ocsp-stapling.test 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450
  1. #!/bin/bash
  2. # ocsp-stapling.test
  3. # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST
  4. # Note, this script makes connection(s) to the public Internet.
  5. SCRIPT_DIR="$(dirname "$0")"
  6. if [[ -z "${RETRIES_REMAINING-}" ]]; then
  7. export RETRIES_REMAINING=2
  8. fi
  9. if ! ./examples/client/client -V | grep -q 3; then
  10. echo 'skipping ocsp-stapling.test because TLS1.2 is not available.' 1>&2
  11. exit 77
  12. fi
  13. if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then
  14. IPV6_SUPPORTED=yes
  15. else
  16. IPV6_SUPPORTED=no
  17. fi
  18. if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
  19. if [[ "$IPV6_SUPPORTED" == "no" ]]; then
  20. echo 'Skipping IPV6 test in environment lacking IPV6 support.'
  21. exit 77
  22. fi
  23. LOCALHOST='[::1]'
  24. LOCALHOST_FOR_NC='::1'
  25. V4V6=6
  26. V4V6_FLAG=-6
  27. else
  28. LOCALHOST='127.0.0.1'
  29. LOCALHOST_FOR_NC='127.0.0.1'
  30. if [[ "$IPV6_SUPPORTED" == "yes" ]]; then
  31. V4V6_FLAG=-4
  32. else
  33. V4V6_FLAG=
  34. fi
  35. V4V6=4
  36. fi
  37. PARENTDIR="$PWD"
  38. # create a unique workspace directory ending in PID for the script instance ($$)
  39. # to make this instance orthogonal to any others running, even on same repo.
  40. # TCP ports are also carefully formed below from the PID, to minimize conflicts.
  41. WORKSPACE="${PARENTDIR}/workspace.pid$$"
  42. mkdir "${WORKSPACE}" || exit $?
  43. cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $?
  44. cd "$WORKSPACE" || exit $?
  45. ln -s ../examples
  46. CERT_DIR="./certs/ocsp"
  47. ready_file="$WORKSPACE"/wolf_ocsp_s1_readyF$$
  48. ready_file2="$WORKSPACE"/wolf_ocsp_s1_readyF2$$
  49. printf '%s\n' "ready file: \"$ready_file\""
  50. test_cnf="ocsp_s1.cnf"
  51. wait_for_readyFile(){
  52. counter=0
  53. while [ ! -s "$1" -a "$counter" -lt 20 ]; do
  54. if [[ -n "${2-}" ]]; then
  55. if ! kill -0 $2 2>&-; then
  56. echo "pid $2 for port ${3-} exited before creating ready file. bailing..."
  57. exit 1
  58. fi
  59. fi
  60. echo -e "waiting for ready file..."
  61. sleep 0.1
  62. counter=$((counter+ 1))
  63. done
  64. if test -e "$1"; then
  65. echo -e "found ready file, starting client..."
  66. else
  67. echo -e "NO ready file at \"$1\" -- ending test..."
