REGTESTS: ssl: test the issuers-chain-path keyword

Add a reg-test which test the completion of the issuers-chain-path
keyword

Note that it could be interesting to have the loading of a .ocsp
combined with this, but our pki for OCSP tests lacks
the SubjectKeyIdentifier extensions.

reg-tests/ssl/issuers-chain-path/ca/ca.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDuTCCAqGgAwIBAgIUQQtTP1aDfRAnDdjKkaUT2py2fmswDQYJKoZIhvcNAQEL
+BQAwYjELMAkGA1UEBhMCRlIxDjAMBgNVBAcTBVBhcmlzMR0wGwYDVQQKExRIQVBy
+b3h5IFRlY2hub2xvZ2llczEkMCIGA1UEAxMbSEFQcm94eSBSb290IFRlc3QgQXV0
+aG9yaXR5MB4XDTIzMDkyMDE2MjQwMFoXDTMzMDkxNzE2MjQwMFowYzELMAkGA1UE
+BhMCRlIxDjAMBgNVBAcTBVBhcmlzMR0wGwYDVQQKExRIQVByb3h5IFRlY2hub2xv
+Z2llczElMCMGA1UEAxMcSEFQcm94eSBUZXN0IEludGVybWVkaWF0ZSBDQTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJXZfTPAWzNIh1EM3BRlO63BBpX5
+xDMb4yOP2Ntxe9mZHsI5dTRGgZygswZQV4LgKd7B868OEbaDGOjTwvDJI28foS1n
+almhniH/sQamCpeMEX9brRyJ1ev2mTLM1XkAhKmzGRRbGi+A8M6pIMaOLmn8gvsE
+ekfatzOG3wQamJDXLa/L4/Pd2GI+cb2wOLRtIHxuAocL+Dgy+LIa1q3slGyboU9X
+ZJcOjTa705H4FWbhVJ4KV0dI6iSXtO9xG/8RkuY9VyZh39pqU9aQxLWFUyy0coec
+b7RzyUrVDlTvmV9X2fotWmAnQfUk+4wc5/rhOSFNg1lowKt7MB/NjsPOmE8CAwEA
+AaNmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0O
+BBYEFHr9tGo8KeCWI09L6wA8+zwp7FEMMB8GA1UdIwQYMBaAFB4wopglmOnetKea
+jkq9OymofpZfMA0GCSqGSIb3DQEBCwUAA4IBAQDQamqX11VfTB5USqAL1E0/qHqG
+WivOWX2K5lCfbalg7Fqlm1d0hKffPODD3RAOU7UhP9B1xc9NRBgbNPEEMu/O92PS
+C5H8WxGoKfa4TuX8JfhhpUGpRelFFHU7mVVyMh7RDQmfFdxC8ej8+iTvBXtacMhh
+VWokTIakyFCj7u/qcQKhpzoTDq9VRE+lmOFYzMtHqk+qGVXDgG8z/e7z5UP98ttI
+XXsQ50Mi6ow8P118eRjJI01DZUu8QnYt/+jhqAFipS2OjyV4Jlq+wGZ4xB9gonlf
+lTdqR19oFnIFi30boIB33MRxz9qWZy7ay5jUV6jGauymQI/1waPtv/KIjXzt
+-----END CERTIFICATE-----
+

