" +SSL_SERVER_I_DN_C "$server_i_dn{C}" +SSL_CLIENT_I_DN_ST "$client_i_dn{ST}" +SSL_SERVER_I_DN_ST "$server_i_dn{ST}" +SSL_CLIENT_I_DN_L "$client_i_dn{L}" +SSL_SERVER_I_DN_L "$server_i_dn{L}" +SSL_CLIENT_I_DN_O "$client_i_dn{O}" +SSL_SERVER_I_DN_O "$server_i_dn{O}" +SSL_CLIENT_I_DN_OU "$client_i_dn{OU}" +SSL_SERVER_I_DN_OU "$server_i_dn{OU}" +SSL_CLIENT_I_DN_CN "$client_i_dn{CN}" +SSL_SERVER_I_DN_CN "$server_i_dn{CN}" +SSL_SERVER_I_DN_CN_RAW "$server_i_dn{CN}" +SSL_SERVER_I_DN_CN_0_RAW "$server_i_dn{CN}" +SSL_CLIENT_I_DN_T +SSL_SERVER_I_DN_T +SSL_CLIENT_I_DN_I +SSL_SERVER_I_DN_I +SSL_CLIENT_I_DN_G +SSL_SERVER_I_DN_G +SSL_CLIENT_I_DN_S +SSL_SERVER_I_DN_S +SSL_CLIENT_I_DN_D +SSL_SERVER_I_DN_D +SSL_CLIENT_I_DN_UID +SSL_SERVER_I_DN_UID +SSL_CLIENT_I_DN_Email "$client_i_dn{$email_field}" +SSL_SERVER_I_DN_Email "$server_i_dn{$email_field}" +SSL_CLIENT_A_SIG "${dgst}WithRSAEncryption" +SSL_SERVER_A_SIG "${dgst}WithRSAEncryption" +SSL_CLIENT_A_KEY 'rsaEncryption' +SSL_SERVER_A_KEY qr(^[rd]saEncryption$) +SSL_CLIENT_CERT qr(^-----BEGIN CERTIFICATE-----) +SSL_SERVER_CERT qr(^-----BEGIN CERTIFICATE-----) +SSL_CLIENT_B64CERT qr(^[a-zA-Z0-9+/]{64,}={0,2}$) +SSL_SERVER_B64CERT qr(^[a-zA-Z0-9+/]{64,}={0,2}$) +SSL_CLIENT_VERIFY 'SUCCESS' +SSL_VERSION_LIBRARY +SSL_VERSION_INTERFACE + |