wolfssl/scripts/ocsp-stapling2.test

#!/bin/bash
# ocsp-stapling.test


./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -eq 0 ]; then
    echo "TLS 1.2 or lower required"
    echo "Skipped"
    exit 0
fi


WORKSPACE=`pwd`
CERT_DIR="certs/ocsp"

resume_port=0
ready_file1=`pwd`/wolf_ocsp_s2_readyF1$$
ready_file2=`pwd`/wolf_ocsp_s2_readyF2$$
ready_file3=`pwd`/wolf_ocsp_s2_readyF3$$
ready_file4=`pwd`/wolf_ocsp_s2_readyF4$$
ready_file5=`pwd`/wolf_ocsp_s2_readyF5$$
printf '%s\n' "ready file 1:  $ready_file1"
printf '%s\n' "ready file 2:  $ready_file2"
printf '%s\n' "ready file 3:  $ready_file3"
printf '%s\n' "ready file 4:  $ready_file4"
printf '%s\n' "ready file 5:  $ready_file5"

test_cnf="ocsp_s2.cnf"

copy_originals() {
    cd $CERT_DIR
    cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem
    cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem
    cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem
    cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem
    cp root-ca-cert.pem bak-root-ca-cert.pem
    cp server1-cert.pem bak-server1-cert.pem
    cp server2-cert.pem bak-server2-cert.pem
    cp server3-cert.pem bak-server3-cert.pem
    cp server4-cert.pem bak-server4-cert.pem
    cp server5-cert.pem bak-server5-cert.pem
    cd $WORKSPACE
}

restore_originals() {
    cd $CERT_DIR
    mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem
    mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem
    mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem
    mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem
    mv bak-root-ca-cert.pem root-ca-cert.pem
    mv bak-server1-cert.pem server1-cert.pem
    mv bak-server2-cert.pem server2-cert.pem
    mv bak-server3-cert.pem server3-cert.pem
    mv bak-server4-cert.pem server4-cert.pem
    mv bak-server5-cert.pem server5-cert.pem
}

wait_for_readyFile(){

    counter=0

    while [ ! -s $1 -a "$counter" -lt 20 ]; do
        echo -e "waiting for ready file..."
        sleep 0.1
        counter=$((counter+ 1))
    done

    if test -e $1; then
        echo -e "found ready file, starting client..."
    else
        echo -e "NO ready file ending test..."
        exit 1
    fi

}

remove_single_rF(){
    if test -e $1; then
        printf '%s\n' "removing ready file: $1"
        rm $1
    fi
}

#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
    copy_originals

    printf '%s\n' "Random Port Selected: $RPORTSELECTED"

    printf '%s\n' "#" > $test_cnf
    printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
    printf '%s\n' "#" >> $test_cnf
    printf '%s\n' "" >> $test_cnf
    printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
    printf '%s\n' "[ v3_req1 ]" >> $test_cnf
    printf '%s\n' "basicConstraints       = CA:false" >> $test_cnf
    printf '%s\n' "subjectKeyIdentifier   = hash" >> $test_cnf
    printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
    printf '%s\n' "keyUsage               = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
    printf '%s\n' "authorityInfoAccess    = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
    printf '%s\n' "" >> $test_cnf
    printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
    printf '%s\n' "[ v3_req2 ]" >> $test_cnf
    printf '%s\n' "basicConstraints       = CA:false" >> $test_cnf
    printf '%s\n' "subjectKeyIdentifier   = hash" >> $test_cnf
    printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
    printf '%s\n' "keyUsage               = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
    printf '%s\n' "authorityInfoAccess    = OCSP;URI:http://127.0.0.1:$2" >> $test_cnf
    printf '%s\n' "" >> $test_cnf
    printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
    printf '%s\n' "[ v3_req3 ]" >> $test_cnf
    printf '%s\n' "basicConstraints       = CA:false" >> $test_cnf
    printf '%s\n' "subjectKeyIdentifier   = hash" >> $test_cnf
    printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
    printf '%s\n' "keyUsage               = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
    printf '%s\n' "authorityInfoAccess    = OCSP;URI:http://127.0.0.1:$3" >> $test_cnf
    printf '%s\n' "" >> $test_cnf
    printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
    printf '%s\n' "[ v3_ca ]" >> $test_cnf
    printf '%s\n' "basicConstraints       = CA:true" >> $test_cnf
    printf '%s\n' "subjectKeyIdentifier   = hash" >> $test_cnf
    printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
    printf '%s\n' "keyUsage               = keyCertSign, cRLSign" >> $test_cnf
    printf '%s\n' "authorityInfoAccess    = OCSP;URI:http://127.0.0.1:$4" >> $test_cnf
    printf '%s\n' "" >> $test_cnf
    printf '%s\n' "# OCSP extensions." >> $test_cnf
    printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
    printf '%s\n' "basicConstraints       = CA:false" >> $test_cnf
    printf '%s\n' "subjectKeyIdentifier   = hash" >> $test_cnf
    printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
    printf '%s\n' "extendedKeyUsage       = OCSPSigning" >> $test_cnf

