#!/usr/bin/env bash # ocsp-stapling.test # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST # Note, this script makes connection(s) to the public Internet. SCRIPT_DIR="$(dirname "$0")" if [[ -z "${RETRIES_REMAINING-}" ]]; then export RETRIES_REMAINING=2 fi if test "$WOLFSSL_EXTERNAL_TEST" == "0"; then echo 'skipping oscp-stapling.test because WOLFSSL_EXTERNAL_TEST is \ defined to the value 0.' exit 77 fi if ! ./examples/client/client -V | grep -q 3; then echo 'skipping ocsp-stapling.test because TLS1.2 is not available.' 1>&2 exit 77 fi if ./examples/client/client '-#' | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then echo 'skipping oscp-stapling.test because WOLFSSL_SNIFFER defined.' exit 77 fi if ./examples/client/client -V | grep -q 4; then tls13=yes fi if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then dtls13=yes fi ./examples/client/client '-?' 2>&1 | grep -- 'Perform multi OCSP stapling for TLS13' if [ $? -eq 0 ]; then tls13multi=yes else tls13multi=no fi if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then IPV6_SUPPORTED=yes else IPV6_SUPPORTED=no fi if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then if [[ "$IPV6_SUPPORTED" == "no" ]]; then echo 'Skipping IPV6 test in environment lacking IPV6 support.' exit 77 fi LOCALHOST='[::1]' LOCALHOST_FOR_NC='::1' V4V6=6 V4V6_FLAG=-6 else LOCALHOST='127.0.0.1' LOCALHOST_FOR_NC='127.0.0.1' if [[ "$IPV6_SUPPORTED" == "yes" ]]; then V4V6_FLAG=-4 else V4V6_FLAG= fi V4V6=4 fi PARENTDIR="$PWD" # create a unique workspace directory ending in PID for the script instance ($$) # to make this instance orthogonal to any others running, even on same repo. # TCP ports are also carefully formed below from the PID, to minimize conflicts. WORKSPACE="${PARENTDIR}/workspace.pid$$" mkdir "${WORKSPACE}" || exit $? cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $? cd "$WORKSPACE" || exit $? ln -s ../examples CERT_DIR="./certs/ocsp" ready_file="$WORKSPACE"/wolf_ocsp_s1_readyF$$ ready_file2="$WORKSPACE"/wolf_ocsp_s1_readyF2$$ printf '%s\n' "ready file: \"$ready_file\"" test_cnf="ocsp_s1.cnf" wait_for_readyFile(){ counter=0 while [ ! -s "$1" -a "$counter" -lt 20 ]; do if [[ -n "${2-}" ]]; then if ! kill -0 $2 2>&-; then echo "pid $2 for port ${3-} exited before creating ready file. bailing..." exit 1 fi fi echo -e "waiting for ready file..." sleep 0.1 counter=$((counter+ 1)) done if test -e "$1"; then echo -e "found ready file, starting client..." else echo -e "NO ready file at \"$1\" -- ending test..." exit 1 fi } remove_single_rF(){ if test -e "$1"; then printf '%s\n' "removing ready file: \"$1\"" rm "$1" fi } #create a configure file for cert generation with the port 0 solution create_new_cnf() { printf '%s\n' "Random Port Selected: $1" printf '%s\n' "#" > $test_cnf printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf printf '%s\n' "#" >> $test_cnf printf '%s\n' "" >> $test_cnf printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf printf '%s\n' "[ v3_req1 ]" >> $test_cnf printf '%s\n' "basicConstraints = CA:false" >> $test_cnf printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf printf '%s\n' "" >> $test_cnf printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf printf '%s\n' "[ v3_req2 ]" >> $test_cnf printf '%s\n' "basicConstraints = CA:false" >> $test_cnf printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf printf '%s\n' "" >> $test_cnf printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf printf '%s\n' "[ v3_req3 ]" >> $test_cnf printf '%s\n' "basicConstraints = CA:false" >> $test_cnf printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf printf '%s\n' "" >> $test_cnf printf '%s\n' "# Extensions for a typical CA" >> $test_cnf printf '%s\n' "[ v3_ca ]" >> $test_cnf printf '%s\n' "basicConstraints = CA:true" >> $test_cnf printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf printf '%s\n' "" >> $test_cnf printf '%s\n' "# OCSP extensions." >> $test_cnf printf '%s\n' "[ v3_ocsp ]" >> $test_cnf printf '%s\n' "basicConstraints = CA:false" >> $test_cnf printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf mv $test_cnf $CERT_DIR/$test_cnf cd $CERT_DIR CURR_LOC="$PWD" printf '%s\n' "echo now in $CURR_LOC" ./renewcerts-for-test.sh $test_cnf cd "$WORKSPACE" } remove_ready_file() { if test -e "$ready_file"; then printf '%s\n' "removing ready file" rm "$ready_file" fi if test -e "$ready_file2"; then printf '%s\n' "removing ready file: \"$ready_file2\"" rm "$ready_file2" fi } cleanup() { exit_status=$? for i in $(jobs -pr) do kill -s KILL "$i" done remove_ready_file rm $CERT_DIR/$test_cnf cd "$PARENTDIR" || return 1 rm -r "$WORKSPACE" || return 1 if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then echo "retrying..." RETRIES_REMAINING=$((RETRIES_REMAINING - 1)) exec $0 "$@" fi } trap cleanup EXIT INT TERM HUP [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 ./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!' if [ $? -eq 0 ]; then exit 0 fi # check if supported key size is large enough to handle 4096 bit RSA size="$(./examples/client/client '-?' | grep "Max RSA key")" size="${size//[^0-9]/}" if [ ! -z "$size" ]; then printf 'check on max key size of %d ...' $size if [ $size -lt 4096 ]; then printf '%s\n' "4096 bit RSA keys not supported" exit 0 fi printf 'OK\n' fi # choose consecutive ports based on the PID, skipping any that are # already bound, to avoid the birthday problem in case other # instances are sharing this host. get_first_free_port() { local ret="$1" while :; do if [[ "$ret" -ge 65536 ]]; then ret=1024 fi if ! nc -z $V4V6_FLAG $LOCALHOST_FOR_NC "$ret"; then break fi ret=$((ret+1)) done echo "$ret" return 0 } base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024)) port1=$(get_first_free_port $base_port) port2=$(get_first_free_port $((port1 + 1))) port3=$(get_first_free_port $((port2 + 1))) # test interop fail case ready_file=$PWD/wolf_ocsp_readyF$$ printf '%s\n' "ready file: \"$ready_file\"" ./examples/server/server -b -p $port1 -o -R "$ready_file" & wolf_pid=$! wait_for_readyFile "$ready_file" $wolf_pid $port1 if [ ! -f "$ready_file" ]; then printf '%s\n' "Failed to create ready file: \"$ready_file\"" exit 1 else # should fail if ocspstapling is also enabled OPENSSL_OUTPUT=$(echo "hi" | openssl s_client -status $V4V6_FLAG -legacy_renegotiation -connect "${LOCALHOST}:$port1" -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem 2>&1) OPENSSL_RESULT=$? echo "$OPENSSL_OUTPUT" fgrep -q 'self signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT" FGREP1_RESULT=$? fgrep -q 'self-signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT" FGREP2_RESULT=$? if [ $OPENSSL_RESULT -eq 0 -a $FGREP1_RESULT -ne 0 -a $FGREP2_RESULT -ne 0 ]; then printf '%s\n' "Expected verification error from s_client is missing." remove_single_rF "$ready_file" exit 1 fi remove_single_rF "$ready_file" wait $wolf_pid if [ $? -ne 0 ]; then printf '%s\n' "wolfSSL server unexpected fail" exit 1 fi fi # create a port to use with openssl ocsp responder ./examples/server/server -b -p $port2 -R "$ready_file" & wolf_pid2=$! wait_for_readyFile "$ready_file" $wolf_pid2 $port2 if [ ! -f "$ready_file" ]; then printf '%s\n' "Failed to create ready file: \"$ready_file\"" exit 1 else printf '%s\n' "Random port selected: $port2" # Use client connection to shutdown the server cleanly ./examples/client/client -p $port2 create_new_cnf $port2 fi sleep 0.1 # is our desired server there? - login.live.com doesn't answers PING #./scripts/ping.test $server 2 # client test against the server server=login.live.com #ca=certs/external/baltimore-cybertrust-root.pem ca=./certs/external/ca_collection.pem if [[ "$V4V6" == "4" ]]; then ./examples/client/client -C -h $server -p 443 -A $ca -g -W 1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 else echo "Skipping OCSP test on $server (IPv6 test client)" fi # Test with example server ./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!' if [ $? -eq 0 ]; then exit 0 fi # setup ocsp responder # OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! openssl ocsp -port $port2 -nmin 1 \ -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ -CA certs/ocsp/intermediate1-ca-cert.pem \ "$@" & sleep 0.1 # "jobs" is not portable for posix. Must use bash interpreter! [ $(jobs -r | wc -l) -ne 1 ] && \ printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------" # client test against our own server - GOOD CERT ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \ -k certs/ocsp/server1-key.pem -p $port3 & wolf_pid3=$! wait_for_readyFile "$ready_file2" $wolf_pid3 $port3 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3 RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------" # client test against our own server - REVOKED CERT remove_single_rF "$ready_file2" ./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \ -k certs/ocsp/server2-key.pem -p $port3 & wolf_pid3=$! wait_for_readyFile "$ready_file2" $wolf_pid3 $port3 sleep 0.1 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3 RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 2 succeeded $RESULT" \ && exit 1 printf '%s\n\n' "Test successfully REVOKED!" if [[ ("$tls13" == "yes") && ("$tls13multi" == "no") ]]; then printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------" # client test against our own server - GOOD CERT remove_single_rF "$ready_file2" ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \ -k certs/ocsp/server1-key.pem -v 4 \ -p $port3 & wolf_pid3=$! wait_for_readyFile "$ready_file2" $wolf_pid3 $port3 