ocsp-stapling_tls13multi.test 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522
  1. #!/bin/bash
  2. # ocsp-stapling_tls13multi.test
  3. # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2
  4. SCRIPT_DIR="$(dirname "$0")"
  5. # if we can, isolate the network namespace to eliminate port collisions.
  6. if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
  7. if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
  8. export NETWORK_UNSHARE_HELPER_CALLED=yes
  9. exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
  10. fi
  11. elif [ "${AM_BWRAPPED-}" != "yes" ]; then
  12. bwrap_path="$(command -v bwrap)"
  13. if [ -n "$bwrap_path" ]; then
  14. export AM_BWRAPPED=yes
  15. exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
  16. fi
  17. unset AM_BWRAPPED
  18. fi
  19. if [[ -z "${RETRIES_REMAINING-}" ]]; then
  20. export RETRIES_REMAINING=2
  21. fi
  22. if ! ./examples/client/client -V | grep -q 4; then
  23. tls13=no
  24. else
  25. tls13=yes
  26. fi
  27. if ! ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then
  28. dtls13=no
  29. else
  30. dtls13=yes
  31. fi
  32. if [[ ("$tls13" == "no") && ("$dtls13" == "no") ]]; then
  33. echo 'skipping ocsp-stapling_tls13multi.test because TLS1.3 is not available.' 1>&2
  34. exit 77
  35. fi
  36. if ! ./examples/client/client -V | grep -q 4; then
  37. tls13=no
  38. echo 'skipping ocsp-stapling_tls13multi.test because TLS1.3 is not available.' 1>&2
  39. exit 77
  40. else
  41. tls13=yes
  42. fi
  43. if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then
  44. IPV6_SUPPORTED=yes
  45. else
  46. IPV6_SUPPORTED=no
  47. fi
  48. if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
  49. if [[ "$IPV6_SUPPORTED" == "no" ]]; then
  50. echo 'Skipping IPV6 test in environment lacking IPV6 support.'
  51. exit 77
  52. fi
  53. LOCALHOST='[::1]'
  54. LOCALHOST_FOR_NC='-6 ::1'
  55. else
  56. LOCALHOST='127.0.0.1'
  57. LOCALHOST_FOR_NC='127.0.0.1'
  58. fi
  59. PARENTDIR="$PWD"
  60. # create a unique workspace directory ending in PID for the script instance ($$)
  61. # to make this instance orthogonal to any others running, even on same repo.
  62. # TCP ports are also carefully formed below from the PID, to minimize conflicts.
  63. #WORKSPACE="${PARENTDIR}/workspace.pid$$"
  64. #mkdir "${WORKSPACE}" || exit $?
  65. WORKSPACE="$(mktemp -d -p ${PARENTDIR})"
  66. cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $?
  67. cd "$WORKSPACE" || exit $?
  68. ln -s ../examples
  69. CERT_DIR="certs/ocsp"
  70. ready_file1="$WORKSPACE"/wolf_ocsp_s2_readyF1$$
  71. ready_file2="$WORKSPACE"/wolf_ocsp_s2_readyF2$$
  72. ready_file3="$WORKSPACE"/wolf_ocsp_s2_readyF3$$
  73. ready_file4="$WORKSPACE"/wolf_ocsp_s2_readyF4$$
  74. ready_file5="$WORKSPACE"/wolf_ocsp_s2_readyF5$$
  75. printf '%s\n' "ready file 1: $ready_file1"
  76. printf '%s\n' "ready file 2: $ready_file2"
  77. printf '%s\n' "ready file 3: $ready_file3"
  78. printf '%s\n' "ready file 4: $ready_file4"
  79. printf '%s\n' "ready file 5: $ready_file5"
  80. test_cnf="ocsp_s2.cnf"
  81. wait_for_readyFile(){
  82. counter=0
  83. while [ ! -s $1 -a "$counter" -lt 20 ]; do
  84. if [[ -n "${2-}" ]]; then
  85. if ! kill -0 $2 2>&-; then
  86. echo "pid $2 for port ${3-} exited before creating ready file. bailing..."