    mv $test_cnf $CERT_DIR/$test_cnf
    cd $CERT_DIR
    CURR_LOC=`pwd`
    printf '%s\n' "echo now in $CURR_LOC"
    ./renewcerts-for-test.sh $test_cnf
    cd $WORKSPACE
}

remove_ready_file(){
    if test -e $ready_file1; then
        printf '%s\n' "removing ready file: $ready_file1"
        rm $ready_file1
    fi
    if test -e $ready_file2; then
        printf '%s\n' "removing ready file: $ready_file2"
        rm $ready_file2
    fi
    if test -e $ready_file3; then
        printf '%s\n' "removing ready file: $ready_file3"
        rm $ready_file3
    fi
    if test -e $ready_file4; then
        printf '%s\n' "removing ready file: $ready_file4"
        rm $ready_file4
    fi
    if test -e $ready_file5; then
        printf '%s\n' "removing ready file: $ready_file5"
        rm $ready_file5
    fi
}

cleanup()
{
    for i in $(jobs -pr)
    do
        kill -s HUP "$i"
    done
    remove_ready_file
    rm $CERT_DIR/$test_cnf
    restore_originals
}
trap cleanup EXIT INT TERM HUP

[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1

# check if supported key size is large enough to handle 4096 bit RSA
size=`./examples/client/client -? | grep "Max RSA key"`
size=`echo ${size//[^0-9]/}`
if [ ! -z "$size" ]; then
    printf 'check on max key size of %d ...' $size
    if [ $size -lt 4096 ]; then
        printf '%s\n' "4096 bit RSA keys not supported"
        exit 0
    fi
    printf 'OK\n'
fi

#get four unique ports
# 1:
./examples/server/server -R $ready_file1 -p $resume_port &
wait_for_readyFile $ready_file1
if [ ! -f $ready_file1 ]; then
    printf '%s\n' "Failed to create ready file1: \"$ready_file1\""
    exit 1
fi
# 2:
./examples/server/server -R $ready_file2 -p $resume_port &
wait_for_readyFile $ready_file2
if [ ! -f $ready_file2 ]; then
    printf '%s\n' "Failed to create ready file2: \"$ready_file2\""
    exit 1
fi
# 3:
./examples/server/server -R $ready_file3 -p $resume_port &
wait_for_readyFile $ready_file3
if [ ! -f $ready_file3 ]; then
    printf '%s\n' "Failed to create ready file3: \"$ready_file3\""
    exit 1
fi
# 4:
./examples/server/server -R $ready_file4 -p $resume_port &
wait_for_readyFile $ready_file4
if [ ! -f $ready_file4 ]; then
    printf '%s\n' "Failed to create ready file4: \"$ready_file4\""
    exit 1
else
    RPORTSELECTED1=`cat $ready_file1`
    RPORTSELECTED2=`cat $ready_file2`
    RPORTSELECTED3=`cat $ready_file3`
    RPORTSELECTED4=`cat $ready_file4`
    printf '%s\n' "------------- PORTS ---------------"
    printf '%s' "Random ports selected: $RPORTSELECTED1 $RPORTSELECTED2"
    printf '%s\n' " $RPORTSELECTED3 $RPORTSELECTED4"
    printf '%s\n' "-----------------------------------"
    # Use client connections to cleanly shutdown the servers
    ./examples/client/client -p $RPORTSELECTED1
    ./examples/client/client -p $RPORTSELECTED2
    ./examples/client/client -p $RPORTSELECTED3
    ./examples/client/client -p $RPORTSELECTED4
    create_new_cnf $RPORTSELECTED1 $RPORTSELECTED2 $RPORTSELECTED3 \
                   $RPORTSELECTED4
fi
sleep 1

