Migrate some tests to certificate generator

This migrates all the tests using ext/openssl/tests/streams_crypto_method.pem to the certificate generator, so we can easily adjust needed parameters. In particular, this makes the cert security level 2 compatible. However, we still need to downgrade security_level to 1 in a number of tests, because they are testing TLS < 1.2 connections.
author: Nikita Popov <nikita.ppv@gmail.com> 2020-06-18 10:32:33 +0200
committer: Nikita Popov <nikita.ppv@gmail.com> 2020-06-18 10:49:36 +0200
commit: 6b702eea15e34a3d6b81a78b7d7c7fbe16c5d2ae (patch)
tree: c273b1ec30937685a13afe1f6787941960177fc8
parent: 3dfa25833fa44d5fa29bab6d489c9d46cffdb81a (diff)
download: php-git-6b702eea15e34a3d6b81a78b7d7c7fbe16c5d2ae.tar.gz
9 files changed, 106 insertions, 41 deletions
diff --git a/ext/openssl/tests/streams_crypto_method.pem b/ext/openssl/tests/streams_crypto_method.pem
deleted file mode 100644
index 9d754d460d..0000000000
--- a/ext/openssl/tests/streams_crypto_method.pem
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC5jCCAk+gAwIBAgIBADANBgkqhkiG9w0BAQQFADBcMQswCQYDVQQGEwJBVTET
-MBEGA1UECBMKUXVlZW5zbGFuZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQx
-HDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0IGJpdCkwHhcNOTkxMjAyMjEzNTQ4WhcN
-MDUwNzExMjEzNTQ4WjBcMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFu
-ZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxHDAaBgNVBAMTE1Rlc3QgUENB
-ICgxMDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2haT/f5Zwy
-V+MiuSDjSR62adBoSiBB7Usty44lXqsp9RICw+DCCxpsn/CfxPEDXLLd4olsWXc6
-JRcxGynbYmnzk+Z6aIPPJQhK3CTvaqGnWKZsA1m+WaUIUqJCuNTK4N+7hMAGaf6S
-S3e9HVgEQ4a34gXJ7VQFVIBNV1EnZRWHAgMBAAGjgbcwgbQwHQYDVR0OBBYEFE0R
-aEcrj18q1dw+G6nJbsTWR213MIGEBgNVHSMEfTB7gBRNEWhHK49fKtXcPhupyW7E
-1kdtd6FgpF4wXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
-BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
-NCBiaXQpggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAUa8B3pho
-+Mvxeq9HsEzJxHIFQla05S5J/e/V+DQTYoKiRFchKPrDAdrzYSEvP3h4QJEtsNqQ
-JfOxg5M42uLFq7aPGWkF6ZZqZsYS+zA9IVT14g7gNA6Ne+5QtJqQtH9HA24st0T0
-Tga/lZ9M2ovImovaxSL/kRHbpCWcqWVxpOw=
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
-wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
-vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
-AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
-z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
-xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
-HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
-yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
-xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
-7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
-h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
-QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
-hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
------END RSA PRIVATE KEY-----
diff --git a/ext/openssl/tests/streams_crypto_method.phpt b/ext/openssl/tests/streams_crypto_method.phpt
index 3816aa1195..15ac171ea1 100644
--- a/ext/openssl/tests/streams_crypto_method.phpt
+++ b/ext/openssl/tests/streams_crypto_method.phpt
@@ -7,11 +7,13 @@ if (!function_exists("proc_open")) die("skip no proc_open");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'streams_crypto_method.pem.tmp';
+
 $serverCode = <<<'CODE'
     $serverUri = "ssl://127.0.0.1:64321";
     $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
     $serverCtx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+        'local_cert' => '%s',
     ]]);
 
     $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
@@ -33,6 +35,7 @@ $serverCode = <<<'CODE'
         fclose($client);
     }
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $serverUri = "https://127.0.0.1:64321/";
@@ -47,8 +50,16 @@ $clientCode = <<<'CODE'
     echo file_get_contents($serverUri, false, $clientCtx);
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('streams_crypto_method', $certFile);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'streams_crypto_method.pem.tmp');
+?>
 --EXPECT--
 Hello World!
diff --git a/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt b/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt
index 143c4a8c15..ac31192da4 100644
--- a/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt
+++ b/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt
@@ -7,12 +7,15 @@ if (!function_exists("proc_open")) die("skip no proc_open");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'tls_min_v1.0_max_v1.1_wrapper.pem.tmp';
+
 $serverCode = <<<'CODE'
     $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+        'local_cert' => '%s',
         'min_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_0,
         'max_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_1,
+        'security_level' => 1,
     ]]);
 