  87. exit 1
  88. fi
  89. fi
  90. echo -e "waiting for ready file..."
  91. sleep 0.1
  92. counter=$((counter+ 1))
  93. done
  94. if test -e $1; then
  95. echo -e "found ready file, starting client..."
  96. else
  97. echo -e "NO ready file at $1 -- ending test..."
  98. exit 1
  99. fi
  100. }
  101. remove_single_rF(){
  102. if test -e $1; then
  103. printf '%s\n' "removing ready file: $1"
  104. rm $1
  105. fi
  106. }
  107. #create a configure file for cert generation with the port 0 solution
  108. create_new_cnf() {
  109. echo "Random Ports Selected: $1 $2 $3 $4"
  110. cat <<- EOF > $test_cnf
  111. #
  112. # openssl configuration file for OCSP certificates
  113. #
  114. # Extensions to add to a certificate request (intermediate1-ca)
  115. [ v3_req1 ]
  116. basicConstraints = CA:false
  117. subjectKeyIdentifier = hash
  118. authorityKeyIdentifier = keyid:always,issuer:always
  119. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  120. authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1
  121. # Extensions to add to a certificate request (intermediate2-ca)
  122. [ v3_req2 ]
  123. basicConstraints = CA:false
  124. subjectKeyIdentifier = hash
  125. authorityKeyIdentifier = keyid:always,issuer:always
  126. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  127. authorityInfoAccess = OCSP;URI:http://127.0.0.1:$2
  128. # Extensions to add to a certificate request (intermediate3-ca)
  129. [ v3_req3 ]
  130. basicConstraints = CA:false
  131. subjectKeyIdentifier = hash
  132. authorityKeyIdentifier = keyid:always,issuer:always
  133. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  134. authorityInfoAccess = OCSP;URI:http://127.0.0.1:$3
  135. # Extensions for a typical CA
  136. [ v3_ca ]
  137. basicConstraints = CA:true
  138. subjectKeyIdentifier = hash
  139. authorityKeyIdentifier = keyid:always,issuer:always
  140. keyUsage = keyCertSign, cRLSign
  141. authorityInfoAccess = OCSP;URI:http://127.0.0.1:$4
  142. # OCSP extensions.
  143. [ v3_ocsp ]
  144. basicConstraints = CA:false
  145. subjectKeyIdentifier = hash
  146. authorityKeyIdentifier = keyid:always,issuer:always
  147. extendedKeyUsage = OCSPSigning
  148. EOF
  149. mv $test_cnf $CERT_DIR/$test_cnf
  150. cd $CERT_DIR
  151. CURR_LOC="$PWD"
  152. printf '%s\n' "echo now in $CURR_LOC"
  153. ./renewcerts-for-test.sh $test_cnf
  154. cd $WORKSPACE
  155. }
  156. remove_ready_file(){
  157. if test -e $ready_file1; then
  158. printf '%s\n' "removing ready file: $ready_file1"
  159. rm $ready_file1
  160. fi
  161. if test -e $ready_file2; then
  162. printf '%s\n' "removing ready file: $ready_file2"
  163. rm $ready_file2
  164. fi
  165. if test -e $ready_file3; then
  166. printf '%s\n' "removing ready file: $ready_file3"
  167. rm $ready_file3
  168. fi
  169. if test -e $ready_file4; then
  170. printf '%s\n' "removing ready file: $ready_file4"
  171. rm $ready_file4
  172. fi
  173. if test -e $ready_file5; then
  174. printf '%s\n' "removing ready file: $ready_file5"
  175. rm $ready_file5
  176. fi
  177. }
  178. cleanup()
  179. {
  180. exit_status=$?