# setup ocsp responders
# OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $RPORTSELECTED1 -nmin 1                \
    -index   certs/ocsp/index-ca-and-intermediate-cas.txt \
    -rsigner certs/ocsp/ocsp-responder-cert.pem           \
    -rkey    certs/ocsp/ocsp-responder-key.pem            \
    -CA      certs/ocsp/root-ca-cert.pem                  \
    $@                                                    \
    &

# OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $RPORTSELECTED2 -nmin 1                      \
    -index   certs/ocsp/index-intermediate2-ca-issued-certs.txt \
    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
    -CA      certs/ocsp/intermediate2-ca-cert.pem               \
    $@                                                          \
    &

# OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port $RPORTSELECTED3 -nmin 1                      \
    -index   certs/ocsp/index-intermediate3-ca-issued-certs.txt \
    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
    -CA      certs/ocsp/intermediate3-ca-cert.pem               \
    $@                                                          \
    &

sleep 1
# "jobs" is not portable for posix. Must use bash interpreter!
[ $(jobs -r | wc -l) -ne 3 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0

printf '\n\n%s\n\n' "All OCSP responders started successfully!"
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERTS
./examples/server/server -c certs/ocsp/server3-cert.pem \
                         -k certs/ocsp/server3-key.pem -R $ready_file5 \
                         -p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
                         -p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
printf '%s\n\n' "Test PASSED!"

printf '%s\n\n' "TEST CASE 2 DISABLED PENDING REVIEW"
#printf '%s\n\n' "------------- TEST CASE 2 SHOULD PASS ------------------------"
#remove_single_rF $ready_file5
#./examples/server/server -c certs/ocsp/server3-cert.pem \
#                         -k certs/ocsp/server3-key.pem -R $ready_file5 \
#                         -p $resume_port &
#wait_for_readyFile $ready_file5
#CLI_PORT=`cat $ready_file5`
#./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
#                         -p $CLI_PORT
#RESULT=$?
#[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1
#printf '%s\n\n' "Test PASSED!"

printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------"
# client test against our own server - REVOKED SERVER CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
                         -k certs/ocsp/server4-key.pem -R $ready_file5 \
                         -p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
                         -p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"

printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
                         -k certs/ocsp/server4-key.pem -R $ready_file5 \
                         -p $resume_port &
sleep 1
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
                         -p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"

printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ------------------------"
# client test against our own server - REVOKED INTERMEDIATE CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
                         -k certs/ocsp/server5-key.pem -R $ready_file5 \
                         -p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
                         -p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed $RESULT" && exit 1
printf '%s\n\n' "Test PASSED!"

printf '%s\n\n' "------------- TEST CASE 6 SHOULD REVOKE ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
                         -k certs/ocsp/server5-key.pem -R $ready_file5 \
                         -p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
                         -p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 7 LOAD CERT IN SSL -------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server1-cert.pem \
                         -k certs/ocsp/server1-key.pem -R $ready_file5 \
                         -p $resume_port -H loadSSL &
wolf_pid=$!
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
echo "test connection" | openssl s_client -status -connect 127.0.0.1:$CLI_PORT -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1
wait $wolf_pid
if [ $? -ne 0 ]; then
    printf '%s\n' "Unexpected server result"
    exit 1
fi
printf '%s\n\n' "Test successful"
printf '%s\n\n' "------------- TEST CASE 8 SHOULD REVOKE ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
                         -k certs/ocsp/server4-key.pem -R $ready_file5 \
                         -p $resume_port -H loadSSL &
wolf_pid=$!
sleep 1
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
                         -p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
wait $wolf_pid
if [ $? -ne 1 ]; then
    printf '%s\n' "Unexpected server result"
    exit 1
fi
printf '%s\n\n' "Test successfully REVOKED!"

printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"

exit 0