     $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
@@ -22,12 +25,14 @@ $serverCode = <<<'CODE'
         @stream_socket_accept($server, 3);
     }
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $flags = STREAM_CLIENT_CONNECT;
     $ctx = stream_context_create(['ssl' => [
         'verify_peer' => false,
         'verify_peer_name' => false,
+        'security_level' => 1,
     ]]);
 
     phpt_wait();
@@ -51,9 +56,17 @@ $clientCode = <<<'CODE'
     var_dump($client);
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('tls_min_v1.0_max_v1.1_wrapper', $certFile);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'tls_min_v1.0_max_v1.1_wrapper.pem.tmp');
+?>
 --EXPECTF--
 resource(%d) of type (stream)
 bool(false)
diff --git a/ext/openssl/tests/tls_wrapper.phpt b/ext/openssl/tests/tls_wrapper.phpt
index 53f8a972ab..d79e978c10 100644
--- a/ext/openssl/tests/tls_wrapper.phpt
+++ b/ext/openssl/tests/tls_wrapper.phpt
@@ -8,10 +8,13 @@ if (OPENSSL_VERSION_NUMBER < 0x10101000) die("skip OpenSSL v1.1.1 required");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'tls_wrapper.pem.tmp';
+
 $serverCode = <<<'CODE'
     $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+        'local_cert' => '%s',
+        'security_level' => 1,
     ]]);
 
     $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
@@ -21,12 +24,14 @@ $serverCode = <<<'CODE'
         @stream_socket_accept($server, 3);
     }
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $flags = STREAM_CLIENT_CONNECT;
     $ctx = stream_context_create(['ssl' => [
         'verify_peer' => false,
         'verify_peer_name' => false,
+        'security_level' => 1,
     ]]);
 
     phpt_wait();
@@ -50,9 +55,17 @@ $clientCode = <<<'CODE'
     var_dump($client);
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('tls_wrapper', $certFile);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'tls_wrapper.pem.tmp');
+?>
 --EXPECTF--
 resource(%d) of type (stream)
 bool(false)
diff --git a/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt b/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt
index d87ca30a9c..b419179b3f 100644
--- a/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt
+++ b/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt
@@ -8,10 +8,13 @@ if (OPENSSL_VERSION_NUMBER < 0x10101000) die("skip OpenSSL v1.1.1 required");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'tls_wrapper_with_tls_v1.3.pem.tmp';
+
 $serverCode = <<<'CODE'
     $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+        'local_cert' => '%s',
+        'security_level' => 1,
     ]]);
 
     $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
@@ -21,12 +24,14 @@ $serverCode = <<<'CODE'
         @stream_socket_accept($server, 3);
     }
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $flags = STREAM_CLIENT_CONNECT;
     $ctx = stream_context_create(['ssl' => [
         'verify_peer' => false,
         'verify_peer_name' => false,
+        'security_level' => 1,
     ]]);
 
     phpt_wait();
@@ -53,9 +58,17 @@ $clientCode = <<<'CODE'
     var_dump($client);
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('tls_wrapper_with_tls_v1.3', $certFile);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'tls_wrapper_with_tls_v1.3.pem.tmp');
+?>
 --EXPECTF--
 resource(%d) of type (stream)
 bool(false)
diff --git a/ext/openssl/tests/tlsv1.0_wrapper.phpt b/ext/openssl/tests/tlsv1.0_wrapper.phpt
index 58ba8168ba..adbe7b6308 100644
--- a/ext/openssl/tests/tlsv1.0_wrapper.phpt
+++ b/ext/openssl/tests/tlsv1.0_wrapper.phpt
@@ -7,10 +7,13 @@ if (!function_exists("proc_open")) die("skip no proc_open");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'tlsv1.0_wrapper.pem.tmp';
+
 $serverCode = <<<'CODE'
     $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+        'local_cert' => '%s',
+        'security_level' => 1,
     ]]);
 