  68. exit 1
  69. fi
  70. }
  71. remove_single_rF(){
  72. if test -e "$1"; then
  73. printf '%s\n' "removing ready file: \"$1\""
  74. rm "$1"
  75. fi
  76. }
  77. #create a configure file for cert generation with the port 0 solution
  78. create_new_cnf() {
  79. printf '%s\n' "Random Port Selected: $1"
  80. printf '%s\n' "#" > $test_cnf
  81. printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
  82. printf '%s\n' "#" >> $test_cnf
  83. printf '%s\n' "" >> $test_cnf
  84. printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
  85. printf '%s\n' "[ v3_req1 ]" >> $test_cnf
  86. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  87. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  88. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  89. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  90. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
  91. printf '%s\n' "" >> $test_cnf
  92. printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
  93. printf '%s\n' "[ v3_req2 ]" >> $test_cnf
  94. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  95. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  96. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  97. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  98. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf
  99. printf '%s\n' "" >> $test_cnf
  100. printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
  101. printf '%s\n' "[ v3_req3 ]" >> $test_cnf
  102. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  103. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  104. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  105. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  106. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf
  107. printf '%s\n' "" >> $test_cnf
  108. printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
  109. printf '%s\n' "[ v3_ca ]" >> $test_cnf
  110. printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
  111. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  112. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  113. printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
  114. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf
  115. printf '%s\n' "" >> $test_cnf
  116. printf '%s\n' "# OCSP extensions." >> $test_cnf
  117. printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
  118. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  119. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  120. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  121. printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
  122. mv $test_cnf $CERT_DIR/$test_cnf
  123. cd $CERT_DIR
  124. CURR_LOC="$PWD"
  125. printf '%s\n' "echo now in $CURR_LOC"
  126. ./renewcerts-for-test.sh $test_cnf
  127. cd "$WORKSPACE"
  128. }
  129. remove_ready_file() {
  130. if test -e "$ready_file"; then
  131. printf '%s\n' "removing ready file"
  132. rm "$ready_file"
  133. fi
  134. if test -e "$ready_file2"; then
  135. printf '%s\n' "removing ready file: \"$ready_file2\""
  136. rm "$ready_file2"
  137. fi
  138. }
  139. cleanup()
  140. {
  141. exit_status=$?
  142. for i in $(jobs -pr)
  143. do
  144. kill -s HUP "$i"
  145. done
  146. remove_ready_file
  147. rm $CERT_DIR/$test_cnf
  148. cd "$PARENTDIR" || return 1
  149. rm -r "$WORKSPACE" || return 1
  150. if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
  151. echo "retrying..."
  152. RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
  153. exec $0 "$@"
  154. fi
  155. }
  156. trap cleanup EXIT INT TERM HUP
  157. [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
  158. ./examples/client/client '-?' 2>&1 | grep -- 'Client not compiled in!'
  159. if [ $? -eq 0 ]; then
  160. exit 0
  161. fi
  162. # check if supported key size is large enough to handle 4096 bit RSA
  163. size="$(./examples/client/client '-?' | grep "Max RSA key")"
  164. size="${size//[^0-9]/}"
  165. if [ ! -z "$size" ]; then
  166. printf 'check on max key size of %d ...' $size
  167. if [ $size -lt 4096 ]; then
  168. printf '%s\n' "4096 bit RSA keys not supported"
  169. exit 0
  170. fi
  171. printf 'OK\n'
  172. fi
  173. # choose consecutive ports based on the PID, skipping any that are
  174. # already bound, to avoid the birthday problem in case other
  175. # instances are sharing this host.
  176. get_first_free_port() {
  177. local ret="$1"
  178. while :; do
  179. if [[ "$ret" -ge 65536 ]]; then
  180. ret=1024
  181. fi
  182. if ! nc -z $V4V6_FLAG $LOCALHOST_FOR_NC "$ret"; then
  183. break
  184. fi
  185. ret=$((ret+1))
  186. done
  187. echo "$ret"
  188. return 0
  189. }
  190. base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
  191. port1=$(get_first_free_port $base_port)
  192. port2=$(get_first_free_port $((port1 + 1)))
  193. port3=$(get_first_free_port $((port2 + 1)))
  194. # test interop fail case
  195. ready_file=$PWD/wolf_ocsp_readyF$$
  196. printf '%s\n' "ready file: \"$ready_file\""
  197. ./examples/server/server -b -p $port1 -o -R "$ready_file" &
  198. wolf_pid=$!
  199. wait_for_readyFile "$ready_file" $wolf_pid $port1
  200. if [ ! -f "$ready_file" ]; then
  201. printf '%s\n' "Failed to create ready file: \"$ready_file\""
  202. exit 1
  203. else
  204. # should fail if ocspstapling is also enabled
  205. OPENSSL_OUTPUT=$(echo "hi" | openssl s_client -status $V4V6_FLAG -connect "${LOCALHOST}:$port1" -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem 2>&1)
  206. OPENSSL_RESULT=$?
  207. echo "$OPENSSL_OUTPUT"
  208. fgrep -q 'self signed certificate in certificate chain' <<< "$OPENSSL_OUTPUT"
  209. FGREP_RESULT=$?
  210. if [ $OPENSSL_RESULT -eq 0 -a $FGREP_RESULT -ne 0 ]; then
  211. printf '%s\n' "Expected verification error from s_client is missing."
