1
0

ocsp-stapling-with-ca-as-responder.test 9.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270
  1. #!/usr/bin/env bash
  2. # ocsp-stapling-with-ca-as-responder.test
  3. SCRIPT_DIR="$(dirname "$0")"
  4. # if we can, isolate the network namespace to eliminate port collisions.
  5. if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
  6. if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
  7. export NETWORK_UNSHARE_HELPER_CALLED=yes
  8. exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
  9. fi
  10. elif [ "${AM_BWRAPPED-}" != "yes" ]; then
  11. bwrap_path="$(command -v bwrap)"
  12. if [ -n "$bwrap_path" ]; then
  13. export AM_BWRAPPED=yes
  14. exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
  15. fi
  16. unset AM_BWRAPPED
  17. fi
  18. if [[ -z "${RETRIES_REMAINING-}" ]]; then
  19. export RETRIES_REMAINING=2
  20. fi
  21. if ! ./examples/client/client -V | grep -q 3; then
  22. echo 'skipping ocsp-stapling-with-ca-as-responder.test because TLS1.2 is not available.' 1>&2
  23. exit 77
  24. fi
  25. PARENTDIR="$PWD"
  26. # create a unique workspace directory ending in PID for the script instance ($$)
  27. # to make this instance orthogonal to any others running, even on same repo.
  28. # TCP ports are also carefully formed below from the PID, to minimize conflicts.
  29. WORKSPACE="${PARENTDIR}/workspace.pid$$"
  30. mkdir "${WORKSPACE}" || exit $?
  31. cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $?
  32. cd "$WORKSPACE" || exit $?
  33. ln -s ../examples
  34. CERT_DIR="certs/ocsp"
  35. ready_file="${WORKSPACE}"/wolf_ocsp_s1_readyF$$
  36. ready_file2="${WORKSPACE}"/wolf_ocsp_s1_readyF2$$
  37. printf '%s\n' "ready files: \"$ready_file\" \"$ready_file2\""
  38. test_cnf="ocsp_s_w_ca_a_r.cnf"
  39. wait_for_readyFile(){
  40. counter=0
  41. while [ ! -s "$1" -a "$counter" -lt 20 ]; do
  42. if [[ -n "${2-}" ]]; then
  43. if ! kill -0 $2 2>&-; then
  44. echo "pid $2 for port ${3-} exited before creating ready file. bailing..."
  45. exit 1
  46. fi
  47. fi
  48. echo -e "waiting for ready file..."
  49. sleep 0.1
  50. counter=$((counter+ 1))
  51. done
  52. if test -e "$1"; then
  53. echo -e "found ready file, starting client..."
  54. else
  55. echo -e "NO ready file at \"$1\" -- ending test..."
  56. exit 1
  57. fi
  58. }
  59. remove_single_rF(){
  60. if test -e "$1"; then
  61. printf '%s\n' "removing ready file: \"$1\""
  62. rm "$1"
  63. fi
  64. }
  65. #create a configure file for cert generation with the port 0 solution
  66. create_new_cnf() {
  67. printf '%s\n' "Random Port Selected: $RPORTSELECTED"
  68. printf '%s\n' "#" > $test_cnf
  69. printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
  70. printf '%s\n' "#" >> $test_cnf
  71. printf '%s\n' "" >> $test_cnf
  72. printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
  73. printf '%s\n' "[ v3_req1 ]" >> $test_cnf
  74. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  75. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  76. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  77. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  78. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
  79. printf '%s\n' "" >> $test_cnf
  80. printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
  81. printf '%s\n' "[ v3_req2 ]" >> $test_cnf
  82. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  83. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  84. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  85. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  86. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf
  87. printf '%s\n' "" >> $test_cnf
  88. printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
  89. printf '%s\n' "[ v3_req3 ]" >> $test_cnf
  90. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  91. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  92. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  93. printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
  94. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf
  95. printf '%s\n' "" >> $test_cnf
  96. printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
  97. printf '%s\n' "[ v3_ca ]" >> $test_cnf
  98. printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
  99. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  100. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  101. printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
  102. printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf
  103. printf '%s\n' "" >> $test_cnf
  104. printf '%s\n' "# OCSP extensions." >> $test_cnf
  105. printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
  106. printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
  107. printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
  108. printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
  109. printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
  110. mv $test_cnf $CERT_DIR/$test_cnf
  111. cd $CERT_DIR
  112. CURR_LOC="$PWD"
  113. printf '%s\n' "echo now in $CURR_LOC"
  114. ./renewcerts-for-test.sh $test_cnf
  115. cd $WORKSPACE
  116. }
  117. remove_ready_file() {
  118. if test -e "$ready_file"; then
  119. printf '%s\n' "removing ready file"
  120. rm "$ready_file"
  121. fi
  122. if test -e "$ready_file2"; then
  123. printf '%s\n' "removing ready file: \"$ready_file2\""
  124. rm "$ready_file2"
  125. fi
  126. }
  127. cleanup()
  128. {
  129. exit_status=$?
