diff options
-rw-r--r-- | lib/ssl/test/ssl_dist_SUITE.erl | 414 | ||||
-rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 3 |
2 files changed, 92 insertions, 325 deletions
diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl index 59e187aeae..3b0c4d8c09 100644 --- a/lib/ssl/test/ssl_dist_SUITE.erl +++ b/lib/ssl/test/ssl_dist_SUITE.erl @@ -56,17 +56,7 @@ verify_fun_fail/0, verify_fun_fail/1, verify_fun_pass/0, - verify_fun_pass/1, - crl_check_pass/0, - crl_check_pass/1, - crl_check_fail/0, - crl_check_fail/1, - crl_check_best_effort/0, - crl_check_best_effort/1, - crl_cache_check_pass/0, - crl_cache_check_pass/1, - crl_cache_check_fail/0, - crl_cache_check_fail/1 + verify_fun_pass/1 ]). %% Apply export @@ -80,19 +70,9 @@ connect_options_test/3, verify_fun_fail_test/3, verify_fun_pass_test/3, - crl_check_fail_test/3, - crl_check_best_effort_test/3, - crl_check_pass_test/3, - crl_cache_check_fail_test/3, - crl_cache_check_pass_test/3, verify_pass_always/3, verify_fail_always/3]). -%% CRL API --export([lookup/2, - select/2, - fresh_crl/2 - ]). -define(DEFAULT_TIMETRAP_SECS, 240). -define(AWAIT_SSL_NODE_UP_TIMEOUT, 30000). @@ -119,14 +99,11 @@ all() -> connect_options, use_interface, verify_fun_fail, - verify_fun_pass, - crl_check_pass, - crl_check_fail, - crl_check_best_effort, - crl_cache_check_pass, - crl_cache_check_fail]. + verify_fun_pass + ]. init_per_suite(Config0) -> + _ = end_per_suite(Config0), try crypto:start() of ok -> %% Currently no ct function avilable for is_cover! @@ -142,12 +119,11 @@ init_per_suite(Config0) -> {skip, "Crypto did not start"} end. -end_per_suite(Config) -> - application:stop(crypto), - Config. +end_per_suite(_Config) -> + application:stop(crypto). init_per_testcase(plain_verify_options = Case, Config) when is_list(Config) -> - SslFlags = setup_dist_opts([{many_verify_opts, true} | Config]), + SslFlags = setup_tls_opts(Config), Flags = case os:getenv("ERL_FLAGS") of false -> os:putenv("ERL_FLAGS", SslFlags), @@ -184,32 +160,30 @@ basic(Config) when is_list(Config) -> %%-------------------------------------------------------------------- payload() -> - [{doc,"Test that send a lot of data between the ssl distributed noes"}]. + [{doc,"Test that send a lot of data between the ssl distributed nodes"}]. payload(Config) when is_list(Config) -> gen_dist_test(payload_test, Config). %%-------------------------------------------------------------------- plain_options() -> - [{doc,"Test specifying additional options"}]. + [{doc,"Test specifying tls options not related to certificate verification"}]. plain_options(Config) when is_list(Config) -> - DistOpts = "-ssl_dist_opt server_secure_renegotiate true " + TLSOpts = "-ssl_dist_opt server_secure_renegotiate true " "client_secure_renegotiate true " - "server_reuse_sessions true client_reuse_sessions true " - "client_verify verify_none server_verify verify_none " - "server_depth 1 client_depth 1 " "server_hibernate_after 500 client_hibernate_after 500", - gen_dist_test(plain_options_test, [{additional_dist_opts, DistOpts} | Config]). + gen_dist_test(plain_options_test, [{tls_only_basic_opts, TLSOpts} | Config]). %%-------------------------------------------------------------------- plain_verify_options() -> - [{doc,"Test