xref: /php-src/ext/curl/tests/curl_setopt_ssl.phpt (revision 25c09939)
1--TEST--
2CURLOPT_SSL* basic client auth tests
3--EXTENSIONS--
4curl
5--SKIPIF--
6<?php
7if (!function_exists("proc_open")) die("skip no proc_open");
8exec('openssl version', $out, $code);
9if ($code > 0) die("skip couldn't locate openssl binary");
10if (PHP_OS_FAMILY === 'Windows') die('skip not for Windows');
11if (PHP_OS_FAMILY === 'Darwin') die('skip Fails intermittently on macOS');
12if (PHP_OS === 'FreeBSD') die('skip proc_open seems to be stuck on FreeBSD');
13$curl_version = curl_version();
14if ($curl_version['version_number'] < 0x074700) {
15    die("skip: blob options not supported for curl < 7.71.0");
16}
17?>
18--FILE--
19<?php
20
21function check_error(CurlHandle $ch) {
22    if (curl_errno($ch) !== 0) {
23        echo "CURL ERROR: " . curl_errno($ch) . "\n";
24    }
25}
26
27function check_response($response, $clientCertSubject) {
28    if (strpos($response, $clientCertSubject) === false) {
29        echo "client cert subject not in response\n";
30    } else {
31        echo "client cert subject in response\n";
32    }
33}
34
35$clientCertSubject = "Subject: C=US, ST=TX, L=Clientlocation, O=Clientcompany, CN=clientname/emailAddress=test@example.com";
36
37// load server cert
38$serverCertPath = __DIR__ . DIRECTORY_SEPARATOR . 'curl_setopt_ssl_servercert.pem';
39$serverCert = file_get_contents($serverCertPath);
40
41// load server key
42$serverKeyPath = __DIR__ . DIRECTORY_SEPARATOR . 'curl_setopt_ssl_serverkey.pem';
43$serverKey = file_get_contents($serverKeyPath);
44
45// load client cert
46$clientCertPath = __DIR__ . DIRECTORY_SEPARATOR . 'curl_setopt_ssl_clientcert.pem';
47$clientCert = file_get_contents($clientCertPath);
48
49// load client key
50$clientKeyPath = __DIR__ . DIRECTORY_SEPARATOR . 'curl_setopt_ssl_clientkey.pem';
51$clientKey = file_get_contents($clientKeyPath);
52
53if ($serverCert === false
54    || $serverKey === false
55    || $clientCert === false
56    || $clientKey === false
57) {
58    die('failed to load test certs and keys for files');
59}
60
61$port = 14430;
62
63// set up local server
64$cmd = "openssl s_server -key $serverKeyPath -cert $serverCertPath -accept $port -www -CAfile $clientCertPath -verify_return_error -Verify 1";
65$process = proc_open($cmd, [["pipe", "r"], ["pipe", "w"], ["pipe", "w"]], $pipes);
66
67if ($process === false) {
68    die('failed to start server');
69}
70try {
71    // Give the server time to start
72    sleep(1);
73
74    echo "case 1: client cert and key from string\n";
75    $ch = curl_init("https://127.0.0.1:$port/");
76    var_dump(curl_setopt($ch, CURLOPT_SSLCERT_BLOB, $clientCert));
77    var_dump(curl_setopt($ch, CURLOPT_SSLKEY_BLOB, $clientKey));
78    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false));
79    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false));
80    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
81
82    $response = curl_exec($ch);
83    check_response($response, $clientCertSubject);
84    check_error($ch);
85    curl_close($ch);
86
87    echo "\n";
88    echo "case 2: empty client cert and key from string\n";
89    $ch = curl_init("https://127.0.0.1:$port/");
90    var_dump(curl_setopt($ch, CURLOPT_SSLCERT_BLOB, ''));
91    var_dump(curl_setopt($ch, CURLOPT_SSLKEY_BLOB, $clientKey));
92    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false));
93    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false));
94    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
95
96    $response = curl_exec($ch);
97    check_response($response, $clientCertSubject);
98    check_error($ch);
99    curl_close($ch);
100
101    echo "\n";
102    echo "case 3: client cert and empty key from string\n";
103    $ch = curl_init("https://127.0.0.1:$port/");
104    var_dump(curl_setopt($ch, CURLOPT_SSLCERT_BLOB, $clientCert));
105    var_dump(curl_setopt($ch, CURLOPT_SSLKEY_BLOB, ''));
106    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false));
107    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false));
108    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
109
110    $response = curl_exec($ch);
