require 'test/unit'
require 'open-uri'
require 'stringio'
require 'tmpdir'
require 'webrick'
begin
  require 'openssl'
  require 'webrick/https'
rescue LoadError
end
require 'webrick/httpproxy'
11
# Declared up front, with its superclass, so the test case exists even when
# OpenSSL is unavailable; the SSL-dependent methods are added by reopening
# the class below under `if defined?(OpenSSL)`.
class TestOpenURISSL < Test::Unit::TestCase; end
14
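class TestOpenURISSL
  # Log sink that swallows everything, so WEBrick stays quiet during the run.
  NullLog = Object.new
  def NullLog.<<(arg)
  end

  # Starts a loopback HTTPS server (WEBrick in its own thread, ephemeral port)
  # that presents SERVER_CERT / SERVER_KEY, and yields it together with a
  # scratch directory and its base URL.  The server is shut down, and we wait
  # for it to report :Stop, even when the block raises.
  #
  # SERVER_CERT is issued by the private test CA in CA_CERT, which no system
  # trust store knows; the tests below depend on that.
  #
  # @yield [srv, dir, url] the WEBrick::HTTPServer, the temp directory and
  #   "https://127.0.0.1:PORT"
  def with_https
    Dir.mktmpdir {|dr|
      srv = WEBrick::HTTPServer.new({
        :DocumentRoot => dr,
        :ServerType => Thread,
        :Logger => WEBrick::Log.new(NullLog),
        :AccessLog => [[NullLog, ""]],
        :SSLEnable => true,
        :SSLCertificate => OpenSSL::X509::Certificate.new(SERVER_CERT),
        :SSLPrivateKey => OpenSSL::PKey::RSA.new(SERVER_KEY),
        :BindAddress => '127.0.0.1',
        :Port => 0})
      # Port 0 lets the OS pick; read back what was actually bound.
      _, port, _, host = srv.listeners[0].addr
      begin
        srv.start
        yield srv, dr, "https://#{host}:#{port}"
      ensure
        srv.shutdown
        until srv.status == :Stop
          sleep 0.1
        end
      end
    }
  end

  # Blanks every proxy-related environment variable for the duration of a
  # test, so open-uri's proxy autodetection cannot route the loopback
  # requests through whatever proxy the host environment has configured.
  def setup
    @proxies = %w[http_proxy HTTP_PROXY https_proxy HTTPS_PROXY ftp_proxy FTP_PROXY no_proxy]
    @old_proxies = @proxies.map {|k| ENV[k] }
    @proxies.each {|k| ENV[k] = nil }
  end

  # Restores the proxy variables saved by #setup.
  def teardown
    @proxies.each_with_index {|k, i| ENV[k] = @old_proxies[i] }
  end

  # Certificate validation in open-uri:
  #   1. with :ssl_ca_cert naming the test CA file the request succeeds;
  #   2. with :ssl_verify_mode => VERIFY_NONE it succeeds with no trust anchor
  #      at all (deliberately insecure; only here to prove the knob works);
  #   3. with no option the request must fail with SSLError, showing that
  #      open-uri verifies the peer by default and does not trust a CA the
  #      system store lacks.
  #
  # NOTE(review): the `open(url)` calls rely on open-uri's Kernel#open
  # override; Ruby releases that dropped that override need URI.open instead.
  def test_validation
    with_https {|srv, dr, url|
      cacert_filename = "#{dr}/cacert.pem"
      # File.write rather than Kernel#open: open-uri overrides the latter, so
      # a local write should not go through it.
      File.write(cacert_filename, CA_CERT)
      srv.mount_proc("/data", lambda { |req, res| res.body = "ddd" } )
      open("#{url}/data", :ssl_ca_cert => cacert_filename) {|f|
        assert_equal("200", f.status[0])
        assert_equal("ddd", f.read)
      }
      # Explicit opt-out of verification -- the insecure setting.
      open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE) {|f|
        assert_equal("200", f.status[0])
        assert_equal("ddd", f.read)
      }
      # No trust anchor supplied: the private CA is unknown, the handshake
      # must be rejected rather than silently accepted.
      assert_raise(OpenSSL::SSL::SSLError) { open("#{url}/data") {} }
    }
  end

  # The same validation through an HTTP proxy (WEBrick::HTTPProxyServer on
  # loopback).  open-uri has to tunnel with CONNECT, so TLS stays end to end
  # and the CA check still runs against the origin's certificate; the proxy's
  # access log is checked for the CONNECT line to confirm that.  The second
  # request passes :ssl_ca_cert as a c_rehash-style directory instead of a
  # file.
  def test_proxy
    with_https {|srv, dr, url|
      cacert_filename = "#{dr}/cacert.pem"
      File.write(cacert_filename, CA_CERT)
      cacert_directory = "#{dr}/certs"
      Dir.mkdir cacert_directory
      # Directory lookups expect <subject hash as 8 hex digits>.<n>, the
      # layout c_rehash produces.
      hashed_name = "%08x.0" % OpenSSL::X509::Certificate.new(CA_CERT).subject.hash
      File.write("#{cacert_directory}/#{hashed_name}", CA_CERT)
      sio = StringIO.new
      prxy = WEBrick::HTTPProxyServer.new({
        :ServerType => Thread,
        :Logger => WEBrick::Log.new(NullLog),
        :AccessLog => [[sio, WEBrick::AccessLog::COMMON_LOG_FORMAT]],
        :BindAddress => '127.0.0.1',
        :Port => 0})
      _, p_port, _, p_host = prxy.listeners[0].addr
      proxy_url = "http://#{p_host}:#{p_port}/"
      # host:port is interpolated into a regexp; escape it so the dots in the
      # address match literally.
      connect_line = /CONNECT #{Regexp.escape(url.sub(%r{\Ahttps://}, ''))} /
      begin
        prxy.start
        srv.mount_proc("/proxy", lambda { |req, res| res.body = "proxy" } )
        open("#{url}/proxy", :proxy => proxy_url, :ssl_ca_cert => cacert_filename) {|f|
          assert_equal("200", f.status[0])
          assert_equal("proxy", f.read)
        }
        assert_match(connect_line, sio.string)
        sio.truncate(0); sio.rewind
        open("#{url}/proxy", :proxy => proxy_url, :ssl_ca_cert => cacert_directory) {|f|
          assert_equal("200", f.status[0])
          assert_equal("proxy", f.read)
        }
        assert_match(connect_line, sio.string)
        sio.truncate(0); sio.rewind
      ensure
        prxy.shutdown
        until prxy.status == :Stop
          sleep 0.1
        end
      end
    }
  end

end if defined?(OpenSSL)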
112
113# mkdir demoCA demoCA/private demoCA/newcerts
114# touch demoCA/index.txt
115# echo 00 > demoCA/serial
116# openssl req -new -keyout demoCA/private/cakey.pem -out demoCA/careq.pem
# openssl ca -out demoCA/cacert.pem -startdate 090101000000Z -enddate 491231235959Z -batch -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem
#   NOTE: run like this with a stock openssl.cnf, the self-signed root receives the usr_cert
#   extensions, which is why the CA_CERT dump below shows "Basic Constraints: CA:FALSE".  Add
#   "-extensions v3_ca" when regenerating so the root is marked CA:TRUE; verifiers that enforce
#   basicConstraints on the issuer can otherwise reject the chain (X509_V_ERR_INVALID_CA).
118
119# cp /etc/ssl/openssl.cnf openssl-server.cnf # Debian
120# vi openssl-server.cnf # enable "nsCertType = server"
121# mkdir server
# openssl genrsa -des3 -out server/server.key 1024
#   NOTE: 1024-bit RSA and the sha1WithRSAEncryption signatures shown in the dumps below are
#   below the security level newer OpenSSL builds enforce by default; if the handshake starts
#   failing on such a build, regenerate both key pairs with at least 2048 bits and sign with -sha256.
123# openssl rsa -in server/server.key -out server/servernopass.key
124# openssl req -new -days 365 -key server/servernopass.key -out server/csr.pem
125# openssl ca -config openssl-server.cnf -startdate 090101000000Z -enddate 491231235959Z -in server/csr.pem -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out server/cert.pem
126
# demoCA/cacert.pem => TestOpenURISSL::CA_CERT
# server/cert.pem => TestOpenURISSL::SERVER_CERT
# server/servernopass.key => TestOpenURISSL::SERVER_KEY
#
# Each constant holds the `openssl ... -text` dump followed by the PEM block; the dump is there for
# readers, the PEM block at the end is what gets parsed.  SERVER_KEY is an unencrypted private key
# committed to the source tree: it is a throwaway credential for this loopback test only and must
# never be reused anywhere else.
130
131TestOpenURISSL::CA_CERT = <<'End'
132Certificate:
133    Data:
134        Version: 3 (0x2)
135        Serial Number: 0 (0x0)
136        Signature Algorithm: sha1WithRSAEncryption
137        Issuer: C=JP, ST=Tokyo, O=RubyTest, CN=Ruby Test CA
138        Validity
139            Not Before: Jan  1 00:00:00 2009 GMT
140            Not After : Dec 31 23:59:59 2049 GMT
141        Subject: C=JP, ST=Tokyo, O=RubyTest, CN=Ruby Test CA
142        Subject Public Key Info:
143            Public Key Algorithm: rsaEncryption
144            RSA Public Key: (1024 bit)
145                Modulus (1024 bit):
146                    00:9f:58:19:39:bc:ea:0c:b8:c3:5d:12:a7:d8:20:
147                    6c:53:ac:91:34:c8:b4:db:3f:56:f6:75:b6:6c:23:
148                    80:23:6a:5f:b3:f6:9a:3e:00:b4:16:19:1c:9c:2c:
149                    8d:e8:53:d5:0b:f1:52:3f:7b:60:93:86:ae:89:ab:
150                    20:82:9a:b6:72:14:3c:4d:a9:0b:6c:34:79:9e:d3:
151                    14:82:6d:c9:3b:90:d9:5e:68:6f:8c:b5:d8:09:f4:
152                    6f:3b:22:9f:5e:81:9c:37:df:cf:90:36:65:57:dc:
153                    ad:31:ca:8b:48:92:a7:3c:1e:42:e9:1c:4e:1e:cb:
154                    36:c1:44:4e:ab:9a:b2:73:6d
155                Exponent: 65537 (0x10001)
156        X509v3 extensions:
157            X509v3 Basic Constraints:
158                CA:FALSE
159            Netscape Comment:
160                OpenSSL Generated Certificate
161            X509v3 Subject Key Identifier:
162                24:6F:03:A3:EE:06:51:75:B2:BA:FC:3A:38:59:BF:ED:87:CD:E8:7F
163            X509v3 Authority Key Identifier:
164                keyid:24:6F:03:A3:EE:06:51:75:B2:BA:FC:3A:38:59:BF:ED:87:CD:E8:7F
165
166    Signature Algorithm: sha1WithRSAEncryption
167        13:eb:db:ca:cd:90:f2:09:9e:d9:72:70:5e:42:5d:11:84:ce:
168        00:1d:c4:2f:41:d2:3e:16:e5:d4:97:1f:43:a9:a7:9c:fa:60:
169        c4:35:96:f2:f6:0d:13:6d:0f:36:dd:59:03:08:ee:2e:a6:df:
170        9e:d8:6d:ca:72:8f:02:c2:2b:53:7b:12:7f:55:81:6c:9e:7d:
171        e7:40:7e:f8:f5:75:0d:4b:a0:8d:ee:a4:d9:e8:5f:06:c9:86:
172        66:71:70:6c:41:81:6a:dd:a4:4f:a3:c1:ac:70:d4:78:1b:23:
173        30:2f:a5:ef:98:ee:d4:62:80:fd:bf:d4:7a:9b:8e:2d:18:e5:
174        00:46
175-----BEGIN CERTIFICATE-----
176MIICfzCCAeigAwIBAgIBADANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJKUDEO
177MAwGA1UECBMFVG9reW8xETAPBgNVBAoTCFJ1YnlUZXN0MRUwEwYDVQQDEwxSdWJ5
178IFRlc3QgQ0EwHhcNMDkwMTAxMDAwMDAwWhcNNDkxMjMxMjM1OTU5WjBHMQswCQYD
179VQQGEwJKUDEOMAwGA1UECBMFVG9reW8xETAPBgNVBAoTCFJ1YnlUZXN0MRUwEwYD
180VQQDEwxSdWJ5IFRlc3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ9Y
181GTm86gy4w10Sp9ggbFOskTTItNs/VvZ1tmwjgCNqX7P2mj4AtBYZHJwsjehT1Qvx
182Uj97YJOGromrIIKatnIUPE2pC2w0eZ7TFIJtyTuQ2V5ob4y12An0bzsin16BnDff
183z5A2ZVfcrTHKi0iSpzweQukcTh7LNsFETquasnNtAgMBAAGjezB5MAkGA1UdEwQC
184MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl
185MB0GA1UdDgQWBBQkbwOj7gZRdbK6/Do4Wb/th83ofzAfBgNVHSMEGDAWgBQkbwOj
1867gZRdbK6/Do4Wb/th83ofzANBgkqhkiG9w0BAQUFAAOBgQAT69vKzZDyCZ7ZcnBe
187Ql0RhM4AHcQvQdI+FuXUlx9Dqaec+mDENZby9g0TbQ823VkDCO4upt+e2G3Kco8C
188witTexJ/VYFsnn3nQH749XUNS6CN7qTZ6F8GyYZmcXBsQYFq3aRPo8GscNR4GyMw
189L6XvmO7UYoD9v9R6m44tGOUARg==
190-----END CERTIFICATE-----
191End
192
193TestOpenURISSL::SERVER_CERT = <<'End'
194Certificate:
195    Data:
196        Version: 3 (0x2)
197        Serial Number: 1 (0x1)
198        Signature Algorithm: sha1WithRSAEncryption
199        Issuer: C=JP, ST=Tokyo, O=RubyTest, CN=Ruby Test CA
200        Validity
201            Not Before: Jan  1 00:00:00 2009 GMT
202            Not After : Dec 31 23:59:59 2049 GMT
203        Subject: C=JP, ST=Tokyo, O=RubyTest, CN=127.0.0.1
204        Subject Public Key Info:
205            Public Key Algorithm: rsaEncryption
206            RSA Public Key: (1024 bit)
207                Modulus (1024 bit):
208                    00:bb:bd:74:69:53:58:50:24:79:f2:eb:db:8b:97:
209                    e4:69:a4:dd:48:0c:40:35:62:42:b3:35:8c:96:2a:
210                    62:76:98:b5:2a:e0:f8:78:33:b6:ff:f8:55:bf:44:
211                    69:21:d7:b5:0e:bd:8a:dd:31:1b:88:d5:b4:5e:7a:
212                    82:e0:ba:99:6c:04:76:e9:ff:e6:f8:f5:06:8e:7e:
213                    a4:db:db:eb:43:44:12:a7:ca:ca:2b:aa:5f:83:10:
214                    e2:9e:35:55:e8:e8:af:be:c8:7d:bb:c2:d4:aa:c1:
215                    1c:57:0b:c0:0c:3a:1d:6e:23:a9:03:26:7c:ea:8c:
216                    f0:86:61:ce:f1:ff:42:c7:23
217                Exponent: 65537 (0x10001)
218        X509v3 extensions:
219            X509v3 Basic Constraints:
220                CA:FALSE
221            Netscape Cert Type:
222                SSL Server
223            Netscape Comment:
224                OpenSSL Generated Certificate
225            X509v3 Subject Key Identifier:
226                7F:17:5A:58:88:96:E1:1F:44:EA:FF:AD:C6:2E:90:E2:95:32:DD:F0
227            X509v3 Authority Key Identifier:
228                keyid:24:6F:03:A3:EE:06:51:75:B2:BA:FC:3A:38:59:BF:ED:87:CD:E8:7F
229
230    Signature Algorithm: sha1WithRSAEncryption
231        9a:34:99:ea:76:a2:ed:f0:f7:a7:75:3b:81:fb:75:57:93:c1:
232        27:b6:1e:7a:38:67:95:be:58:42:9a:0a:dd:2b:23:fb:85:42:
233        80:34:bf:b9:0e:9c:5e:5a:dc:2d:25:8c:68:02:a2:c7:7f:c0:
234        eb:f3:e0:61:e2:05:e5:7e:c1:e0:33:1c:76:65:23:2c:25:08:
235        f6:5a:11:b9:d4:f7:e3:80:bb:b0:ce:76:1a:56:22:af:e2:4a:
236        e1:7e:a4:60:f3:fd:9c:53:46:51:57:32:6b:05:53:80:5c:a5:
237        61:93:87:ae:06:a8:a2:ba:4d:a1:b7:1b:0f:8f:82:0a:e8:b3:
238        ea:63
239-----BEGIN CERTIFICATE-----
240MIICkTCCAfqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJKUDEO
241MAwGA1UECBMFVG9reW8xETAPBgNVBAoTCFJ1YnlUZXN0MRUwEwYDVQQDEwxSdWJ5
242IFRlc3QgQ0EwHhcNMDkwMTAxMDAwMDAwWhcNNDkxMjMxMjM1OTU5WjBEMQswCQYD
243VQQGEwJKUDEOMAwGA1UECBMFVG9reW8xETAPBgNVBAoTCFJ1YnlUZXN0MRIwEAYD
244VQQDEwkxMjcuMC4wLjEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALu9dGlT
245WFAkefLr24uX5Gmk3UgMQDViQrM1jJYqYnaYtSrg+Hgztv/4Vb9EaSHXtQ69it0x
246G4jVtF56guC6mWwEdun/5vj1Bo5+pNvb60NEEqfKyiuqX4MQ4p41Vejor77IfbvC
2471KrBHFcLwAw6HW4jqQMmfOqM8IZhzvH/QscjAgMBAAGjgY8wgYwwCQYDVR0TBAIw
248ADARBglghkgBhvhCAQEEBAMCBkAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2Vu
249ZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBR/F1pYiJbhH0Tq/63GLpDilTLd
2508DAfBgNVHSMEGDAWgBQkbwOj7gZRdbK6/Do4Wb/th83ofzANBgkqhkiG9w0BAQUF
251AAOBgQCaNJnqdqLt8PendTuB+3VXk8Enth56OGeVvlhCmgrdKyP7hUKANL+5Dpxe
252WtwtJYxoAqLHf8Dr8+Bh4gXlfsHgMxx2ZSMsJQj2WhG51PfjgLuwznYaViKv4krh
253fqRg8/2cU0ZRVzJrBVOAXKVhk4euBqiiuk2htxsPj4IK6LPqYw==
254-----END CERTIFICATE-----
255End
256
257TestOpenURISSL::SERVER_KEY = <<'End'
258Private-Key: (1024 bit)
259modulus:
260    00:bb:bd:74:69:53:58:50:24:79:f2:eb:db:8b:97:
261    e4:69:a4:dd:48:0c:40:35:62:42:b3:35:8c:96:2a:
262    62:76:98:b5:2a:e0:f8:78:33:b6:ff:f8:55:bf:44:
263    69:21:d7:b5:0e:bd:8a:dd:31:1b:88:d5:b4:5e:7a:
264    82:e0:ba:99:6c:04:76:e9:ff:e6:f8:f5:06:8e:7e:
265    a4:db:db:eb:43:44:12:a7:ca:ca:2b:aa:5f:83:10:
266    e2:9e:35:55:e8:e8:af:be:c8:7d:bb:c2:d4:aa:c1:
267    1c:57:0b:c0:0c:3a:1d:6e:23:a9:03:26:7c:ea:8c:
268    f0:86:61:ce:f1:ff:42:c7:23
269publicExponent: 65537 (0x10001)
270privateExponent:
271    00:af:3a:ec:17:0a:f5:d9:07:d2:d3:4c:15:c5:3b:
272    66:b4:bc:6e:d5:ba:a9:8b:aa:45:3b:63:f5:ee:8b:
273    6d:0f:e9:04:e0:1a:cf:8f:d2:25:32:d1:a5:a7:3a:
274    c1:2e:17:5a:25:82:00:c4:e7:fb:1d:42:ea:71:6c:
275    c4:0f:e1:db:23:ff:1e:d6:c8:d6:60:ca:2d:06:fc:
276    54:3c:03:d4:09:96:bb:38:7a:22:a1:61:2c:f7:d0:
277    d0:90:6c:9f:61:ba:61:30:5a:aa:64:ad:43:3a:53:
278    38:e8:ba:cc:8c:51:3e:68:3e:3a:6a:0f:5d:5d:e0:
279    d6:df:f2:54:93:d3:14:22:a1
280prime1:
281    00:e8:ec:11:fe:e6:2b:23:21:29:d5:40:a6:11:ec:
282    4c:ae:4d:08:2a:71:18:ac:d1:3e:40:2f:12:41:59:
283    12:09:e2:f7:c2:d7:6b:0a:96:0a:06:e3:90:6a:4e:
284    b2:eb:25:b7:09:68:e9:13:ab:d0:5a:29:7a:e4:72:
285    1a:ee:46:a0:8b
286prime2:
287    00:ce:57:5e:31:e9:c9:a8:5b:1f:55:af:67:e2:49:
288    2a:af:90:b6:02:c0:32:2f:ca:ae:1e:de:47:81:73:
289    a8:f8:37:53:70:93:24:62:77:d4:b8:80:30:9f:65:
290    26:20:46:ae:5a:65:6e:6d:af:68:4c:8d:e8:3c:f3:
291    d1:d1:d9:6e:c9
292exponent1:
293    03:f1:02:b8:f2:82:26:5d:08:4d:30:83:de:e7:c5:
294    c0:69:53:4b:0c:90:e3:53:c3:1e:e8:ed:01:28:15:
295    b3:0f:21:2c:2d:e3:04:d1:d7:27:98:b0:37:ec:4f:
296    00:c5:a9:9c:42:27:37:8a:ff:c2:96:d3:1a:8c:87:
297    c2:22:75:d3
298exponent2:
299    6f:17:32:ab:84:c7:01:51:2d:e9:9f:ea:3a:36:52:
300    38:fb:9c:42:96:df:6e:43:9c:c3:19:c1:3d:bc:db:
301    77:e7:b1:90:a6:67:ac:6b:ff:a6:e5:bd:47:d3:d9:
302    56:ff:36:d7:8c:4c:8b:d9:28:3a:2f:1c:9d:d4:57:
303    5e:b7:c5:a1
304coefficient:
305    45:50:47:66:56:e9:21:d9:40:0e:af:3f:f2:05:77:
306    ab:e7:08:40:97:88:2a:51:b3:7e:86:b0:b2:03:2e:
307    6d:36:3f:46:42:97:7d:5a:a2:93:6c:05:c2:8b:8b:
308    2d:af:d5:7d:75:e9:70:f0:2d:21:e3:b9:cf:4d:9a:
309    c4:97:e2:79
310-----BEGIN RSA PRIVATE KEY-----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324-----END RSA PRIVATE KEY-----
325End
326