  130. for i in $(jobs -pr)
  131. do
  132. kill -s kill "$i"
  133. done
  134. remove_ready_file
  135. rm $CERT_DIR/$test_cnf
  136. cd "$PARENTDIR" || return 1
  137. rm -r "$WORKSPACE" || return 1
  138. if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
  139. echo "retrying..."
  140. RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
  141. exec $0 "$@"
  142. fi
  143. }
  144. trap cleanup EXIT INT TERM HUP
  145. server=login.live.com
  146. ca=certs/external/baltimore-cybertrust-root.pem
  147. [ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" && exit 1
  148. # choose consecutive ports based on the PID, skipping any that are
  149. # already bound, to avoid the birthday problem in case other
  150. # instances are sharing this host.
  151. get_first_free_port() {
  152. local ret="$1"
  153. while :; do
  154. if [[ "$ret" -ge 65536 ]]; then
  155. ret=1024
  156. fi
  157. if ! nc -z 127.0.0.1 "$ret"; then
  158. break
  159. fi
  160. ret=$((ret+1))
  161. done
  162. echo "$ret"
  163. return 0
  164. }
  165. base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
  166. port1=$(get_first_free_port $base_port)
  167. port2=$(get_first_free_port $((port1 + 1)))
  168. # create a port to use with openssl ocsp responder
  169. ./examples/server/server -R "$ready_file" -p $port1 &
  170. wolf_pid=$!
  171. wait_for_readyFile "$ready_file" $wolf_pid $port1
  172. if [ ! -f "$ready_file" ]; then
  173. printf '%s\n' "Failed to create ready file: \"$ready_file\""
  174. exit 1
  175. else
  176. printf '%s\n' "Random port selected: $port1"
  177. # Use client connection to shutdown the server cleanly
  178. ./examples/client/client -p $port1
  179. create_new_cnf $port1
  180. fi
  181. sleep 0.1
  182. # is our desired server there? - login.live.com doesn't answers PING
  183. #./scripts/ping.test $server 2
  184. # client test against the server
  185. # external test case was never running, disable for now but retain case in event
  186. # we wish to re-activate in the future.
  187. #./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
  188. #RESULT=$?
  189. #[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
  190. # setup ocsp responder
  191. # OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh &
  192. # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
  193. # purposes!
  194. openssl ocsp -port $port1 -nmin 1 \
  195. -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
  196. -rsigner certs/ocsp/intermediate1-ca-cert.pem \
  197. -rkey certs/ocsp/intermediate1-ca-key.pem \
  198. -CA certs/ocsp/intermediate1-ca-cert.pem \
  199. "$@" \
  200. &
  201. sleep 0.1
  202. # "jobs" is not portable for posix. Must use bash interpreter!
  203. [ $(jobs -r | wc -l) -ne 1 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
  204. printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
  205. # client test against our own server - GOOD CERT
  206. ./examples/server/server -c certs/ocsp/server1-cert.pem \
  207. -k certs/ocsp/server1-key.pem -R "$ready_file2" \
  208. -p $port2 &
  209. wolf_pid2=$!
  210. wait_for_readyFile "$ready_file2" $wolf_pid2 $port2
  211. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
  212. -p $port2
  213. RESULT=$?
  214. [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed" && exit 1
  215. printf '%s\n\n' "Test PASSED!"
  216. printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
  217. # client test against our own server - REVOKED CERT
  218. remove_single_rF "$ready_file2"
  219. ./examples/server/server -c certs/ocsp/server2-cert.pem \
  220. -k certs/ocsp/server2-key.pem -R "$ready_file2" \
  221. -p $port2 &
  222. wolf_pid2=$!
  223. wait_for_readyFile "$ready_file2" $wolf_pid2 $port2
  224. ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
  225. -p $port2
  226. RESULT=$?
  227. [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
  228. printf '%s\n\n' "Test successfully REVOKED!"
  229. exit 0