  212. remove_single_rF "$ready_file"
  213. exit 1
  214. fi
  215. remove_single_rF "$ready_file"
  216. wait $wolf_pid
  217. if [ $? -ne 1 ]; then
  218. printf '%s\n' "wolfSSL server unexpected fail value"
  219. exit 1
  220. fi
  221. fi
  222. # create a port to use with openssl ocsp responder
  223. ./examples/server/server -b -p $port2 -R "$ready_file" &
  224. wolf_pid2=$!
  225. wait_for_readyFile "$ready_file" $wolf_pid2 $port2
  226. if [ ! -f "$ready_file" ]; then
  227. printf '%s\n' "Failed to create ready file: \"$ready_file\""
  228. exit 1
  229. else
  230. printf '%s\n' "Random port selected: $port2"
  231. # Use client connection to shutdown the server cleanly
  232. ./examples/client/client -p $port2
  233. create_new_cnf $port2
  234. fi
  235. sleep 0.1
  236. # is our desired server there? - login.live.com doesn't answers PING
  237. #./scripts/ping.test $server 2
  238. # client test against the server
  239. server=login.live.com
  240. #ca=certs/external/baltimore-cybertrust-root.pem
  241. ca=./certs/external/ca_collection.pem
  242. if [[ "$V4V6" == "4" ]]; then
  243. ./examples/client/client -C -h $server -p 443 -A $ca -g -W 1
  244. RESULT=$?
  245. [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
  246. else
  247. echo "Skipping OCSP test on $server (IPv6 test client)"
  248. fi
  249. # Test with example server
  250. ./examples/server/server '-?' 2>&1 | grep -- 'Server not compiled in!'
  251. if [ $? -eq 0 ]; then
  252. exit 0
  253. fi
  254. # setup ocsp responder
  255. # OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
  256. # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
  257. # purposes!
  258. openssl ocsp -port $port2 -nmin 1 \
  259. -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
  260. -rsigner certs/ocsp/ocsp-responder-cert.pem \
  261. -rkey certs/ocsp/ocsp-responder-key.pem \
  262. -CA certs/ocsp/intermediate1-ca-cert.pem \
  263. "$@" &
  264. sleep 0.1
  265. # "jobs" is not portable for posix. Must use bash interpreter!
  266. [ $(jobs -r | wc -l) -ne 1 ] && \
  267. printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
  268. printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
  269. # client test against our own server - GOOD CERT
  270. ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
  271. -k certs/ocsp/server1-key.pem -p $port3 &
  272. wolf_pid3=$!
  273. wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
  274. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
  275. RESULT=$?
  276. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
  277. printf '%s\n\n' "Test PASSED!"
  278. printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
  279. # client test against our own server - REVOKED CERT
  280. remove_single_rF "$ready_file2"
  281. ./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \
  282. -k certs/ocsp/server2-key.pem -p $port3 &
  283. wolf_pid3=$!
  284. wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
  285. sleep 0.1
  286. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $port3
  287. RESULT=$?
  288. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 2 succeeded $RESULT" \
  289. && exit 1
  290. printf '%s\n\n' "Test successfully REVOKED!"
  291. if ./examples/client/client -V | grep -q 4; then
  292. printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------"
  293. # client test against our own server - GOOD CERT
  294. remove_single_rF "$ready_file2"
  295. ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
  296. -k certs/ocsp/server1-key.pem -v 4 \
  297. -p $port3 &
  298. wolf_pid3=$!
  299. wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
  300. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
  301. -p $port3
  302. RESULT=$?
  303. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1
  304. printf '%s\n\n' "Test PASSED!"
  305. printf '%s\n\n' "------------- TEST CASE 4 SHOULD PASS --------------------"
  306. # client test against our own server, must staple - GOOD CERT
  307. remove_single_rF "$ready_file2"
  308. ./examples/server/server -c certs/ocsp/server1-cert.pem -R "$ready_file2" \
  309. -k certs/ocsp/server1-key.pem -v 4 \
  310. -p $port3 &
  311. wolf_pid3=$!