111    check_response($response, $clientCertSubject);
112    check_error($ch);
113    curl_close($ch);
114
115    echo "\n";
116    echo "case 4: client cert and key from file\n";
117    $ch = curl_init("https://127.0.0.1:$port/");
118    var_dump(curl_setopt($ch, CURLOPT_SSLCERT, $clientCertPath));
119    var_dump(curl_setopt($ch, CURLOPT_SSLKEY, $clientKeyPath));
120    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false));
121    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false));
122    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
123
124    $response = curl_exec($ch);
125    check_response($response, $clientCertSubject);
126    check_error($ch);
127    curl_close($ch);
128
129    echo "\n";
130    echo "case 5: issuer cert from file\n";
131    $ch = curl_init("https://127.0.0.1:$port/");
132    var_dump(curl_setopt($ch, CURLOPT_CAINFO, $serverCertPath));
133    var_dump(curl_setopt($ch, CURLOPT_ISSUERCERT, $serverCertPath));
134    var_dump(curl_setopt($ch, CURLOPT_SSLCERT, $clientCertPath));
135    var_dump(curl_setopt($ch, CURLOPT_SSLKEY, $clientKeyPath));
136    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true));
137    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false));
138    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
139
140    $response = curl_exec($ch);
141    check_response($response, $clientCertSubject);
142    check_error($ch);
143    curl_close($ch);
144
145    echo "\n";
146    echo "case 6: issuer cert from string\n";
147    $ch = curl_init("https://127.0.0.1:$port/");
148    var_dump(curl_setopt($ch, CURLOPT_CAINFO, $serverCertPath));
149    var_dump(curl_setopt($ch, CURLOPT_ISSUERCERT_BLOB, $serverCert));
150    var_dump(curl_setopt($ch, CURLOPT_SSLCERT, $clientCertPath));
151    var_dump(curl_setopt($ch, CURLOPT_SSLKEY, $clientKeyPath));
152    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true));
153    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false));
154    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
155
156    $response = curl_exec($ch);
157    check_response($response, $clientCertSubject);
158    check_error($ch);
159    curl_close($ch);
160
161    echo "\n";
162    echo "case 7: empty issuer cert from string\n";
163    $ch = curl_init("https://127.0.0.1:$port/");
164    var_dump(curl_setopt($ch, CURLOPT_CAINFO, $serverCertPath));
165    var_dump(curl_setopt($ch, CURLOPT_ISSUERCERT_BLOB, ''));
166    var_dump(curl_setopt($ch, CURLOPT_SSLCERT, $clientCertPath));
167    var_dump(curl_setopt($ch, CURLOPT_SSLKEY, $clientKeyPath));
168    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true));
169    var_dump(curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false));
170    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
171
172    $response = curl_exec($ch);
173    check_response($response, $clientCertSubject);
174    check_error($ch);
175    curl_close($ch);
176
177} finally {
178    // clean up server process
179    proc_terminate($process);
180    proc_close($process);
181}
182
183?>
184--EXPECT--
185case 1: client cert and key from string
186bool(true)
187bool(true)
188bool(true)
189bool(true)
190client cert subject in response
191
192case 2: empty client cert and key from string
193bool(true)
194bool(true)
195bool(true)
196bool(true)
197client cert subject not in response
198CURL ERROR: 58
199
200case 3: client cert and empty key from string
201bool(true)
202bool(true)
203bool(true)
204bool(true)
205client cert subject not in response
206CURL ERROR: 58
207
208case 4: client cert and key from file
209bool(true)
210bool(true)
211bool(true)
212bool(true)
213client cert subject in response
214
215case 5: issuer cert from file
216bool(true)
217bool(true)
218bool(true)
219bool(true)
220bool(true)
221bool(true)
222client cert subject in response
223
224case 6: issuer cert from string
225bool(true)
226bool(true)
227bool(true)
228bool(true)
229bool(true)
230bool(true)
231client cert subject in response
232
233case 7: empty issuer cert from string
234bool(true)
235bool(true)
236bool(true)
237bool(true)
238bool(true)
239bool(true)
240client cert subject not in response
241CURL ERROR: 83
242