my $req = http_request_prepare
('https://localhost:12345/t/php/ssl_vars.php');
my $response = http_request_execute($req);
die $response->content unless $response->is_success;
like($response->content, qr/HTTPS.* = on/);
like($response->content, qr/SSL_CLIENT_VERIFY.* = NONE/);
my %opts = (-certificate => $test_entity_certs{"rsa1024"},
-key => $test_keys_plaintext{"rsa1024"});
$req = http_request_prepare
('https://localhost:12345/t/php/ssl_vars.php', %opts);
$response = http_request_execute($req, %opts);
die $response->content unless $response->is_success;
like($response->content, qr/HTTPS.* = on/);
like($response->content, qr/SSL_CLIENT_VERIFY.* = SUCCESS/);
like($response->content, qr/SSL_CLIENT_S_DN.* = .*CN=John Doe/);
};
};
use App::CamelPKI::Test qw(certificate_chain_ok);
use App::CamelPKI::CertTemplate;
=head2 SHA-256 authentication failure regression suite
Trying to authenticate to an I<App::CamelPKI::SysV::Apache> instance using
SHA256 client certificates used to elicit a cryptic error message.
This is because mod_ssl only knows about the hash algorithms from the
TLSv1 suite out of the box (and SHA256 is not one of these). The
following two tests exercise that.
The current solution is to add a "PerlModule Crypt::OpenSSL::CA"
directive, which calls C<OpenSSL_add_all_digests()> as a side effect;
but we need to find a better way, lest every server in Camel-PKI have
to contain a mod_perl just for that.
=cut
sub make_bogus_keypair_using_hash {
    # Drop a canned RSA-1024 test key and a matching test certificate at
    # the given paths.  Nothing is generated here: both files come from
    # the %test_keys_plaintext / %test_entity_certs fixtures.  $hash only
    # selects the certificate variant -- anything matching /sha.*256/i
    # picks the "rsa1024_sha256" fixture, every other value (e.g. "sha1")
    # picks plain "rsa1024".
    my ($hash, $admincertfile, $adminkeyfile) = @_;

    write_file($adminkeyfile, $test_keys_plaintext{"rsa1024"});

    my $cert_fixture = "rsa1024";
    $cert_fixture .= "_sha256" if $hash =~ m/sha.*256/i;
    return write_file($admincertfile, $test_entity_certs{$cert_fixture});
}
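sub ok_connect_no_hiccups {
    # Issue one HTTPS request to $webserver presenting the given client
    # certificate and key, and check that mod_ssl's client-certificate
    # validation did not choke on it: the server must answer 404 for an
    # unknown URI (a 500 means the handshake or validation blew up), and
    # its error log must not contain the "certificate signature failure"
    # message.
    #
    # Arguments: an App::CamelPKI::SysV::Apache instance, the client
    # certificate PEM path, the client key path.  Results are reported
    # through Test::More; the value of the final check is returned.
    my ($webserver, $admincertfile, $adminkeyfile) = @_;

    # Drain the error log first so that the check at the end only sees
    # lines written by this request.
    $webserver->tail_error_logfile;

    # Presumably consumed by LWP::Protocol::https when it builds the SSL
    # socket.  local() scopes the override to this sub, so later requests
    # in the same process do not present the client certificate.
    local @LWP::Protocol::http::EXTRA_SOCK_OPTS = (
        SSL_use_cert  => 1,
        SSL_cert_file => $admincertfile,
        SSL_key_file  => $adminkeyfile,
    );
    # NOTE(review): verification of the *server* certificate is left to
    # whatever LWP / IO::Socket::SSL defaults are in effect; nothing here
    # shows how the test server's certificate is trusted -- confirm.

    # Class-method call instead of the indirect-object "new LWP::UserAgent",
    # which is ambiguous to the parser.
    my $ua   = LWP::UserAgent->new;
    my $port = $webserver->https_port;
    my $response = $ua->get("https://localhost:$port/no/such/uri");

    is($response->code, 404, "500 would be bad")
        or diag $response->content;
    return unlike($webserver->tail_error_logfile,
                  qr/certificate signature failure/, <<"EXPLANATION");
``certificate signature failure'' is the message one gets when mod_ssl
attempts to validate a certificate whose hash algorithm it doesn't
know about.
EXPLANATION
}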
# Scratch directory shared by the SHA-256 tests below, plus a teardown
# that stops the Apache instance living in it when the process exits.
my $sha256directory = fresh_directory();
END {
    if (defined $sha256directory) {
        App::CamelPKI::SysV::Apache->load($sha256directory)->stop();
    }
}
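test "witness experiment: authenticating with hand-made".
     " sha1 client certificates" => sub {
    # Control for the regression test that follows: the same flow with a
    # SHA-1 client certificate, which mod_ssl handles out of the box.
    make_apache_operational($sha256directory);
    my $webserver = App::CamelPKI::SysV::Apache->load($sha256directory);
    $webserver->has_camel_pki(0);
    $webserver->start();

    my $keysdir = catdir(My::Tests::Below->tempdir, "sha1keys");
    # An unreported mkdir failure would only surface later as a confusing
    # write_file error, so report the real reason here.
    mkdir($keysdir) or die "mkdir $keysdir: $!";
    my $admincertfile = catfile($keysdir, "admin.pem");
    my $adminkeyfile  = catfile($keysdir, "admin.key");
    make_bogus_keypair_using_hash("sha1", $admincertfile, $adminkeyfile);
    ok_connect_no_hiccups($webserver, $admincertfile, $adminkeyfile);
};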
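test "REGRESSION: authenticating with sha256 client certificates" => sub {
    # Same flow as the SHA-1 witness test, but with a SHA-256 client
    # certificate -- the case that used to trip mod_ssl (see the POD above).
    make_apache_operational($sha256directory);
    my $webserver = App::CamelPKI::SysV::Apache->load($sha256directory);
    $webserver->has_camel_pki(0);
    $webserver->start();

    my $keysdir = catdir(My::Tests::Below->tempdir, "sha256keys");
    # An unreported mkdir failure would only surface later as a confusing
    # write_file error, so report the real reason here.
    mkdir($keysdir) or die "mkdir $keysdir: $!";
    my $admincertfile = catfile($keysdir, "admin.pem");
    my $adminkeyfile  = catfile($keysdir, "admin.key");
    make_bogus_keypair_using_hash("sha256", $admincertfile, $adminkeyfile);
    ok_connect_no_hiccups($webserver, $admincertfile, $adminkeyfile);
};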
};
=end internals
=cut