123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395 |
- #!/bin/bash
- # ocsp-stapling.test
- ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
- if [ $? -eq 0 ]; then
- echo "TLS 1.2 or lower required"
- echo "Skipped"
- exit 0
- fi
- WORKSPACE=`pwd`
- CERT_DIR="certs/ocsp"
- resume_port=0
- ready_file1=`pwd`/wolf_ocsp_s2_readyF1$$
- ready_file2=`pwd`/wolf_ocsp_s2_readyF2$$
- ready_file3=`pwd`/wolf_ocsp_s2_readyF3$$
- ready_file4=`pwd`/wolf_ocsp_s2_readyF4$$
- ready_file5=`pwd`/wolf_ocsp_s2_readyF5$$
- printf '%s\n' "ready file 1: $ready_file1"
- printf '%s\n' "ready file 2: $ready_file2"
- printf '%s\n' "ready file 3: $ready_file3"
- printf '%s\n' "ready file 4: $ready_file4"
- printf '%s\n' "ready file 5: $ready_file5"
- test_cnf="ocsp_s2.cnf"
- copy_originals() {
- cd $CERT_DIR
- cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem
- cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem
- cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem
- cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem
- cp root-ca-cert.pem bak-root-ca-cert.pem
- cp server1-cert.pem bak-server1-cert.pem
- cp server2-cert.pem bak-server2-cert.pem
- cp server3-cert.pem bak-server3-cert.pem
- cp server4-cert.pem bak-server4-cert.pem
- cp server5-cert.pem bak-server5-cert.pem
- cd $WORKSPACE
- }
- restore_originals() {
- cd $CERT_DIR
- mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem
- mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem
- mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem
- mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem
- mv bak-root-ca-cert.pem root-ca-cert.pem
- mv bak-server1-cert.pem server1-cert.pem
- mv bak-server2-cert.pem server2-cert.pem
- mv bak-server3-cert.pem server3-cert.pem
- mv bak-server4-cert.pem server4-cert.pem
- mv bak-server5-cert.pem server5-cert.pem
- }
- wait_for_readyFile(){
- counter=0
- while [ ! -s $1 -a "$counter" -lt 20 ]; do
- echo -e "waiting for ready file..."
- sleep 0.1
- counter=$((counter+ 1))
- done
- if test -e $1; then
- echo -e "found ready file, starting client..."
- else
- echo -e "NO ready file ending test..."
- exit 1
- fi
- }
- remove_single_rF(){
- if test -e $1; then
- printf '%s\n' "removing ready file: $1"
- rm $1
- fi
- }
- #create a configure file for cert generation with the port 0 solution
- create_new_cnf() {
- copy_originals
- printf '%s\n' "Random Port Selected: $RPORTSELECTED"
- printf '%s\n' "#" > $test_cnf
- printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
- printf '%s\n' "#" >> $test_cnf
- printf '%s\n' "" >> $test_cnf
- printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
- printf '%s\n' "[ v3_req1 ]" >> $test_cnf
- printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
- printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
- printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
- printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
- printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
- printf '%s\n' "" >> $test_cnf
- printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
- printf '%s\n' "[ v3_req2 ]" >> $test_cnf
- printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
- printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
- printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
- printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
- printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$2" >> $test_cnf
- printf '%s\n' "" >> $test_cnf
- printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
- printf '%s\n' "[ v3_req3 ]" >> $test_cnf
- printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
- printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
- printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
- printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
- printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$3" >> $test_cnf
- printf '%s\n' "" >> $test_cnf
- printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
- printf '%s\n' "[ v3_ca ]" >> $test_cnf
- printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
- printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
- printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
- printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
- printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$4" >> $test_cnf
- printf '%s\n' "" >> $test_cnf
- printf '%s\n' "# OCSP extensions." >> $test_cnf
- printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
- printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
- printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
- printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
- printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
- mv $test_cnf $CERT_DIR/$test_cnf
- cd $CERT_DIR
- CURR_LOC=`pwd`
- printf '%s\n' "echo now in $CURR_LOC"
- ./renewcerts-for-test.sh $test_cnf
- cd $WORKSPACE
- }
- remove_ready_file(){
- if test -e $ready_file1; then
- printf '%s\n' "removing ready file: $ready_file1"
- rm $ready_file1
- fi
- if test -e $ready_file2; then
- printf '%s\n' "removing ready file: $ready_file2"
- rm $ready_file2
- fi
- if test -e $ready_file3; then
- printf '%s\n' "removing ready file: $ready_file3"
- rm $ready_file3
- fi
- if test -e $ready_file4; then
- printf '%s\n' "removing ready file: $ready_file4"
- rm $ready_file4
- fi
- if test -e $ready_file5; then
- printf '%s\n' "removing ready file: $ready_file5"
- rm $ready_file5
- fi
- }
- cleanup()
- {
- for i in $(jobs -pr)
- do
- kill -s HUP "$i"
- done
- remove_ready_file
- rm $CERT_DIR/$test_cnf
- restore_originals
- }
- trap cleanup EXIT INT TERM HUP
- [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
- # check if supported key size is large enough to handle 4096 bit RSA
- size=`./examples/client/client -? | grep "Max RSA key"`
- size=`echo ${size//[^0-9]/}`
- if [ ! -z "$size" ]; then
- printf 'check on max key size of %d ...' $size
- if [ $size -lt 4096 ]; then
- printf '%s\n' "4096 bit RSA keys not supported"
- exit 0
- fi
- printf 'OK\n'
- fi
- #get four unique ports
- # 1:
- ./examples/server/server -R $ready_file1 -p $resume_port &
- wait_for_readyFile $ready_file1
- if [ ! -f $ready_file1 ]; then
- printf '%s\n' "Failed to create ready file1: \"$ready_file1\""
- exit 1
- fi
- # 2:
- ./examples/server/server -R $ready_file2 -p $resume_port &
- wait_for_readyFile $ready_file2
- if [ ! -f $ready_file2 ]; then
- printf '%s\n' "Failed to create ready file2: \"$ready_file2\""
- exit 1
- fi
- # 3:
- ./examples/server/server -R $ready_file3 -p $resume_port &
- wait_for_readyFile $ready_file3
- if [ ! -f $ready_file3 ]; then
- printf '%s\n' "Failed to create ready file3: \"$ready_file3\""
- exit 1
- fi
- # 4:
- ./examples/server/server -R $ready_file4 -p $resume_port &
- wait_for_readyFile $ready_file4
- if [ ! -f $ready_file4 ]; then
- printf '%s\n' "Failed to create ready file4: \"$ready_file4\""
- exit 1
- else
- RPORTSELECTED1=`cat $ready_file1`
- RPORTSELECTED2=`cat $ready_file2`
- RPORTSELECTED3=`cat $ready_file3`
- RPORTSELECTED4=`cat $ready_file4`
- printf '%s\n' "------------- PORTS ---------------"
- printf '%s' "Random ports selected: $RPORTSELECTED1 $RPORTSELECTED2"
- printf '%s\n' " $RPORTSELECTED3 $RPORTSELECTED4"
- printf '%s\n' "-----------------------------------"
- # Use client connections to cleanly shutdown the servers
- ./examples/client/client -p $RPORTSELECTED1
- ./examples/client/client -p $RPORTSELECTED2
- ./examples/client/client -p $RPORTSELECTED3
- ./examples/client/client -p $RPORTSELECTED4
- create_new_cnf $RPORTSELECTED1 $RPORTSELECTED2 $RPORTSELECTED3 \
- $RPORTSELECTED4
- fi
- sleep 1
- # setup ocsp responders
- # OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
- # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
- # purposes!
- openssl ocsp -port $RPORTSELECTED1 -nmin 1 \
- -index certs/ocsp/index-ca-and-intermediate-cas.txt \
- -rsigner certs/ocsp/ocsp-responder-cert.pem \
- -rkey certs/ocsp/ocsp-responder-key.pem \
- -CA certs/ocsp/root-ca-cert.pem \
- $@ \
- &
- # OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
- # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
- # purposes!
- openssl ocsp -port $RPORTSELECTED2 -nmin 1 \
- -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \
- -rsigner certs/ocsp/ocsp-responder-cert.pem \
- -rkey certs/ocsp/ocsp-responder-key.pem \
- -CA certs/ocsp/intermediate2-ca-cert.pem \
- $@ \
- &
- # OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
- # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
- # purposes!
- openssl ocsp -port $RPORTSELECTED3 -nmin 1 \
- -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \
- -rsigner certs/ocsp/ocsp-responder-cert.pem \
- -rkey certs/ocsp/ocsp-responder-key.pem \
- -CA certs/ocsp/intermediate3-ca-cert.pem \
- $@ \
- &
- sleep 1
- # "jobs" is not portable for posix. Must use bash interpreter!
- [ $(jobs -r | wc -l) -ne 3 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
- printf '\n\n%s\n\n' "All OCSP responders started successfully!"
- printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
- # client test against our own server - GOOD CERTS
- ./examples/server/server -c certs/ocsp/server3-cert.pem \
- -k certs/ocsp/server3-key.pem -R $ready_file5 \
- -p $resume_port &
- wait_for_readyFile $ready_file5
- CLI_PORT=`cat $ready_file5`
- ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
- -p $CLI_PORT
- RESULT=$?
- [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
- printf '%s\n\n' "Test PASSED!"
- printf '%s\n\n' "TEST CASE 2 DISABLED PENDING REVIEW"
- #printf '%s\n\n' "------------- TEST CASE 2 SHOULD PASS ------------------------"
- #remove_single_rF $ready_file5
- #./examples/server/server -c certs/ocsp/server3-cert.pem \
- # -k certs/ocsp/server3-key.pem -R $ready_file5 \
- # -p $resume_port &
- #wait_for_readyFile $ready_file5
- #CLI_PORT=`cat $ready_file5`
- #./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
- # -p $CLI_PORT
- #RESULT=$?
- #[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1
- #printf '%s\n\n' "Test PASSED!"
- printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------"
- # client test against our own server - REVOKED SERVER CERT
- remove_single_rF $ready_file5
- ./examples/server/server -c certs/ocsp/server4-cert.pem \
- -k certs/ocsp/server4-key.pem -R $ready_file5 \
- -p $resume_port &
- wait_for_readyFile $ready_file5
- CLI_PORT=`cat $ready_file5`
- ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
- -p $CLI_PORT
- RESULT=$?
- [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
- printf '%s\n\n' "Test successfully REVOKED!"
- printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ----------------------"
- remove_single_rF $ready_file5
- ./examples/server/server -c certs/ocsp/server4-cert.pem \
- -k certs/ocsp/server4-key.pem -R $ready_file5 \
- -p $resume_port &
- sleep 1
- CLI_PORT=`cat $ready_file5`
- ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
- -p $CLI_PORT
- RESULT=$?
- [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
- printf '%s\n\n' "Test successfully REVOKED!"
- printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ------------------------"
- # client test against our own server - REVOKED INTERMEDIATE CERT
- remove_single_rF $ready_file5
- ./examples/server/server -c certs/ocsp/server5-cert.pem \
- -k certs/ocsp/server5-key.pem -R $ready_file5 \
- -p $resume_port &
- wait_for_readyFile $ready_file5
- CLI_PORT=`cat $ready_file5`
- ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
- -p $CLI_PORT
- RESULT=$?
- [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed $RESULT" && exit 1
- printf '%s\n\n' "Test PASSED!"
- printf '%s\n\n' "------------- TEST CASE 6 SHOULD REVOKE ----------------------"
- remove_single_rF $ready_file5
- ./examples/server/server -c certs/ocsp/server5-cert.pem \
- -k certs/ocsp/server5-key.pem -R $ready_file5 \
- -p $resume_port &
- wait_for_readyFile $ready_file5
- CLI_PORT=`cat $ready_file5`
- ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
- -p $CLI_PORT
- RESULT=$?
- [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
- printf '%s\n\n' "Test successfully REVOKED!"
- printf '%s\n\n' "------------- TEST CASE 7 LOAD CERT IN SSL -------------------"
- remove_single_rF $ready_file5
- ./examples/server/server -c certs/ocsp/server1-cert.pem \
- -k certs/ocsp/server1-key.pem -R $ready_file5 \
- -p $resume_port -H loadSSL &
- wolf_pid=$!
- wait_for_readyFile $ready_file5
- CLI_PORT=`cat $ready_file5`
- echo "test connection" | openssl s_client -status -connect 127.0.0.1:$CLI_PORT -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
- RESULT=$?
- [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1
- wait $wolf_pid
- if [ $? -ne 0 ]; then
- printf '%s\n' "Unexpected server result"
- exit 1
- fi
- printf '%s\n\n' "Test successful"
- printf '%s\n\n' "------------- TEST CASE 8 SHOULD REVOKE ----------------------"
- remove_single_rF $ready_file5
- ./examples/server/server -c certs/ocsp/server4-cert.pem \
- -k certs/ocsp/server4-key.pem -R $ready_file5 \
- -p $resume_port -H loadSSL &
- wolf_pid=$!
- sleep 1
- CLI_PORT=`cat $ready_file5`
- ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
- -p $CLI_PORT
- RESULT=$?
- [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
- wait $wolf_pid
- if [ $? -ne 1 ]; then
- printf '%s\n' "Unexpected server result"
- exit 1
- fi
- printf '%s\n\n' "Test successfully REVOKED!"
- printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
- exit 0
|