Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Tree: 6594baf645
Branches Tags
openssl
/
test
/
recipes
/
82-test_ocsp_cert_chain.t

82-test_ocsp_cert_chain.t 4.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139 
  1. #! /usr/bin/env perl
    2. 

  2. # Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3. #
    4. 

  4. # Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5. # this file except in compliance with the License.  You can obtain a copy
    6. 

  6. # in the file LICENSE in the source distribution or at
    7. 

  7. # https://www.openssl.org/source/license.html
    8. 

  8. 

  9. use strict;
    10. 

  10. use warnings;
    11. 

  11. 

  12. use IPC::Open3;
    13. 

  13. use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_file/;
    14. 

  14. use OpenSSL::Test::Utils;
    15. 

  15. use Symbol 'gensym';
    16. 

  16. 

  17. my $test_name = "test_ocsp_cert_chain";
    18. 

  18. setup($test_name);
    19. 

  19. 

  20. plan skip_all => "$test_name requires OCSP support"
    21. 

  21.     if disabled("ocsp");
    22. 

  22. plan skip_all => "$test_name requires EC cryptography"
    23. 

  23.     if disabled("ec");
    24. 

  24. plan skip_all => "$test_name requires sock enabled"
    25. 

  25.     if disabled("sock");
    26. 

  26. plan skip_all => "$test_name requires TLS enabled"
    27. 

  27.     if alldisabled(available_protocols("tls"));
    28. 

  28. plan skip_all => "$test_name is not available Windows or VMS"
    29. 

  29.     if $^O =~ /^(VMS|MSWin32|msys)$/;
    30. 

  30. 

  31. plan tests => 3;
    32. 

  32. 

  33. my $shlib_wrap   = bldtop_file("util", "shlib_wrap.sh");
    34. 

  34. my $apps_openssl = bldtop_file("apps", "openssl");
    35. 

  35. 

  36. my $index_txt             = srctop_file("test", "ocsp-tests", "index.txt");
    37. 

  37. my $ocsp_pem              = srctop_file("test", "ocsp-tests", "ocsp.pem");
    38. 

  38. my $intermediate_cert_pem = srctop_file("test", "ocsp-tests", "intermediate-cert.pem");
    39. 

  39. 

  40. my $server_pem            = srctop_file("test", "ocsp-tests", "server.pem");
    41. 

  41. 

  42. sub run_test {
    43. 

  43. 

  44.     # this test starts two servers that listen on respective ports.
    45. 

  45.     # that can be problematic since the ports may not be available
    46. 

  46.     # (e.g. when multiple instances of the test are run on the same
    47. 

  47.     # machine).
    48. 

  48. 

  49.     # to avoid this, we specify port 0 when staring each server, which
    50. 

  50.     # causes the OS to provide a random unused port.
    51. 

  51. 

  52.     # using a random port with s_server is straightforward.  doing so
    53. 

  53.     # with the ocsp responder required some investigation because the
    54. 

  54.     # url for the ocsp responder is usually included in the server's
    55. 

  55.     # cert (normally, in the authority-information-access extension,
    56. 

  56.     # and it would be complicated to change that when the test
    57. 

  57.     # executes).  however, s_server has an option "-status_url" that
    58. 

  58.     # can be used to specify a fallback url when no url is specified
    59. 

  59.     # in the cert.  that is what we do here.
    60. 

  60. 

  61.     # openssl ocsp -port 0 -index index.txt -rsigner ocsp.pem -CA intermediate-cert.pem
    62. 

  62.     my @ocsp_cmd = ("ocsp", "-port", "0", "-index", $index_txt, "-rsigner", $ocsp_pem, "-CA", $intermediate_cert_pem);
    63. 

  63.     my $ocsp_pid = open3(my $ocsp_i, my $ocsp_o, my $ocsp_e = gensym, $shlib_wrap, $apps_openssl, @ocsp_cmd);
    64. 

  64. 

  65.     ## ipv4
    66. 

  66.     # ACCEPT 0.0.0.0:19254 PID=620007
    67. 