reg-tests/ssl/issuers-chain-path/server.pem

@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIDxzCCAq+gAwIBAgIURbbHd6AXFZoZEmNAwQU1IbkeEjswDQYJKoZIhvcNAQEL
+BQAwYzELMAkGA1UEBhMCRlIxDjAMBgNVBAcTBVBhcmlzMR0wGwYDVQQKExRIQVBy
+b3h5IFRlY2hub2xvZ2llczElMCMGA1UEAxMcSEFQcm94eSBUZXN0IEludGVybWVk
+aWF0ZSBDQTAeFw0yMzA5MjAxNjI2MDBaFw0zMzA5MTcxNjI2MDBaMEUxCzAJBgNV
+BAYTAkZSMQ4wDAYDVQQHEwVQYXJpczEOMAwGA1UEChMFdGVzdDExFjAUBgNVBAMT
+DXd3dy50ZXN0MS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDd
++BTITfrXq7S3+dIUBlXEdNKXZPqSwhcgriVNvDhu0QnBbiqMV96MiEta+NrWvVy3
+VY41Y0pvDS1PrWsnClBMdBFdPkIRpAx20cz3M4lBDi/p14m+JbYvsVhLGDozMEba
+OxMSeidTFDHQq7k0b0sMMvJ2v09RvPaDytWaRtC07nVlZPU0fPQCSw3oZf1K9u9b
+dbuMJOeO2D0/PXezbWrdi3+VuaK47e+1Bijh6Qm8uD8f7SRKGFm26QkV87wKWw8x
+hPnZL1PNWyQNfAzGQf6sjpmahhz+Lva3ywbv5XaUp8ojgw4LOrz1fvC8dDj9wVg1
+3JhWhmwLC/5zG5eY3LuZAgMBAAGjgZAwgY0wDgYDVR0PAQH/BAQDAgWgMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFc8xugp1dGZ
++KqMGcfUmbTYEEurMB8GA1UdIwQYMBaAFHr9tGo8KeCWI09L6wA8+zwp7FEMMBgG
+A1UdEQQRMA+CDXd3dy50ZXN0MS5jb20wDQYJKoZIhvcNAQELBQADggEBAIzfQ//U
+1jqTmdjUNZHOqFvCcc06W9vDUJbeKSyStZnE/J3WHrJeLLNaUV00G93zLLRs6slT
+kZ4eEmUZlPGGz6hFK6d8jSIIxyaw/O5l9Ix/Z5cUMiScHNbiLBiyhy6AvF/NcJYl
+xQ6EUIcOqMxEL0dSRq6ckGZvnyFusPuNgfNeIy0Y1eI30En1mPNGQiu2DP7Ex4Ht
+dAiHT6ITXk43wHyXDqXpt97Rdbq1dNNP6sSkQ8r0IeDi5f/qSsBGbR1a9UoKkJOZ
+OO6IGhEb2XCWc2xquJpUHCOXhzaXj/SmxCDpWVW5tdKNZ96gUlp2Wtf0Rp25yFge
+4mCry3J674p8Oto=
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA3fgUyE3616u0t/nSFAZVxHTSl2T6ksIXIK4lTbw4btEJwW4q
+jFfejIhLWvja1r1ct1WONWNKbw0tT61rJwpQTHQRXT5CEaQMdtHM9zOJQQ4v6deJ
+viW2L7FYSxg6MzBG2jsTEnonUxQx0Ku5NG9LDDLydr9PUbz2g8rVmkbQtO51ZWT1
+NHz0AksN6GX9SvbvW3W7jCTnjtg9Pz13s21q3Yt/lbmiuO3vtQYo4ekJvLg/H+0k
+ShhZtukJFfO8ClsPMYT52S9TzVskDXwMxkH+rI6ZmoYc/i72t8sG7+V2lKfKI4MO
+Czq89X7wvHQ4/cFYNdyYVoZsCwv+cxuXmNy7mQIDAQABAoIBAAtHSbcLz00aGmqm
+tPfzgnQjA3hR1zGRzx8H+jlC8RMgaAB+GodbB6HYYwvSTTxQDt/55unri6Ks5rp/
+s0weiAn6c89rFGxVC5UV//YnljfKAsE9BHC29dTii/v01TA4qcD483Ui49Ci3A0g
+TJ7PcN7Dz/IcsmkS0uvLaKMYKg6nXu9UnKkLBqThTiLA5I+eZZ4zX862Yurku8NI
+HwbMtBsICbe1H0Ebdc/PPAShB8pvV3nQMGFjADOEYolaByQAltolADmIc5K9E6wL
+SsHzAjGTjarSYdqjZRuoEtQrWQTG1fnvJZBXB8L1Brv9RbrPWN2TW/A1uhUR4qYd
+wuxB1mkCgYEA9ao05RsJzDVc4qLBvDXuqo1WapwnYUyc8Jeq+r5l67Ota1ykQyiQ
+BJZDM/mdFRzZZjMAAMN9cxsDdY7gp0ebN190F443tSxjvlVOGJ/e8UJ+Au+9WEYM
+xZQo5VquU8XlxfwFYtYANMvr7DB8yEr25S7S2v3jZ70NZQDDR6G+5L8CgYEA506s
+JJM/NfP82e6JtSB9fOEcjEeddPCdf2RkB+E3Ppt7AQX5Aje/8VOSiZkIbOap9oLc
+rBd9GrER2m2pahd9DFkSs1td70IM5CwwgYIKyWkCCkLXyMrLpelFEqZsFvWD14Go
+c29NSDOpVfVJkPr46Gym6dBvy1rCMh+/ZrgsPacCgYAXFU0vEeFTzNfTe9OUacTp
+RaqPDektXVOJz9aDBQzynsl2wxe0L8WIiM37vkKiTzmmPriLWdMZ07n5e9lkHnhZ
+NaDk7boSTf95TO6vpaX/KW5JvFkgSES+8/L7yg+DU58JgWrIJK+URmz+nne7IkAc
+vM+XQC/z+XGewfmXa31SZQKBgGSDpHyUXBCXARa2+LJz9vQQYrZ23G6XrOlR98IQ
+1U/ogrA0JzwWe9tjxLb0gFvKdKtBvKEv59Z0gdyYcNlAcb+u6Vh1aMFyw2VX6pAs
+sYFKl29cEqcXsR1c2/45wZjMgclhd5EKGdw5TumimKBe31Eo/fN29024F9FuSF9b
+wyXbAoGBALGIKzPgV7Tt6SbzcCjJGQHlH/RKBcuFJjJS+Qph3w7K3L5b6Y35zPOY
+3+FxT2Z5wAlOGYeF9Qa8K3/VX1l7Vhktu9EcTqM59fMGuTM0mEgwwdFM4oFgRIau
+wmlIuAFmo7OwlsggHuHJ7lDk+r7AoNVW7l7Gd1JnG4CasvymVc3N
+-----END RSA PRIVATE KEY-----