     $server = stream_socket_server('tlsv1.0://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
@@ -20,12 +23,14 @@ $serverCode = <<<'CODE'
         @stream_socket_accept($server, 3);
     }
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $flags = STREAM_CLIENT_CONNECT;
     $ctx = stream_context_create(['ssl' => [
         'verify_peer' => false,
         'verify_peer_name' => false,
+        'security_level' => 1,
     ]]);
 
     phpt_wait();
@@ -40,9 +45,17 @@ $clientCode = <<<'CODE'
     var_dump($client);
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('tlsv1.0_wrapper', $certFile);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'tlsv1.0_wrapper.pem.tmp');
+?>
 --EXPECTF--
 resource(%d) of type (stream)
 bool(false)
diff --git a/ext/openssl/tests/tlsv1.1_wrapper.phpt b/ext/openssl/tests/tlsv1.1_wrapper.phpt
index 8be8dd0e8e..c1aaa04919 100644
--- a/ext/openssl/tests/tlsv1.1_wrapper.phpt
+++ b/ext/openssl/tests/tlsv1.1_wrapper.phpt
@@ -7,10 +7,13 @@ if (!function_exists("proc_open")) die("skip no proc_open");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'tlsv1.1_wrapper.pem.tmp';
+
 $serverCode = <<<'CODE'
     $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+        'local_cert' => '%s',
+        'security_level' => 1,
     ]]);
 
     $server = stream_socket_server('tlsv1.1://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
@@ -20,12 +23,14 @@ $serverCode = <<<'CODE'
         @stream_socket_accept($server, 3);
     }
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $flags = STREAM_CLIENT_CONNECT;
     $ctx = stream_context_create(['ssl' => [
         'verify_peer' => false,
         'verify_peer_name' => false,
+        'security_level' => 1,
     ]]);
 
     phpt_wait();
@@ -40,9 +45,17 @@ $clientCode = <<<'CODE'
     var_dump($client);
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('tlsv1.1_wrapper', $certFile);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'tlsv1.1_wrapper.pem.tmp');
+?>
 --EXPECTF--
 resource(%d) of type (stream)
 bool(false)
diff --git a/ext/openssl/tests/tlsv1.2_wrapper.phpt b/ext/openssl/tests/tlsv1.2_wrapper.phpt
index 07d81534d7..3a67fe3155 100644
--- a/ext/openssl/tests/tlsv1.2_wrapper.phpt
+++ b/ext/openssl/tests/tlsv1.2_wrapper.phpt
@@ -7,10 +7,12 @@ if (!function_exists("proc_open")) die("skip no proc_open");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'tlsv1.2_wrapper.pem.tmp';
+
 $serverCode = <<<'CODE'
     $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+        'local_cert' => '%s',
     ]]);
 
     $server = stream_socket_server('tlsv1.2://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
@@ -20,6 +22,7 @@ $serverCode = <<<'CODE'
         @stream_socket_accept($server, 3);
     }
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $flags = STREAM_CLIENT_CONNECT;
@@ -40,9 +43,17 @@ $clientCode = <<<'CODE'
     var_dump($client);
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('tlsv1.2_wrapper', $certFile);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'tlsv1.2_wrapper.pem.tmp');
+?>
 --EXPECTF--
 resource(%d) of type (stream)
 bool(false)
diff --git a/ext/openssl/tests/tlsv1.3_wrapper.phpt b/ext/openssl/tests/tlsv1.3_wrapper.phpt
index c0e3cf4d72..5c965b5a12 100644
--- a/ext/openssl/tests/tlsv1.3_wrapper.phpt
+++ b/ext/openssl/tests/tlsv1.3_wrapper.phpt
@@ -8,10 +8,12 @@ if (OPENSSL_VERSION_NUMBER < 0x10101000) die("skip OpenSSL v1.1.1 required");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'tlsv1.3_wrapper.pem.tmp';
+
 $serverCode = <<<'CODE'
     $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
     $ctx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+        'local_cert' => '%s',
     ]]);
 
     $server = stream_socket_server('tlsv1.3://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
@@ -21,6 +23,7 @@ $serverCode = <<<'CODE'
         @stream_socket_accept($server, 3);
     }
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $flags = STREAM_CLIENT_CONNECT;
@@ -41,9 +44,17 @@ $clientCode = <<<'CODE'
     var_dump($client);
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('tlsv1.3_wrapper', $certFile);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'tlsv1.3_wrapper.pem.tmp');
+?>
 --EXPECTF--
 resource(%d) of type (stream)
 bool(false)
author	Nikita Popov <nikita.ppv@gmail.com>	2020-06-18 10:32:33 +0200
committer	Nikita Popov <nikita.ppv@gmail.com>	2020-06-18 10:49:36 +0200
commit	6b702eea15e34a3d6b81a78b7d7c7fbe16c5d2ae (patch)
tree	c273b1ec30937685a13afe1f6787941960177fc8
parent	3dfa25833fa44d5fa29bab6d489c9d46cffdb81a (diff)
download	php-git-6b702eea15e34a3d6b81a78b7d7c7fbe16c5d2ae.tar.gz