  67.     ## ipv6
    68. 

  68.     # ACCEPT [::]:19254 PID=620007
    69. 

  69.     my $port = "0";
    70. 

  70.     while (<$ocsp_o>) {
    71. 

  71.         print($_);
    72. 

  72.         chomp;
    73. 

  73.         if (/^ACCEPT 0.0.0.0:(\d+)/) {
    74. 

  74.             $port = $1;
    75. 

  75.             last;
    76. 

  76.         } elsif (/^ACCEPT \[::\]:(\d+)/) {
    77. 

  77.             $port = $1;
    78. 

  78.             last;
    79. 

  79.         } else {
    80. 

  80.             last;
    81. 

  81.         }
    82. 

  82.     }
    83. 

  83.     ok($port ne "0", "ocsp server port check");
    84. 

  84.     my $ocsp_port = $port;
    85. 

  85. 

  86.     print("ocsp server ready, listening on port $ocsp_port\n");
    87. 

  87. 

  88.     # openssl s_server -accept 0 -cert server.pem -cert_chain intermediate-cert.pem \
    89. 

  89.     #                  -status_verbose -status_url http://localhost:19254/ocsp
    90. 

  90.     my @s_server_cmd = ("s_server", "-accept", "0", "-cert", $server_pem, "-cert_chain", $intermediate_cert_pem,
    91. 

  91.                         "-status_verbose", "-status_url", "http://localhost:${ocsp_port}/ocsp");
    92. 

  92.     my $s_server_pid = open3(my $s_server_i, my $s_server_o, my $s_server_e = gensym, $shlib_wrap, $apps_openssl, @s_server_cmd);
    93. 

  93. 

  94.     # ACCEPT 0.0.0.0:45921
    95. 

  95.     # ACCEPT [::]:45921
    96. 

  96.     $port = "0";
    97. 

  97.     while (<$s_server_o>) {
    98. 

  98.         print($_);
    99. 

  99.         chomp;
    100. 

  100.         if (/^ACCEPT 0.0.0.0:(\d+)/) {
    101. 

  101.             $port = $1;
    102. 

  102.             last;
    103. 

  103.         } elsif (/^ACCEPT \[::\]:(\d+)/) {
    104. 

  104.             $port = $1;
    105. 

  105.             last;
    106. 

  106.         } elsif (/^Using default/) {
    107. 

  107.             ;
    108. 

  108.         } else {
    109. 

  109.             last;
    110. 

  110.         }
    111. 

  111.     }
    112. 

  112.     ok($port ne "0", "s_server port check");
    113. 

  113.     my $server_port = $port;
    114. 

  114. 

  115.     print("s_server ready, listening on port $server_port\n");
    116. 

  116. 

  117.     # openssl s_client -connect localhost:45921 -status -verify_return_error
    118. 

  118.     my @s_client_cmd = ("s_client", "-connect", "localhost:$server_port", "-status", "-verify_return_error");
    119. 

  119.     my $s_client_pid = open3(my $s_client_i, my $s_client_o, my $s_client_e = gensym, $shlib_wrap, $apps_openssl, @s_client_cmd);
    120. 

  120. 

  121.     ### the output from s_server that we want to check is written to its stderr
    122. 

  122.     ###    cert_status: ocsp response sent:
    123. 

  123. 

  124.     my $resp = 0;
    125. 

  125.     while (<$s_server_e>) {
    126. 

  126.         print($_);
    127. 

  127.         chomp;
    128. 

  128.         if (/^cert_status: ocsp response sent:/) {
    129. 

  129.             $resp = 1;
    130. 

  130.             last;
    131. 

  131.         }
    132. 

  132.     }
    133. 

  133.     ok($resp == 1, "check s_server sent ocsp response");
    134. 

  134. 

  135.     waitpid($s_client_pid, 0);
    136. 

  136.     kill 'HUP', $s_server_pid, $ocsp_pid;
    137. 

  137. }
    138. 

  138. 

  139. run_test();
    140.