  181. for i in $(jobs -pr)
  182. do
  183. kill -s KILL "$i"
  184. done
  185. remove_ready_file
  186. rm $CERT_DIR/$test_cnf
  187. cd "$PARENTDIR" || return 1
  188. rm -r "$WORKSPACE" || return 1
  189. if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
  190. echo "retrying..."
  191. RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
  192. exec $0 "$@"
  193. fi
  194. }
  195. trap cleanup EXIT INT TERM HUP
  196. [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
  197. # check if supported key size is large enough to handle 4096 bit RSA
  198. size="$(./examples/client/client '-?' | grep "Max RSA key")"
  199. size="${size//[^0-9]/}"
  200. if [ ! -z "$size" ]; then
  201. printf 'check on max key size of %d ...' $size
  202. if [ $size -lt 4096 ]; then
  203. printf '%s\n' "4096 bit RSA keys not supported"
  204. exit 0
  205. fi
  206. printf 'OK\n'
  207. fi
  208. #get four unique ports
  209. # choose consecutive ports based on the PID, skipping any that are
  210. # already bound, to avoid the birthday problem in case other
  211. # instances are sharing this host.
  212. get_first_free_port() {
  213. local ret="$1"
  214. while :; do
  215. if [[ "$ret" -ge 65536 ]]; then
  216. ret=1024
  217. fi
  218. if ! nc -z ${LOCALHOST_FOR_NC} "$ret"; then
  219. break
  220. fi
  221. ret=$((ret+1))
  222. done
  223. echo "$ret"
  224. return 0
  225. }
  226. base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
  227. port1=$(get_first_free_port $base_port)
  228. port2=$(get_first_free_port $((port1 + 1)))
  229. port3=$(get_first_free_port $((port2 + 1)))
  230. port4=$(get_first_free_port $((port3 + 1)))
  231. port5=$(get_first_free_port $((port4 + 1)))
  232. # 1:
  233. ./examples/server/server -R $ready_file1 -p $port1 &
  234. server_pid1=$!
  235. wait_for_readyFile $ready_file1 $server_pid1 $port1
  236. if [ ! -f $ready_file1 ]; then
  237. printf '%s\n' "Failed to create ready file1: \"$ready_file1\""
  238. exit 1
  239. fi
  240. # 2:
  241. ./examples/server/server -R $ready_file2 -p $port2 &
  242. server_pid2=$!
  243. wait_for_readyFile $ready_file2 $server_pid2 $port2
  244. if [ ! -f $ready_file2 ]; then
  245. printf '%s\n' "Failed to create ready file2: \"$ready_file2\""
  246. exit 1
  247. fi
  248. # 3:
  249. ./examples/server/server -R $ready_file3 -p $port3 &
  250. server_pid3=$!
  251. wait_for_readyFile $ready_file3 $server_pid3 $port3
  252. if [ ! -f $ready_file3 ]; then
  253. printf '%s\n' "Failed to create ready file3: \"$ready_file3\""
  254. exit 1
  255. fi
  256. # 4:
  257. ./examples/server/server -R $ready_file4 -p $port4 &
  258. server_pid4=$!
  259. wait_for_readyFile $ready_file4 $server_pid4 $port4
  260. if [ ! -f $ready_file4 ]; then
  261. printf '%s\n' "Failed to create ready file4: \"$ready_file4\""
  262. exit 1
  263. fi
  264. printf '%s\n' "------------- PORTS ---------------"
  265. printf '%s' "Random ports selected: $port1 $port2"
  266. printf '%s\n' " $port3 $port4"
  267. printf '%s\n' "-----------------------------------"
  268. # Use client connections to cleanly shutdown the servers
  269. ./examples/client/client -p $port1
  270. ./examples/client/client -p $port2
  271. ./examples/client/client -p $port3
  272. ./examples/client/client -p $port4
  273. create_new_cnf $port1 $port2 $port3 \
  274. $port4
  275. sleep 0.1
  276. # setup ocsp responders
  277. # OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
  278. # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
  279. # purposes!