specifying additional options"}]. + [{doc,"Test specifying tls options including certificate verification options"}]. plain_verify_options(Config) when is_list(Config) -> - DistOpts = "-ssl_dist_opt server_secure_renegotiate true " + TLSOpts = "-ssl_dist_opt server_secure_renegotiate true " "client_secure_renegotiate true " + "server_hibernate_after 500 client_hibernate_after 500" "server_reuse_sessions true client_reuse_sessions true " - "server_hibernate_after 500 client_hibernate_after 500", - gen_dist_test(plain_verify_options_test, [{additional_dist_opts, DistOpts} | Config]). + "server_depth 1 client_depth 1 ", + gen_dist_test(plain_verify_options_test, [{tls_verify_opts, TLSOpts} | Config]). %%-------------------------------------------------------------------- nodelay_option() -> @@ -239,7 +213,7 @@ listen_port_options(Config) when is_list(Config) -> PortOpt1 = "-kernel inet_dist_listen_min " ++ integer_to_list(Port1) ++ " inet_dist_listen_max " ++ integer_to_list(Port1), - try start_ssl_node([{additional_dist_opts, PortOpt1} | Config]) of + try start_ssl_node([{tls_verify_opts, PortOpt1} | proplists:delete(tls_verify_opts, Config)]) of #node_handle{} -> %% If the node was able to start, it didn't take the port %% option into account. @@ -254,7 +228,7 @@ listen_port_options(Config) when is_list(Config) -> %% Try again, now specifying a high max port. PortOpt2 = "-kernel inet_dist_listen_min " ++ integer_to_list(Port1) ++ " inet_dist_listen_max 65535", - NH2 = start_ssl_node([{additional_dist_opts, PortOpt2} | Config]), + NH2 = start_ssl_node([{tls_verify_opts, PortOpt2} | proplists:delete(tls_verify_opts, Config)]), try Node2 = NH2#node_handle.nodename, @@ -300,7 +274,7 @@ use_interface(Config) when is_list(Config) -> Options = "-kernel inet_dist_use_interface " ++ IpString, %% Start a node, and get the port number it's listening on. - NH1 = start_ssl_node([{additional_dist_opts, Options} | Config]), + NH1 = start_ssl_node([{tls_verify_opts, Options} | Config]), try Node1 = NH1#node_handle.nodename, @@ -330,89 +304,24 @@ use_interface(Config) when is_list(Config) -> verify_fun_fail() -> [{doc,"Test specifying verify_fun with a function that always fails"}]. verify_fun_fail(Config) when is_list(Config) -> - DistOpts = "-ssl_dist_opt " - "server_verify verify_peer server_verify_fun " + AddTLSVerifyOpts = "-ssl_dist_opt " + "server_verify_fun " "\"{ssl_dist_SUITE,verify_fail_always,{}}\" " - "client_verify verify_peer client_verify_fun " + "client_verify_fun " "\"{ssl_dist_SUITE,verify_fail_always,{}}\" ", - gen_dist_test(verify_fun_fail_test, [{additional_dist_opts, DistOpts} | Config]). + gen_dist_test(verify_fun_fail_test, [{tls_verify_opts, AddTLSVerifyOpts} | Config]). %%-------------------------------------------------------------------- verify_fun_pass() -> [{doc,"Test specifying verify_fun with a function that always succeeds"}]. verify_fun_pass(Config) when is_list(Config) -> - DistOpts = "-ssl_dist_opt " - "server_verify verify_peer server_verify_fun " + AddTLSVerifyOpts = "-ssl_dist_opt " + "server_verify_fun " "\"{ssl_dist_SUITE,verify_pass_always,{}}\" " - "server_fail_if_no_peer_cert