ocsp-stapling-with-ca-as-responder.test 8.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231
  1. #!/bin/bash
  2. # ocsp-stapling.test
  3. ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
  4. if [ $? -eq 0 ]; then
  5. echo "TLS 1.2 or lower required"
  6. echo "Skipped"
  7. exit 0
  8. fi
  9. WORKSPACE=`pwd`
  10. CERT_DIR="./certs/ocsp"
  11. resume_port=0
  12. ready_file=`pwd`/wolf_ocsp_s1_readyF$$
  13. ready_file2=`pwd`/wolf_ocsp_s1_readyF2$$
  14. printf '%s\n' "ready file: $ready_file"
  15. test_cnf="ocsp_s_w_ca_a_r.cnf"
  16. copy_originals() {
  17. cd $CERT_DIR
  18. cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem
  19. cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem
  20. cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem
  21. cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem
  22. cp root-ca-cert.pem bak-root-ca-cert.pem
  23. cp server1-cert.pem bak-server1-cert.pem
  24. cp server2-cert.pem bak-server2-cert.pem
  25. cp server3-cert.pem bak-server3-cert.pem
  26. cp server4-cert.pem bak-server4-cert.pem
  27. cp server5-cert.pem bak-server5-cert.pem
  28. cd $WORKSPACE
  29. }
  30. restore_originals() {
  31. cd $CERT_DIR
  32. mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem
  33. mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem
  34. mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem
  35. mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem
  36. mv bak-root-ca-cert.pem root-ca-cert.pem
  37. mv bak-server1-cert.pem server1-cert.pem
  38. mv bak-server2-cert.pem server2-cert.pem
  39. mv bak-server3-cert.pem server3-cert.pem
  40. mv bak-server4-cert.pem server4-cert.pem
  41. mv bak-server5-cert.pem server5-cert.pem
  42. }
  43. wait_for_readyFile(){
  44. counter=0
  45. while [ ! -s $1 -a "$counter" -lt 20 ]; do
  46. echo -e "waiting for ready file..."
  47. sleep 0.1
  48. counter=$((counter+ 1))
  49. done
  50. if test -e $1; then
  51. echo -e "found ready file, starting client..."
  52. else
  53. echo -e "NO ready file ending test..."
  54. exit 1
  55. fi
  56. }
  57. remove_single_rF(){
  58. if test -e $1; then
  59. printf '%s\n' "removing ready file: $1"
  60. rm $1
  61. fi
  62. }
  63. #create a configure file for cert generation with the port 0 solution
  64. create_new_cnf() {
  65. copy_originals
  66. printf '%s\n' "Random Port Selected: $RPORTSELECTED"
  67. printf '%s\n' "#" > $test_cnf
  68. printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
  69. printf '%s\n' "#" >> $test_cnf
  70. printf '%s\n' "" >> $test_cnf
  71. printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
  72. printf '%s\n' "[ v3_req1 ]" >> $test_cnf
  73. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  74. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  75. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  76. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  77. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
  78. printf '%s\n' "" >> $test_cnf
  79. printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
  80. printf '%s\n' "[ v3_req2 ]" >> $test_cnf
  81. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  82. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  83. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  84. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  85. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf
  86. printf '%s\n' "" >> $test_cnf
  87. printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
  88. printf '%s\n' "[ v3_req3 ]" >> $test_cnf
  89. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  90. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  91. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  92. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  93. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf
  94. printf '%s\n' "" >> $test_cnf
  95. printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
  96. printf '%s\n' "[ v3_ca ]" >> $test_cnf
  97. printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
  98. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  99. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  100. printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
  101. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf
  102. printf '%s\n' "" >> $test_cnf
  103. printf '%s\n' "# OCSP extensions." >> $test_cnf
  104. printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
  105. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  106. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  107. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  108. printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
  109. mv $test_cnf $CERT_DIR/$test_cnf
  110. cd $CERT_DIR
  111. CURR_LOC=`pwd`
  112. printf '%s\n' "echo now in $CURR_LOC"
  113. ./renewcerts-for-test.sh $test_cnf
  114. cd $WORKSPACE
  115. }
  116. remove_ready_file() {
  117. if test -e $ready_file; then
  118. printf '%s\n' "removing ready file"
  119. rm $ready_file
  120. fi
  121. if test -e $ready_file2; then
  122. printf '%s\n' "removing ready file: $ready_file2"
  123. rm $ready_file2
  124. fi
  125. }
  126. cleanup()
  127. {
  128. for i in $(jobs -pr)
  129. do
  130. kill -s HUP "$i"
  131. done
  132. remove_ready_file
  133. rm $CERT_DIR/$test_cnf
  134. restore_originals
  135. }
  136. trap cleanup EXIT INT TERM HUP
  137. server=login.live.com
  138. ca=certs/external/baltimore-cybertrust-root.pem
  139. [ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" && exit 1
  140. # create a port 0 port to use with openssl ocsp responder
  141. ./examples/server/server -R $ready_file -p $resume_port &
  142. wait_for_readyFile $ready_file
  143. if [ ! -f $ready_file ]; then
  144. printf '%s\n' "Failed to create ready file: \"$ready_file\""
  145. exit 1
  146. else
  147. RPORTSELECTED=`cat $ready_file`
  148. printf '%s\n' "Random port selected: $RPORTSELECTED"
  149. # Use client connection to shutdown the server cleanly
  150. ./examples/client/client -p $RPORTSELECTED
  151. create_new_cnf $RPORTSELECTED
  152. fi
  153. sleep 1
  154. # is our desired server there? - login.live.com doesn't answers PING
  155. #./scripts/ping.test $server 2
  156. # client test against the server
  157. # external test case was never running, disable for now but retain case in event
  158. # we wish to re-activate in the future.
  159. #./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
  160. #RESULT=$?
  161. #[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
  162. # setup ocsp responder
  163. # OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh &
  164. # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
  165. # purposes!
  166. openssl ocsp -port $RPORTSELECTED -nmin 1 \
  167. -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
  168. -rsigner certs/ocsp/intermediate1-ca-cert.pem \
  169. -rkey certs/ocsp/intermediate1-ca-key.pem \
  170. -CA certs/ocsp/intermediate1-ca-cert.pem \
  171. $@ \
  172. &
  173. sleep 1
  174. # "jobs" is not portable for posix. Must use bash interpreter!
  175. [ $(jobs -r | wc -l) -ne 1 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
  176. printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
  177. # client test against our own server - GOOD CERT
  178. ./examples/server/server -c certs/ocsp/server1-cert.pem \
  179. -k certs/ocsp/server1-key.pem -R $ready_file2 \
  180. -p $resume_port &
  181. wait_for_readyFile $ready_file2
  182. CLI_PORT=`cat $ready_file2`
  183. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
  184. -p $CLI_PORT
  185. RESULT=$?
  186. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed" && exit 1
  187. printf '%s\n\n' "Test PASSED!"
  188. printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
  189. # client test against our own server - REVOKED CERT
  190. remove_single_rF $ready_file2
  191. ./examples/server/server -c certs/ocsp/server2-cert.pem \
  192. -k certs/ocsp/server2-key.pem -R $ready_file2 \
  193. -p $resume_port &
  194. wait_for_readyFile $ready_file2
  195. CLI_PORT=`cat $ready_file2`
  196. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
  197. -p $CLI_PORT
  198. RESULT=$?
  199. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
  200. printf '%s\n\n' "Test successfully REVOKED!"
  201. exit 0