  312. wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
  313. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1m -v 4 -F 1 \
  314. -p $port3
  315. RESULT=$?
  316. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 4 failed" && exit 1
  317. printf '%s\n\n' "Test PASSED!"
  318. printf '%s\n\n' "------------- TEST CASE 5 SHOULD REVOKE ------------------"
  319. # client test against our own server - REVOKED CERT
  320. remove_single_rF "$ready_file2"
  321. ./examples/server/server -c certs/ocsp/server2-cert.pem -R "$ready_file2" \
  322. -k certs/ocsp/server2-key.pem -v 4 \
  323. -p $port3 &
  324. wolf_pid3=$!
  325. wait_for_readyFile "$ready_file2" $wolf_pid3 $port3
  326. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
  327. -p $port3
  328. RESULT=$?
  329. [ $RESULT -ne 1 ] && \
  330. printf '\n\n%s\n' "Client connection 5 succeeded $RESULT" \
  331. && exit 1
  332. printf '%s\n\n' "Test successfully REVOKED!"
  333. else
  334. echo 'skipping TLS1.3 stapling tests.' 1>&2
  335. fi
  336. # need a unique port since may run the same time as testsuite
  337. generate_port() {
  338. port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
  339. }
  340. # Start OpenSSL server that has no OCSP responses to return
  341. generate_port
  342. openssl s_server $V4V6_FLAG -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port &
  343. openssl_pid=$!
  344. sleep 0.1
  345. printf '%s\n\n' "------------- TEST CASE 6 SHOULD PASS ----------------------"
  346. # client asks for OCSP staple but doesn't fail when none returned
  347. ./examples/client/client -p $port -g -v 3 -W 1
  348. RESULT=$?
  349. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 6 failed" && exit 1
  350. printf '%s\n\n' "Test PASSED!"
  351. printf '%s\n\n' "------------- TEST CASE 7 SHOULD UNKNOWN -------------------"
  352. # client asks for OCSP staple but doesn't fail when none returned
  353. ./examples/client/client -p $port -g -v 3 -W 1m
  354. RESULT=$?
  355. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 7 succeeded $RESULT" \
  356. && exit 1
  357. printf '%s\n\n' "Test PASSED!"
  358. openssl ciphers -tls1_3
  359. openssl_tls13=$?
  360. ./examples/client/client -V | grep -q 4
  361. wolfssl_tls13=$?
  362. if [ "$openssl_tls13" = "0" -a "$wolfssl_tls13" = "0" ]; then
  363. printf '%s\n\n' "------------- TEST CASE 8 SHOULD PASS --------------------"
  364. # client asks for OCSP staple but doesn't fail when none returned
  365. ./examples/client/client -p $port -g -v 4 -W 1
  366. RESULT=$?
  367. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 8 failed" && exit 1
  368. printf '%s\n\n' "Test PASSED!"
  369. printf '%s\n\n' "------------- TEST CASE 9 SHOULD UNKNOWN -----------------"
  370. # client asks for OCSP staple but doesn't fail when none returned
  371. ./examples/client/client -p $port -g -v 4 -W 1m
  372. RESULT=$?
  373. [ $RESULT -ne 1 ] \
  374. && printf '\n\n%s\n' "Client connection 9 succeeded $RESULT" \
  375. && exit 1
  376. printf '%s\n\n' "Test PASSED!"
  377. else
  378. echo -n 'skipping TLS1.3 stapling interoperability test:' 1>&2
  379. if [ "$openssl_tls13" != "0" ]; then
  380. echo -n ' OpenSSL' 1>&2
  381. fi
  382. if [ "$wolfssl_tls13" != "0" ]; then
  383. if [ "$openssl_tls13" != "0" ]; then
  384. echo -n ' and' 1>&2
  385. fi
  386. echo -n ' wolfSSL' 1>&2
  387. fi
  388. echo -n ' missing TLS1.3 support.' 1>&2
  389. fi
  390. printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
  391. exit 0