true " - "client_verify verify_peer client_verify_fun " + "client_verify_fun " "\"{ssl_dist_SUITE,verify_pass_always,{}}\" ", - gen_dist_test(verify_fun_pass_test, [{additional_dist_opts, DistOpts} | Config]). - - -%%-------------------------------------------------------------------- -crl_check_pass() -> - [{doc,"Test crl_check with non-revoked certificate"}]. -crl_check_pass(Config) when is_list(Config) -> - DistOpts = "-ssl_dist_opt client_crl_check true", - NewConfig = - [{many_verify_opts, true}, {additional_dist_opts, DistOpts}] ++ Config, - gen_dist_test(crl_check_pass_test, NewConfig). - -%%-------------------------------------------------------------------- -crl_check_fail() -> - [{doc,"Test crl_check with revoked certificate"}]. -crl_check_fail(Config) when is_list(Config) -> - DistOpts = "-ssl_dist_opt client_crl_check true", - NewConfig = - [{many_verify_opts, true}, - %% The server uses a revoked certificate. - {server_cert_dir, "revoked"}, - {additional_dist_opts, DistOpts}] ++ Config, - gen_dist_test(crl_check_fail_test, NewConfig). - -%%-------------------------------------------------------------------- -crl_check_best_effort() -> - [{doc,"Test specifying crl_check as best_effort"}]. -crl_check_best_effort(Config) when is_list(Config) -> - DistOpts = "-ssl_dist_opt " - "server_verify verify_peer server_crl_check best_effort", - NewConfig = - [{many_verify_opts, true}, {additional_dist_opts, DistOpts}] ++ Config, - gen_dist_test(crl_check_best_effort_test, NewConfig). - -%%-------------------------------------------------------------------- -crl_cache_check_pass() -> - [{doc,"Test specifying crl_check with custom crl_cache module"}]. -crl_cache_check_pass(Config) when is_list(Config) -> - PrivDir = ?config(priv_dir, Config), - NodeDir = filename:join([PrivDir, "Certs"]), - DistOpts = "-ssl_dist_opt " - "client_crl_check true " - "client_crl_cache " - "\"{ssl_dist_SUITE,{\\\"" ++ NodeDir ++ "\\\",[]}}\"", - NewConfig = - [{many_verify_opts, true}, {additional_dist_opts, DistOpts}] ++ Config, - gen_dist_test(crl_cache_check_pass_test, NewConfig). - -%%-------------------------------------------------------------------- -crl_cache_check_fail() -> - [{doc,"Test custom crl_cache module with revoked certificate"}]. -crl_cache_check_fail(Config) when is_list(Config) -> - PrivDir = ?config(priv_dir, Config), - NodeDir = filename:join([PrivDir, "Certs"]), - DistOpts = "-ssl_dist_opt " - "client_crl_check true " - "client_crl_cache " - "\"{ssl_dist_SUITE,{\\\"" ++ NodeDir ++ "\\\",[]}}\"", - NewConfig = - [{many_verify_opts, true}, - %% The server uses a revoked certificate. - {server_cert_dir, "revoked"}, - {additional_dist_opts, DistOpts}] ++ Config, - - gen_dist_test(crl_cache_check_fail_test, NewConfig). + gen_dist_test(verify_fun_pass_test, [{tls_verify_opts, AddTLSVerifyOpts} | Config]). %%-------------------------------------------------------------------- %%% Internal functions ----------------------------------------------- @@ -573,7 +482,7 @@ do_listen_options(Prio, Config) -> end, Options = "-kernel inet_dist_listen_options " ++ PriorityString, - gen_dist_test(listen_options_test, [{prio, Prio}, {additional_dist_opts, Options} | Config]). + gen_dist_test(listen_options_test, [{prio, Prio}, {tls_only_basic_opts, Options} | Config]). listen_options_test(NH1, NH2, Config) -> Prio = proplists:get_value(prio, Config), @@ -605,7 +514,7 @@ do_connect_options(Prio, Config) -> Options = "-kernel inet_dist_connect_options " ++ PriorityString, gen_dist_test(connect_options_test, - [{prio, Prio}, {additional_dist_opts, Options} | Config]). + [{prio, Prio}, {tls_only_basic_opts, Options} | Config]). connect_options_test(NH1, NH2, Config) -> Prio = proplists:get_value(prio, Config), @@ -662,58 +571,7 @@ verify_fun_pass_test(NH1, NH2, _) -> [{verify_pass_always_ran, true}] = apply_on_ssl_node(NH2, fun () -> ets:tab2list(verify_fun_ran) end). -crl_check_fail_test(NH1, NH2, Config) -> - Node2 = NH2#node_handle.nodename, - - PrivDir = ?config(priv_dir, Config), - cache_crls_on_ssl_nodes(PrivDir, ["erlangCA", "otpCA"], [NH1, NH2]), - - %% The server's certificate is revoked, so connection fails. - pang = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), - - [] = apply_on_ssl_node(NH1, fun () -> nodes() end), - [] = apply_on_ssl_node(NH2, fun () -> nodes() end). -crl_check_best_effort_test(NH1, NH2, _Config) -> - %% We don't have the correct CRL at hand, but since crl_check is - %% best_effort, we accept it anyway. - Node1 = NH1#node_handle.nodename, - Node2 = NH2#node_handle.nodename, - - pong = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), - - [Node2] = apply_on_ssl_node(NH1, fun () -> nodes() end), - [Node1] = apply_on_ssl_node(NH2, fun () -> nodes() end). - -crl_check_pass_test(NH1, NH2, Config) -> - Node1 = NH1#node_handle.nodename, - Node2 = NH2#node_handle.nodename, - - PrivDir = ?config(priv_dir, Config), - cache_crls_on_ssl_nodes(PrivDir, ["erlangCA", "otpCA"], [NH1, NH2]), - - %% The server's certificate is not revoked, so connection succeeds. - pong = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), - - [Node2] = apply_on_ssl_node(NH1, fun () -> nodes() end), - [Node1] = apply_on_ssl_node(NH2, fun () -> nodes() end). - -crl_cache_check_pass_test(NH1, NH2, _) -> - Node1 = NH1#node_handle.nodename, - Node2 = NH2#node_handle.nodename, - - pong = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), - - [Node2] = apply_on_ssl_node(NH1, fun () -> nodes() end), - [Node1] = apply_on_ssl_node(NH2, fun () -> nodes() end). - - -crl_cache_check_fail_test(NH1, NH2, _) -> - Node2 = NH2#node_handle.nodename, - pang = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), - - [] = apply_on_ssl_node(NH1, fun () -> nodes() end), - [] = apply_on_ssl_node(NH2, fun () -> nodes() end). get_socket_priorities() -> [Priority || {ok,[{priority,Priority}]} <- @@ -723,36 +581,16 @@ inet_ports() -> [Port || Port <- erlang:ports(), element(2, erlang:port_info(Port, name)) =:= "tcp_inet"]. -%% -%% test_server side api -%% - start_ssl_node(Config) -> start_ssl_node(Config, ""). start_ssl_node(Config, XArgs) -> Name = mk_node_name(Config), - SSL = proplists:get_value(ssl_opts, Config), - SSLDistOpts = setup_dist_opts(Config), + App = proplists:get_value(app_opts, Config), + SSLOpts = setup_tls_opts(Config), start_ssl_node_name( - Name, SSL ++ " " ++ SSLDistOpts ++ XArgs). - -cache_crls_on_ssl_nodes(PrivDir, CANames, NHs) -> - [begin - File = filename:join([PrivDir, "Certs", CAName, "crl.pem"]), - {ok, PemBin} = file:read_file(File), - PemEntries = public_key:pem_decode(PemBin), - CRLs = [ CRL || {'CertificateList', CRL, not_encrypted} - <- PemEntries], - ok = apply_on_ssl_node(NH, ssl_manager, insert_crls, - ["no_distribution_point", CRLs, dist]) - end - || NH <- NHs, CAName <- CANames], - ok. + Name, App ++ " " ++ SSLOpts ++ XArgs). -%% -%% command line creation -%% mk_node_name(Config) -> N = erlang:unique_integer([positive]), @@ -763,107 +601,51 @@ mk_node_name(Config) -> ++ "_" ++ integer_to_list(N). -%% -%% Setup ssl dist info -%% - -rand_bin(N) -> - rand_bin(N, []). - -rand_bin(0, Acc) -> - Acc; -rand_bin(N, Acc) -> - rand_bin(N-1, [rand:uniform(256)-1|Acc]). - -make_randfile(Dir) -> - {ok, IoDev} = file:open(filename:join([Dir, "RAND"]), [write]), - ok = file:write(IoDev, rand_bin(1024)), - file:close(IoDev). - -append_files(FileNames, ResultFileName) -> - {ok, ResultFile} = file:open(ResultFileName, [write]), - do_append_files(FileNames, ResultFile). - -do_append_files([], RF) -> - ok = file:close(RF); -do_append_files([F|Fs], RF) -> - {ok, Data} = file:read_file(F), - ok = file:write(RF, Data), - do_append_files(Fs, RF). - setup_certs(Config) -> PrivDir = proplists:get_value(priv_dir, Config), - NodeDir = filename:join([PrivDir, "Certs"]), - RGenDir = filename:join([NodeDir, "rand_gen"]), - ok = file:make_dir(NodeDir), - ok = file:make_dir(RGenDir), - make_randfile(RGenDir), - [Hostname|_] = string:split(net_adm:localhost(), ".", all), - {ok, _} = make_certs:all(RGenDir, NodeDir, [{hostname,Hostname}]), - SDir = filename:join([NodeDir, "server"]), - SC = filename:join([SDir, "cert.pem"]), - SK = filename:join([SDir, "key.pem"]), - SKC = filename:join([SDir, "keycert.pem"]), - append_files([SK, SC], SKC), - CDir = filename:join([NodeDir, "client"]), - CC = filename:join([CDir, "cert.pem"]), - CK = filename:join([CDir, "key.pem"]), - CKC = filename:join([CDir, "keycert.pem"]), - append_files([CK, CC], CKC). - -setup_dist_opts(Config) -> + DerConfig = public_key:pkix_test_data(#{server_chain => #{root => rsa_root_key(1), + intermediates => [rsa_intermediate(2)], + peer => rsa_peer_key(3)}, + client_chain => #{root => rsa_root_key(1), + intermediates => [rsa_intermediate(5)], + peer => rsa_peer_key(6)}}), + ClientBase = filename:join([PrivDir, "rsa"]), + SeverBase = filename:join([PrivDir, "rsa"]), + + _ = x509_test:gen_pem_config_files(DerConfig, ClientBase, SeverBase). + +setup_tls_opts(Config) -> PrivDir = proplists:get_value(priv_dir, Config), - DataDir = proplists:get_value(data_dir, Config), - Dhfile = filename:join([DataDir, "dHParam.pem"]), - NodeDir = filename:join([PrivDir, "Certs"]), - SDir = filename:join([NodeDir, proplists:get_value(server_cert_dir, Config, "server")]), - CDir = filename:join([NodeDir, proplists:get_value(client_cert_dir, Config, "client")]), - SC = filename:join([SDir, "cert.pem"]), - SK = filename:join([SDir, "key.pem"]), - SKC = filename:join([SDir, "keycert.pem"]), - SCA = filename:join([CDir, "cacerts.pem"]), - CC = filename:join([CDir, "cert.pem"]), - CK = filename:join([CDir, "key.pem"]), - CKC = filename:join([CDir, "keycert.pem"]), - CCA = filename:join([SDir, "cacerts.pem"]), - - DistOpts = case proplists:get_value(many_verify_opts, Config, false) of - false -> - "-proto_dist inet_tls " - ++ "-ssl_dist_opt server_certfile " ++ SKC ++ " " - ++ "-ssl_dist_opt client_certfile " ++ CKC ++ " "; - true -> - case os:type() of - {win32, _} -> - "-proto_dist inet_tls " - ++ "-ssl_dist_opt server_certfile " ++ SKC ++ " " - ++ "-ssl_dist_opt server_cacertfile " ++ SCA ++ " " - ++ "-ssl_dist_opt server_verify verify_peer " - ++ "-ssl_dist_opt server_fail_if_no_peer_cert true " - ++ "-ssl_dist_opt server_ciphers DHE-RSA-AES256-SHA\:DHE-RSA-AES128-SHA " - ++ "-ssl_dist_opt server_dhfile " ++ Dhfile ++ " " - ++ "-ssl_dist_opt client_certfile " ++ CKC ++ " " - ++ "-ssl_dist_opt client_cacertfile " ++ CCA ++ " " - ++ "-ssl_dist_opt client_verify verify_peer " - ++ "-ssl_dist_opt client_ciphers DHE-RSA-AES256-SHA\:DHE-RSA-AES128-SHA "; - _ -> - "-proto_dist inet_tls " - ++ "-ssl_dist_opt server_certfile " ++ SC ++ " " - ++ "-ssl_dist_opt server_keyfile " ++ SK ++ " " - ++ "-ssl_dist_opt server_cacertfile " ++ SCA ++ " " - ++ "-ssl_dist_opt server_verify verify_peer " - ++ "-ssl_dist_opt server_fail_if_no_peer_cert true " - ++ "-ssl_dist_opt server_ciphers DHE-RSA-AES256-SHA\:DHE-RSA-AES128-SHA " - ++ "-ssl_dist_opt server_dhfile " ++ Dhfile ++ " " - ++ "-ssl_dist_opt client_certfile " ++ CC ++ " " - ++ "-ssl_dist_opt client_keyfile " ++ CK ++ " " - ++ "-ssl_dist_opt client_cacertfile " ++ CCA ++ " " - ++ "-ssl_dist_opt client_verify verify_peer " - ++ "-ssl_dist_opt client_ciphers DHE-RSA-AES256-SHA\:DHE-RSA-AES128-SHA " - end - end, - MoreOpts = proplists:get_value(additional_dist_opts, Config, []), - DistOpts ++ MoreOpts. + SC = filename:join([PrivDir, "rsa_server_cert.pem"]), + SK = filename:join([PrivDir, "rsa_server_key.pem"]), + SCA = filename:join([PrivDir, "rsa_server_cacerts.pem"]), + CC = filename:join([PrivDir, "rsa_client_cert.pem"]), + CK = filename:join([PrivDir, "rsa_client_key.pem"]), + CCA = filename:join([PrivDir, "rsa_client_cacerts.pem"]), + + case proplists:get_value(tls_only_basic_opts, Config, []) of + [_|_] = BasicOpts -> %% No verify but server still need to have cert + "-proto_dist inet_tls " ++ "-ssl_dist_opt server_certfile " ++ SC ++ " " + ++ "-ssl_dist_opt server_keyfile " ++ SK ++ " " ++ BasicOpts; + [] -> %% Verify + case proplists:get_value(tls_verify_opts, Config, []) of + [_|_] -> + BasicVerifyOpts = "-proto_dist inet_tls " + ++ "-ssl_dist_opt server_certfile " ++ SC ++ " " + ++ "-ssl_dist_opt server_keyfile " ++ SK ++ " " + ++ "-ssl_dist_opt server_cacertfile " ++ SCA ++ " " + ++ "-ssl_dist_opt server_verify verify_peer " + ++ "-ssl_dist_opt server_fail_if_no_peer_cert true " + ++ "-ssl_dist_opt client_certfile " ++ CC ++ " " + ++ "-ssl_dist_opt client_keyfile " ++ CK ++ " " + ++ "-ssl_dist_opt client_cacertfile " ++ CCA ++ " " + ++ "-ssl_dist_opt client_verify verify_peer ", + BasicVerifyOpts ++ proplists:get_value(tls_verify_opts, Config, []); + _ -> %% No verify, no extra opts + "-proto_dist inet_tls " ++ "-ssl_dist_opt server_certfile " ++ SC ++ " " + ++ "-ssl_dist_opt server_keyfile " ++ SK ++ " " + end + end. %% %% Start scripts etc... @@ -914,20 +696,16 @@ add_ssl_opts_config(Config) -> SSL_VSN]), ok = file:close(RelFile), ok = systools:make_script(Script, []), - [{ssl_opts, "-boot " ++ Script} | Config] + [{app_opts, "-boot " ++ Script} | Config] catch _:_ -> - [{ssl_opts, "-pa \"" ++ filename:dirname(code:which(ssl))++"\""} + [{app_opts, "-pa \"" ++ filename:dirname(code:which(ssl))++"\""} | add_comment_config( "Bootscript wasn't used since the test wasn't run on an " "installed OTP system.", Config)] end. -%% -%% Add common comments to config -%% - add_comment_config(Comment, []) -> [{comment, Comment}]; add_comment_config(Comment, [{comment, OldComment} | Cs]) -> @@ -935,9 +713,6 @@ add_comment_config(Comment, [{comment, OldComment} | Cs]) -> add_comment_config(Comment, [C|Cs]) -> [C|add_comment_config(Comment, Cs)]. -%% -%% Call when test case success -%% success(Config) -> case lists:keysearch(comment, 1, Config) of @@ -965,6 +740,7 @@ verify_fail_always(_Certificate, _Event, _State) -> Parent = self(), spawn( fun() -> + catch ets:delete(verify_fun_ran), ets:new(verify_fun_ran, [public, named_table]), ets:insert(verify_fun_ran, {verify_fail_always_ran, true}), Parent ! go_ahead, @@ -979,6 +755,7 @@ verify_pass_always(_Certificate, _Event, State) -> Parent = self(), spawn( fun() -> + catch ets:delete(verify_fun_ran), ets:new(verify_fun_ran, [public, named_table]), ets:insert(verify_fun_ran, {verify_pass_always_ran, true}), Parent ! go_ahead, @@ -987,28 +764,6 @@ verify_pass_always(_Certificate, _Event, State) -> receive go_ahead -> ok end, {valid, State}. -%% ssl_crl_cache_api callbacks -lookup(_DistributionPoint, _DbHandle) -> - not_available. - -select({rdnSequence, NameParts}, {NodeDir, _}) -> - %% Extract the CN from the issuer name... - [CN] = [CN || - [#'AttributeTypeAndValue'{ - type = ?'id-at-commonName', - value = <<_, _, CN/binary>>}] <- NameParts], - %% ...and use that as the directory name to find the CRL. - error_logger:info_report([{found_cn, CN}]), - CRLFile = filename:join([NodeDir, CN, "crl.pem"]), - {ok, PemBin} = file:read_file(CRLFile), - PemEntries = public_key:pem_decode(PemBin), - CRLs = [ CRL || {'CertificateList', CRL, not_encrypted} - <- PemEntries], - CRLs. - -fresh_crl(_DistributionPoint, CRL) -> - CRL. - localhost_ip(InetVer) -> {ok, Addr} = inet:getaddr(net_adm:localhost(), InetVer), Addr. @@ -1026,3 +781,16 @@ localhost_ipstr(InetVer) -> inet_ver() -> inet. + +rsa_root_key(N) -> + %% As rsa keygen is not guaranteed to be fast + [{key, ssl_test_lib:hardcode_rsa_key(N)}]. + +rsa_peer_key(N) -> + %% As rsa keygen is not guaranteed to be fast + [{key, ssl_test_lib:hardcode_rsa_key(N)}]. + +rsa_intermediate(N) -> + [{key, ssl_test_lib:hardcode_rsa_key(N)}]. + + diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index 1268a14eb0..3437cf6e35 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl @@ -1296,8 +1296,7 @@ cert_options(Config) -> {server_bad_key, [{ssl_imp, new},{cacertfile, ServerCaCertFile}, {certfile, ServerCertFile}, {keyfile, BadKeyFile}]} | Config]. - - + make_dsa_cert(Config) -> CryptoSupport = crypto:supports(), case proplists:get_bool(dss, proplists:get_value(public_keys, CryptoSupport)) of |