  280. openssl ocsp -port $port1 -nmin 1 \
  281. -index certs/ocsp/index-ca-and-intermediate-cas.txt \
  282. -rsigner certs/ocsp/ocsp-responder-cert.pem \
  283. -rkey certs/ocsp/ocsp-responder-key.pem \
  284. -CA certs/ocsp/root-ca-cert.pem \
  285. "$@" \
  286. &
  287. # OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
  288. # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
  289. # purposes!
  290. openssl ocsp -port $port2 -nmin 1 \
  291. -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \
  292. -rsigner certs/ocsp/ocsp-responder-cert.pem \
  293. -rkey certs/ocsp/ocsp-responder-key.pem \
  294. -CA certs/ocsp/intermediate2-ca-cert.pem \
  295. "$@" \
  296. &
  297. # OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
  298. # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
  299. # purposes!
  300. openssl ocsp -port $port3 -nmin 1 \
  301. -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \
  302. -rsigner certs/ocsp/ocsp-responder-cert.pem \
  303. -rkey certs/ocsp/ocsp-responder-key.pem \
  304. -CA certs/ocsp/intermediate3-ca-cert.pem \
  305. "$@" \
  306. &
  307. # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
  308. # purposes!
  309. openssl ocsp -port $port4 -nmin 1 \
  310. -index certs/ocsp/index-ca-and-intermediate-cas.txt \
  311. -rsigner certs/ocsp/ocsp-responder-cert.pem \
  312. -rkey certs/ocsp/ocsp-responder-key.pem \
  313. -CA certs/ocsp/root-ca-cert.pem \
  314. "$@" \
  315. &
  316. sleep 0.1
  317. # "jobs" is not portable for posix. Must use bash interpreter!
  318. [ $(jobs -r | wc -l) -ne 4 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
  319. printf '\n\n%s\n\n' "All OCSP responders started successfully!"
  320. if [ "$tls13" == "yes" ]; then
  321. printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
  322. # client test against our own server - GOOD CERTS
  323. ./examples/server/server -c certs/ocsp/server3-cert.pem \
  324. -k certs/ocsp/server3-key.pem -R $ready_file5 \
  325. -p $port5 -v 4 &
  326. server_pid5=$!
  327. wait_for_readyFile $ready_file5 $server_pid5 $port5
  328. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
  329. -p $port5
  330. RESULT=$?
  331. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
  332. printf '%s\n\n' "Test PASSED!"
  333. printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
  334. # client test against our own server - REVOKED SERVER CERT
  335. remove_single_rF $ready_file5
  336. ./examples/server/server -c certs/ocsp/server4-cert.pem \
  337. -k certs/ocsp/server4-key.pem -R $ready_file5 \
  338. -p $port5 -v 4 &
  339. server_pid5=$!
  340. wait_for_readyFile $ready_file5 $server_pid5 $port5
  341. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
  342. -p $port5
  343. RESULT=$?
  344. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
  345. printf '%s\n\n' "Test successfully REVOKED!"
  346. printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------"
  347. remove_single_rF $ready_file5
  348. ./examples/server/server -c certs/ocsp/server4-cert.pem \
  349. -k certs/ocsp/server4-key.pem -R $ready_file5 \
  350. -p $port5 &
  351. sleep 0.1
  352. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
  353. -p $port5
  354. RESULT=$?
  355. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
  356. printf '%s\n\n' "Test successfully REVOKED!"
  357. printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ------------------------"
  358. # client test against our own server - REVOKED INTERMEDIATE CERT
  359. remove_single_rF $ready_file5
  360. ./examples/server/server -c certs/ocsp/server5-cert.pem \
  361. -k certs/ocsp/server5-key.pem -R $ready_file5 \
  362. -p $port5 -v 4 &
  363. server_pid5=$!
  364. wait_for_readyFile $ready_file5 $server_pid5 $port5
  365. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
  366. -p $port5
  367. RESULT=$?
  368. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
  369. printf '%s\n\n' "Test successfully REVOKED!"