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \ -p $port3 RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 4 SHOULD PASS --------------------" # client test against our own server, must staple - GOOD CERT remove_single_rF "$ready_file2" ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \ -k certs/ocsp/server1-key.pem -v 4 \ -p $port3 & wolf_pid3=$! wait_for_readyFile "$ready_file2" $wolf_pid3 $port3 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1m -v 4 -F 1 \ -p $port3 RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 4 failed" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 5 SHOULD REVOKE ------------------" # client test against our own server - REVOKED CERT remove_single_rF "$ready_file2" ./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \ -k certs/ocsp/server2-key.pem -v 4 \ -p $port3 & wolf_pid3=$! wait_for_readyFile "$ready_file2" $wolf_pid3 $port3 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \ -p $port3 RESULT=$? [ $RESULT -ne 1 ] && \ printf '\n\n%s\n' "Client connection 5 succeeded $RESULT" \ && exit 1 printf '%s\n\n' "Test successfully REVOKED!" else echo 'skipping TLS1.3 stapling tests.' 1>&2 fi # DTLS 1.2 and 1.3 cases if ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.2'; then printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS -------------------" # client test against our own server, must staple - GOOD CERT echo $ready_file2 ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \ -k certs/ocsp/server1-key.pem -u -v 3 \ -p $port3 & wolf_pid3=$! sleep 0.2 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 3 \ -W 1 -p $port3 RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1 printf '%s\n\n' "Test PASSED!" fi if [[ ("$dtls13" == "yes") && ("$tls13multi" == "no") ]]; then printf '%s\n\n' "------------- TEST CASE DTLS-2 SHOULD PASS -------------------" # client test against our own server, must staple - GOOD CERT ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \ -k certs/ocsp/server1-key.pem -u -v 4 \ -p $port3 & wolf_pid3=$! sleep 0.2 ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -u -v 4 \ -W 1 -p $port3 RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1 printf '%s\n\n' "Test PASSED!" fi # need a unique port since may run the same time as testsuite generate_port() { #-------------------------------------------------------------------------# # Generate a random port number #-------------------------------------------------------------------------# if [[ "$OSTYPE" == "linux"* ]]; then port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512)) elif [[ "$OSTYPE" == "darwin"* ]]; then port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512)) else echo "Unknown OS TYPE" exit 1 fi } # Start OpenSSL server that has no OCSP responses to return generate_port openssl s_server $V4V6_FLAG -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port & openssl_pid=$! MAX_TIMEOUT=10 until nc -z localhost $port # Wait for openssl to be ready do sleep 0.05 if [ "$MAX_TIMEOUT" == "0" ]; then break fi ((MAX_TIMEOUT--)) done printf '%s\n\n' "------------- TEST CASE 6 SHOULD PASS ----------------------" # client asks for OCSP staple but doesn't fail when none returned ./examples/client/client -p $port -g -v 3 -W 1 RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 6 failed" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 7 SHOULD UNKNOWN -------------------" # client asks for OCSP staple but doesn't fail when none returned ./examples/client/client -p $port -g -v 3 -W 1m RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 7 succeeded $RESULT" \ && exit 1 printf '%s\n\n' "Test PASSED!" openssl ciphers -tls1_3 openssl_tls13=$? ./examples/client/client -V | grep -q 4 wolfssl_tls13=$? if [ "$openssl_tls13" = "0" -a "$wolfssl_tls13" = "0" ]; then printf '%s\n\n' "------------- TEST CASE 8 SHOULD PASS --------------------" # client asks for OCSP staple but doesn't fail when none returned ./examples/client/client -p $port -g -v 4 -W 1 RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 8 failed" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 9 SHOULD UNKNOWN -----------------" # client asks for OCSP staple but doesn't fail when none returned ./examples/client/client -p $port -g -v 4 -W 1m RESULT=$? [ $RESULT -ne 1 ] \ && printf '\n\n%s\n' "Client connection 9 succeeded $RESULT" \ && exit 1 printf '%s\n\n' "Test PASSED!" else echo -n 'skipping TLS1.3 stapling interoperability test:' 1>&2 if [ "$openssl_tls13" != "0" ]; then echo -n ' OpenSSL' 1>&2 fi if [ "$wolfssl_tls13" != "0" ]; then if [ "$openssl_tls13" != "0" ]; then echo -n ' and' 1>&2 fi echo -n ' wolfSSL' 1>&2 fi echo -n ' missing TLS1.3 support.' 1>&2 fi printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------" exit 0