reg-tests/ssl/issuers_chain_path.vtc

@@ -0,0 +1,40 @@
+#REGTEST_TYPE=bug
+# This reg-test checks if the 'issuers-chain-path' work correctly
+#
+varnishtest "Test the issuers-chain-path keyword"
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.6)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && openssl_version_atleast(1.1.1)'"
+feature cmd "command -v openssl && command -v socat"
+feature ignore_unknown_macro
+
+haproxy h1 -conf {
+    global
+        stats socket "${tmpdir}/h1/stats" level admin
+        issuers-chain-path "${testdir}/issuers-chain-path/ca/"
+        crt-base "${testdir}/issuers-chain-path"
+
+    defaults
+        mode http
+        option httplog
+        log stderr local0 debug err
+        option logasap
+        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"
+
+    frontend ssl-fe
+        bind "${tmpdir}/ssl.sock" ssl crt server.pem
+        http-request return status 200
+} -start
+
+
+# We should have two distinct ocsp responses known that were loaded at build time
+haproxy h1 -cli {
+	send "show ssl cert ${testdir}/issuers-chain-path/server.pem"
+	expect ~ ".*Chain Filename.*"
+	send "show ssl cert ${testdir}/issuers-chain-path/server.pem"
+	expect ~ ".*Chain Subject.*"
+}
+
+haproxy h1 -wait
+