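--TEST--
CURLOPT_SSL* basic client auth tests
--EXTENSIONS--
curl
--SKIPIF--
<?php
if (!function_exists("proc_open")) die("skip no proc_open");
exec('openssl version', $out, $code);
if ($code > 0) die("skip couldn't locate openssl binary");
if (PHP_OS_FAMILY === 'Windows') die('skip not for Windows');
if (PHP_OS_FAMILY === 'Darwin') die('skip Fails intermittently on macOS');
if (PHP_OS === 'FreeBSD') die('skip proc_open seems to be stuck on FreeBSD');
$curl_version = curl_version();
if ($curl_version['version_number'] < 0x074700) {
    die("skip: blob options not supported for curl < 7.71.0");
}
?>
--FILE--
<?php

/**
 * Print the curl error number of the last transfer on $ch, if there was one.
 *
 * The expected output relies on the exact "CURL ERROR: <n>" format.
 */
function check_error(CurlHandle $ch): void {
    $errno = curl_errno($ch);
    if ($errno !== 0) {
        echo "CURL ERROR: " . $errno . "\n";
    }
}

/**
 * Report whether the server's status page echoed the client certificate subject.
 *
 * curl_exec() returns false when the transfer fails (the handshake is rejected),
 * so $response is string|false; a failed transfer never contains the subject.
 */
function check_response(string|false $response, string $clientCertSubject): void {
    if ($response !== false && str_contains($response, $clientCertSubject)) {
        echo "client cert subject in response\n";
    } else {
        echo "client cert subject not in response\n";
    }
}

/**
 * Run one client-auth scenario against the local openssl server and print its result.
 *
 * Each entry of $options is applied with curl_setopt() in array order and the
 * return value is var_dump()ed, so the expected output lists one bool per option.
 * CURLOPT_RETURNTRANSFER is always set (without output) so the body can be inspected.
 *
 * @param array<int, mixed> $options CURLOPT_* constant => value
 */
function run_case(string $label, int $port, array $options, string $clientCertSubject): void {
    echo $label . "\n";
    $ch = curl_init("https://127.0.0.1:$port/");
    foreach ($options as $option => $value) {
        var_dump(curl_setopt($ch, $option, $value));
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    $response = curl_exec($ch);
    check_response($response, $clientCertSubject);
    check_error($ch);
    curl_close($ch);
}

// Subject of the test client cert; the s_server -www status page prints it when
// the client authenticated, which is what check_response() looks for.
$clientCertSubject = "Subject: C=US, ST=TX, L=Clientlocation, O=Clientcompany, CN=clientname/emailAddress=test@example.com";

// load server cert
$serverCertPath = __DIR__ . DIRECTORY_SEPARATOR . 'curl_setopt_ssl_servercert.pem';
$serverCert = file_get_contents($serverCertPath);

// load server key
$serverKeyPath = __DIR__ . DIRECTORY_SEPARATOR . 'curl_setopt_ssl_serverkey.pem';
$serverKey = file_get_contents($serverKeyPath);

// load client cert
$clientCertPath = __DIR__ . DIRECTORY_SEPARATOR . 'curl_setopt_ssl_clientcert.pem';
$clientCert = file_get_contents($clientCertPath);

// load client key
$clientKeyPath = __DIR__ . DIRECTORY_SEPARATOR . 'curl_setopt_ssl_clientkey.pem';
$clientKey = file_get_contents($clientKeyPath);

if ($serverCert === false
    || $serverKey === false
    || $clientCert === false
    || $clientKey === false
) {
    die('failed to load test certs and keys for files');
}

$port = 14430;

// Peer verification is switched off in cases 1-4 so that only the client-auth
// options are under test; cases 5-7 turn it back on and verify against the
// server's own cert via CURLOPT_CAINFO / CURLOPT_ISSUERCERT*. Cases 2, 3 and 7
// deliberately pass an empty blob and expect the transfer to fail.
$cases = [
    ['case 1: client cert and key from string', [
        CURLOPT_SSLCERT_BLOB => $clientCert,
        CURLOPT_SSLKEY_BLOB => $clientKey,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ]],
    ['case 2: empty client cert and key from string', [
        CURLOPT_SSLCERT_BLOB => '',
        CURLOPT_SSLKEY_BLOB => $clientKey,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ]],
    ['case 3: client cert and empty key from string', [
        CURLOPT_SSLCERT_BLOB => $clientCert,
        CURLOPT_SSLKEY_BLOB => '',
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ]],
    ['case 4: client cert and key from file', [
        CURLOPT_SSLCERT => $clientCertPath,
        CURLOPT_SSLKEY => $clientKeyPath,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ]],
    ['case 5: issuer cert from file', [
        CURLOPT_CAINFO => $serverCertPath,
        CURLOPT_ISSUERCERT => $serverCertPath,
        CURLOPT_SSLCERT => $clientCertPath,
        CURLOPT_SSLKEY => $clientKeyPath,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => false,
    ]],
    ['case 6: issuer cert from string', [
        CURLOPT_CAINFO => $serverCertPath,
        CURLOPT_ISSUERCERT_BLOB => $serverCert,
        CURLOPT_SSLCERT => $clientCertPath,
        CURLOPT_SSLKEY => $clientKeyPath,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => false,
    ]],
    ['case 7: empty issuer cert from string', [
        CURLOPT_CAINFO => $serverCertPath,
        CURLOPT_ISSUERCERT_BLOB => '',
        CURLOPT_SSLCERT => $clientCertPath,
        CURLOPT_SSLKEY => $clientKeyPath,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => false,
    ]],
];

// set up local server
// -Verify 1 makes s_server require a client certificate and -verify_return_error turns a
// verification failure into a handshake failure; -www serves a status page that includes
// the client cert subject. Array-form proc_open() runs openssl without a shell, so a
// __DIR__ containing spaces or shell metacharacters cannot break the command line.
$cmd = [
    'openssl', 's_server',
    '-key', $serverKeyPath,
    '-cert', $serverCertPath,
    '-accept', (string) $port,
    '-www',
    '-CAfile', $clientCertPath,
    '-verify_return_error',
    '-Verify', '1',
];
$process = proc_open($cmd, [["pipe", "r"], ["pipe", "w"], ["pipe", "w"]], $pipes);

if ($process === false) {
    die('failed to start server');
}
try {
    // Give the server time to start
    sleep(1);
    // Fail fast with one clear message instead of seven connection errors if
    // openssl already exited (for example because the port was unavailable).
    if (!proc_get_status($process)['running']) {
        die('openssl s_server exited before the test started');
    }

    foreach ($cases as $i => [$label, $options]) {
        if ($i > 0) {
            echo "\n";
        }
        run_case($label, $port, $options, $clientCertSubject);
    }
} finally {
    // clean up server process; pipes are closed before proc_close() so it cannot deadlock
    proc_terminate($process);
    foreach ($pipes as $pipe) {
        fclose($pipe);
    }
    proc_close($process);
}

?>
--EXPECT--
case 1: client cert and key from string
bool(true)
bool(true)
bool(true)
bool(true)
client cert subject in response

case 2: empty client cert and key from string
bool(true)
bool(true)
bool(true)
bool(true)
client cert subject not in response
CURL ERROR: 58

case 3: client cert and empty key from string
bool(true)
bool(true)
bool(true)
bool(true)
client cert subject not in response
CURL ERROR: 58

case 4: client cert and key from file
bool(true)
bool(true)
bool(true)
bool(true)
client cert subject in response

case 5: issuer cert from file
bool(true)
bool(true)
bool(true)
bool(true)
bool(true)
bool(true)
client cert subject in response

case 6: issuer cert from string
bool(true)
bool(true)
bool(true)
bool(true)
bool(true)
bool(true)
client cert subject in response

case 7: empty issuer cert from string
bool(true)
bool(true)
bool(true)
bool(true)
bool(true)
bool(true)
client cert subject not in response
CURL ERROR: 83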