EXTRA_INSTALL = contrib/sslinfo

subdir = src/test/ssl

top_builddir = ../../..

include$(top_builddir)/src/Makefile.global

=================

NOTE: You must have given the --enable-tap-tests argument to configure.

Also, to use "make installcheck", you must have built and installed

contrib/sslinfo in addition to the core code.

Run

make check

# An OpenSSL format CSR config file for creating a client certificate.

#

# The certificate is for user "ssltestuser" and intends to test client

# certificate with extensions.

[ req ]

distinguished_name = req_distinguished_name

req_extensions = client_ext

prompt = no

[ req_distinguished_name ]

CN = ssltestuser

[ client_ext ]

basicConstraints = critical,CA:false

extendedKeyUsage = clientAuth

-----BEGIN CERTIFICATE-----

MIIDezCCAmOgAwIBAgIIICEREAQyQQAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE

Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNs

aWVudCBjZXJ0czAeFw0yMTExMTAwMzMyNDFaFw00OTAzMjgwMzMyNDFaMBYxFDAS

BgNVBAMMC3NzbHRlc3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC

AQEArCHikkEQLFITbn3ZfO8X2RW3fELeaImgy8W4Pkkc4LxdHCWjdCML/vtE/ZVu

Op74qrQQWT0HKXFVUiZLbjAgV2PONS6VFHhc3sTFxuTaBnVdY+K98hoFnXskINt/

wgwUhRcRZuKPcZvEHiqF6e3g3lQa99l1nVKPGPLOCvVhSgoV0Gwgxok0t7s25BCV

ZmpMAwSTxpeviLF0e2MsttuyClQ4nuD92EHZX3BuG0WNPLxiwikV96uMffpMRGsx

uiAHzD5ykYM7/b3eU0bjfi0J0qcfTSeytqFuRCNEukJpmtUmyYGqsFJ7HN7ejCY7

ObAlBn8h+4bgwBRaeZDZLTMaYQIDAQABo4GgMIGdMAwGA1UdEwEB/wQCMAAwEwYD

VR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFPPv1n7k1Vd9BBC4eoGWPZwVz2Lx

MFkGA1UdIwRSMFChRKRCMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBmb3IgUG9z

dGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlggggIQMDFBIHATANBgkq

hkiG9w0BAQsFAAOCAQEAtqIeTmUhtHyCt5k2yx88F0dKshYq4Z+LQI+agyZ1fRE6

Ux5p+SBGbzvc+NcUvc7yGG6w2G/nTVnGwSHN9NtQa2T2XbHJysJ/dwCfmRsachKz

4kCp0zAHEDrEmZua0sy5BLwwVCk5WNBR0lZ35WmIEuRA+5G/2lCywtrb9W4YnbAM

nH7BtZE8qPbK4OicB40I2NXz6KhG3755oKN03VC1IaX9JFQxf37ac7jVK5bsjfaF

0xCAeuDN6wDiVHZj6q1GhhmNLzaF5zmU2e/cI1nTI5tfGKnygavlZIz2VvAlcypt

YZdMDy69VbTWUa57UPCspghgvm5M2/Hjmz50CXGMvw==

-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----

MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsIeKSQRAsUhNu

fdl87xfZFbd8Qt5oiaDLxbg+SRzgvF0cJaN0Iwv++0T9lW46nviqtBBZPQcpcVVS

JktuMCBXY841LpUUeFzexMXG5NoGdV1j4r3yGgWdeyQg23/CDBSFFxFm4o9xm8Qe

KoXp7eDeVBr32XWdUo8Y8s4K9WFKChXQbCDGiTS3uzbkEJVmakwDBJPGl6+IsXR7

Yyy227IKVDie4P3YQdlfcG4bRY08vGLCKRX3q4x9+kxEazG6IAfMPnKRgzv9vd5T

RuN+LQnSpx9NJ7K2oW5EI0S6Qmma1SbJgaqwUnsc3t6MJjs5sCUGfyH7huDAFFp5

kNktMxphAgMBAAECggEAQlVWkmUHXgUNHvXZo8chyhMP4A+G1QNAl3Zs73fObJ66

RPgOOtmsrEjZh92XmnibvHDiofkeMu7NYfiG9gIO3I6GL0Fxyu8tXt22l9SmXnnJ

EQ6Wg19azZrgS9c6ryVnnPhMSPlDLRVJaRSbAZCdqSABOoUvSX7AzWz4UQnJwbVp

c9Le7DbXcD4IIhi+D2o6k46oGTm+P8kEAbw73tN7NmxBudwMhvGup3HlDNypbwPJ

0aWR+nxZbaAVnmYiENX7L68R9rweqDES8AgV030L4YF022C8TAuBLeCjuEQucdp4

+ZcNUzAF2G1NN/VUpjBKK08+Pu0C0vV+fDrKWK+QnwKBgQC74THLylX/+7TJC24U

LXu/z5BjkejUr4GLHTZG9edGgaoSiKikXdseCI/RiDVXvtQ7kstFYflOZ+XGuc4l

GVAN52uRqg7uXw0R8F8bKpal08j4Rhe4rXKvH5h9hSeozOlxq7jrQ2xk96Guu3k7

ujqkkVoPX+dnwUVN6elWrMIUpwKBgQDqiwqaKk7Pmkqc5et4WKvKFLKYuTU/qOO6

fVEqGlgbLGNf+DVgKcTl5AVyhqtedh1hin0ij/dDHoYOmynmbe/zguSxF7kYUxdJ

STwWpQt/ccaWMfqgrjxXpWsPc1fRWgmACAaum04GXmBeZ4z0rVT4blwAVddgoLL8

q4lrSNbRtwKBgQClv4jnyaxPNecLCmtln66xzFMMlJe8ssztRqswtRYA7Ll2ultV

DnwVpeYDK1AsBe1EVT/BCSshEaXzyM3lisxGR+htTIL5pp9oORAeblcTGqEM7wFU

aqhneM9VxRf04jn8j0uHOicxeAmKllfg6m1768NxFuGWdjpG/1pcnfJmtwKBgAF8

Nen6AJvB710E+7O8ZAIYlXTwH00y5ZZFuuDYX9x0MIDoEnZ0bUHDauFpxuYHO3Jl

rRst7DPpmpG3G9HQumdBWe9hJhPoWsplA1NlYihBcS98S4j+8XTgoEftxA2YU10T

L++lHh5eNKAEadkWy+Xy1PRPltiOy/NbprgeMvYLAoGAKpt7DHcK8B0JdOnEzTuz

7mT6xRt2C9IASCiv92Fx1BPiPy4l9ukT4CJza/wpSpH3xyeB37afe0kQyU8lDrCF

iMU3RNTzTftwqO8GgtgntgW8ZKe9fuqzm9VLMQFyL+zdqEfGG6ROS8ipYLx9pn6x

FHc3UsmLmK0hfCr9B4Yo+C0=

-----END PRIVATE KEY-----

server-multiple-alt-names\

server-no-names\

server-revoked

CLIENTS := client client-dn client-revoked

CLIENTS := client client-dn client-revoked client_ext

use strict;

use warnings;

use PostgreSQL::Test::Cluster;

use PostgreSQL::Test::Utils;

use Test::More;

use File::Copy;

use FindBin;

use lib$FindBin::RealBin;

use SSLServer;

if ($ENV{with_ssl}ne'openssl')

{

planskip_all=>'OpenSSL not supported by this build';

}

{

plantests=> 13;

}

my$SERVERHOSTADDR ='127.0.0.1';

my$SERVERHOSTCIDR ='127.0.0.1/32';

my$common_connstr;

my$client_tmp_key ="${PostgreSQL::Test::Utils::tmp_check}/client_ext.key";

copy("ssl/client_ext.key",$client_tmp_key)

ordie"couldn't copy ssl/client_ext.key to$client_tmp_key for permissions change:$!";

chmod 0600,$client_tmp_key

ordie"failed to change permissions on$client_tmp_key:$!";

note"setting up data directory";

my$node = PostgreSQL::Test::Cluster->new('primary');

$node->init;

$ENV{PGHOST} =$node->host;

$ENV{PGPORT} =$node->port;

$node->start;

configure_test_server_for_ssl($node,$SERVERHOSTADDR,$SERVERHOSTCIDR,

'trust',extensions=> [qw(sslinfo) ]);

switch_server_cert($node,'server-revoked');

$common_connstr =

"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR" .

"user=ssltestuser sslcert=ssl/client_ext.crt sslkey=$client_tmp_key";

$node->connect_ok(

$common_connstr,

"certificate authorization succeeds with correct client cert in PEM format",

);

my$result;

$result =$node->safe_psql("certdb","SELECT ssl_is_used();",

connstr=>$common_connstr);

is($result,'t',"ssl_is_used() for TLS connection");

$result =$node->safe_psql("certdb","SELECT ssl_version();",

connstr=>$common_connstr ." ssl_min_protocol_version=TLSv1.2" .

"ssl_max_protocol_version=TLSv1.2");

is($result,'TLSv1.2',"ssl_version() correctly returning TLS protocol");

$result =$node->safe_psql("certdb",

"SELECT ssl_cipher() = cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();",

connstr=>$common_connstr);

is($result,'t',"ssl_cipher() compared with pg_stat_ssl");

$result =$node->safe_psql("certdb","SELECT ssl_client_cert_present();",

connstr=>$common_connstr);

is($result,'t',"ssl_client_cert_present() for connection with cert");

$result =$node->safe_psql("trustdb","SELECT ssl_client_cert_present();",

connstr=>"sslrootcert=ssl/root+server_ca.crt sslmode=require" .

"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser");

is($result,'f',"ssl_client_cert_present() for connection without cert");

$result =$node->safe_psql("certdb",

"SELECT ssl_client_serial() = client_serial FROM pg_stat_ssl WHERE pid = pg_backend_pid();",

connstr=>$common_connstr);

is($result,'t',"ssl_client_serial() compared with pg_stat_ssl");

$result =$node->psql("certdb","SELECT ssl_client_dn_field('invalid');",

connstr=>$common_connstr);

is($result,'3',"ssl_client_dn_field() for an invalid field");

$result =$node->safe_psql("trustdb","SELECT ssl_client_dn_field('commonName');",

connstr=>"sslrootcert=ssl/root+server_ca.crt sslmode=require" .

"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser");

is($result,'',"ssl_client_dn_field() for connection without cert");

$result =$node->safe_psql("certdb",

"SELECT '/CN=' || ssl_client_dn_field('commonName') = client_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();",

connstr=>$common_connstr);

is($result,'t',"ssl_client_dn_field() for commonName");

$result =$node->safe_psql("certdb",

"SELECT ssl_issuer_dn() = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();",

connstr=>$common_connstr);

is($result,'t',"ssl_issuer_dn() for connection with cert");

$result =$node->safe_psql("certdb",

"SELECT '/CN=' || ssl_issuer_field('commonName') = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();",

connstr=>$common_connstr);

is($result,'t',"ssl_issuer_field() for commonName");

$result =$node->safe_psql("certdb",

"SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';",

connstr=>$common_connstr);

is($result,'CA:FALSE|t','extract extension from cert');