  370. printf '%s\n\n' "------------- TEST CASE 5 SHOULD REVOKE ----------------------"
  371. remove_single_rF $ready_file5
  372. ./examples/server/server -c certs/ocsp/server5-cert.pem \
  373. -k certs/ocsp/server5-key.pem -R $ready_file5 \
  374. -p $port5 -v 4 &
  375. server_pid5=$!
  376. wait_for_readyFile $ready_file5 $server_pid5 $port5
  377. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
  378. -p $port5
  379. RESULT=$?
  380. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
  381. printf '%s\n\n' "Test successfully REVOKED!"
  382. printf '%s\n\n' "------------- TEST CASE 6 LOAD CERT IN SSL -------------------"
  383. remove_single_rF $ready_file5
  384. ./examples/server/server -c certs/ocsp/server1-cert.pem \
  385. -k certs/ocsp/server1-key.pem -R $ready_file5 -v 4 \
  386. -p $port5 -H loadSSL &
  387. server_pid5=$!
  388. wait_for_readyFile $ready_file5 $server_pid5 $port5
  389. echo "test connection" | openssl s_client -status -legacy_renegotiation -connect ${LOCALHOST}:$port5 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
  390. RESULT=$?
  391. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1
  392. wait $server_pid5
  393. if [ $? -ne 0 ]; then
  394. printf '%s\n' "Unexpected server result"
  395. exit 1
  396. fi
  397. printf '%s\n\n' "Test successful"
  398. printf '%s\n\n' "------------- TEST CASE 7 SHOULD REVOKE ----------------------"
  399. remove_single_rF $ready_file5
  400. ./examples/server/server -c certs/ocsp/server4-cert.pem \
  401. -k certs/ocsp/server4-key.pem -R $ready_file5 \
  402. -p $port5 -H loadSSL -v 4 &
  403. server_pid5=$!
  404. sleep 0.1
  405. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
  406. -p $port5
  407. RESULT=$?
  408. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
  409. wait $server_pid5
  410. if [ $? -ne 1 ]; then
  411. printf '%s\n' "Unexpected server result"
  412. exit 1
  413. fi
  414. printf '%s\n\n' "Test successfully REVOKED!"
  415. fi
  416. if [ "$dtls13" == "yes" ]; then
  417. printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS ---------------"
  418. # client test against our own server - GOOD CERTS
  419. ./examples/server/server -c certs/ocsp/server3-cert.pem \
  420. -k certs/ocsp/server3-key.pem -R $ \
  421. -p $port5 -u -v 4 &
  422. server_pid5=$!
  423. sleep 0.2
  424. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -u -v 4 \
  425. -p $port5
  426. RESULT=$?
  427. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
  428. printf '%s\n\n' "Test PASSED!"
  429. printf '%s\n\n' "------------- TEST CASE DTLS-2 SHOULD REVOKE --------------"
  430. # client test against our own server - REVOKED SERVER CERT
  431. remove_single_rF $ready_file5
  432. ./examples/server/server -c certs/ocsp/server4-cert.pem \
  433. -k certs/ocsp/server4-key.pem -R $ready_file5 \
  434. -p $port5 -v 4 &
  435. server_pid5=$!
  436. sleep 0.2
  437. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
  438. -p $port5
  439. RESULT=$?
  440. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
  441. printf '%s\n\n' "Test successfully REVOKED!"
  442. fi
  443. # need a unique port since may run the same time as testsuite
  444. generate_port() {
  445. #-------------------------------------------------------------------------#
  446. # Generate a random port number
  447. #-------------------------------------------------------------------------#
  448. if [[ "$OSTYPE" == "linux"* ]]; then
  449. port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
  450. elif [[ "$OSTYPE" == "darwin"* ]]; then
  451. port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
  452. else
  453. echo "Unknown OS TYPE"
  454. exit 1
  455. fi
  456. }
  457. printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
  458. exit 0