Use pzero solutions on servers and clients in addition to ocsp responders

kaleb-himes 2018-08-10 14:17:17 -06:00
parent c288a214b1
commit 280de47d06
3 changed files with 188 additions and 45 deletions


@ -5,6 +5,7 @@ WORKSPACE=`pwd`
CERT_DIR="./certs/ocsp"
resume_port=0
ready_file=`pwd`/wolf_ocsp_s1_readyF$$
ready_file2=`pwd`/wolf_ocsp_s1_readyF2$$
printf '%s\n' "ready file: $ready_file"
test_cnf="ocsp_s_w_ca_a_r.cnf"
@ -38,6 +39,32 @@ restore_originals() {
mv bak-server5-cert.pem server5-cert.pem
}
wait_for_readyFile(){
counter=0
while [ ! -s $1 -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $1; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
}
remove_single_rF(){
if test -e $1; then
printf '%s\n' "removing ready file: $1"
rm $1
fi
}
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
copy_originals
@ -100,6 +127,10 @@ remove_ready_file() {
printf '%s\n' "removing ready file"
rm $ready_file
fi
if test -e $ready_file2; then
printf '%s\n' "removing ready file: $ready_file2"
rm $ready_file2
fi
}
@ -122,7 +153,7 @@ ca=certs/external/baltimore-cybertrust-root.pem
# create a port 0 port to use with openssl ocsp responder
./examples/server/server -R $ready_file -p $resume_port &
sleep 1
wait_for_readyFile $ready_file
if [ ! -f $ready_file ]; then
printf '%s\n' "Failed to create ready file: \"$ready_file\""
exit 1
@ -163,18 +194,27 @@ sleep 1
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -R $ready_file2 \
-p $resume_port &
wait_for_readyFile $ready_file2
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
# client test against our own server - REVOKED CERT
./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
remove_single_rF $ready_file2
./examples/server/server -c certs/ocsp/server2-cert.pem \
-k certs/ocsp/server2-key.pem -R $ready_file2 \
-p $resume_port &
wait_for_readyFile $ready_file2
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
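Review bot: wait_for_readyFile polls for a non-empty file (`! -s $1`) but then decides success with `test -e $1`, so a ready file that exists and is still empty after the 20 tries is reported as "found ready file". The callers then assign CLI_PORT from `cat $ready_file2` and pass an empty value to `-p`. The final check should match the loop condition: `if test -s "$1"; then`. The same function body is added in the other two scripts on this page and needs the same change.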


@ -8,6 +8,7 @@ WORKSPACE=`pwd`
CERT_DIR="./certs/ocsp"
resume_port=0
ready_file=`pwd`/wolf_ocsp_s1_readyF$$
ready_file2=`pwd`/wolf_ocsp_s1_readyF2$$
printf '%s\n' "ready file: $ready_file"
test_cnf="ocsp_s1.cnf"
@ -41,6 +42,32 @@ restore_originals() {
mv bak-server5-cert.pem server5-cert.pem
}
wait_for_readyFile(){
counter=0
while [ ! -s $1 -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $1; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
}
remove_single_rF(){
if test -e $1; then
printf '%s\n' "removing ready file: $1"
rm $1
fi
}
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
copy_originals
@ -103,6 +130,10 @@ remove_ready_file() {
printf '%s\n' "removing ready file"
rm $ready_file
fi
if test -e $ready_file2; then
printf '%s\n' "removing ready file: $ready_file2"
rm $ready_file2
fi
}
cleanup()
@ -128,7 +159,7 @@ fi
# create a port 0 port to use with openssl ocsp responder
./examples/server/server -R $ready_file -p $resume_port &
sleep 1
wait_for_readyFile $ready_file
if [ ! -f $ready_file ]; then
printf '%s\n' "Failed to create ready file: \"$ready_file\""
exit 1
@ -175,20 +206,24 @@ sleep 1
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file2 \
-k certs/ocsp/server1-key.pem -p $resume_port &
wait_for_readyFile $ready_file2
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
# client test against our own server - REVOKED CERT
./examples/server/server -c certs/ocsp/server2-cert.pem \
-k certs/ocsp/server2-key.pem &
remove_single_rF $ready_file2
./examples/server/server -c certs/ocsp/server2-cert.pem -R $ready_file2 \
-k certs/ocsp/server2-key.pem -p $resume_port &
wait_for_readyFile $ready_file2
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" \
&& exit 1
@ -199,20 +234,28 @@ printf '%s\n\n' "Test successfully REVOKED!"
if [ $? -ne 0 ]; then
printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------"
# client test against our own server - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -v 4 &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1
remove_single_rF $ready_file2
./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file2 \
-k certs/ocsp/server1-key.pem -v 4 \
-p $resume_port &
wait_for_readyFile $ready_file2
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ------------------"
# client test against our own server - REVOKED CERT
./examples/server/server -c certs/ocsp/server2-cert.pem \
-k certs/ocsp/server2-key.pem -v 4 &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1
remove_single_rF $ready_file2
./examples/server/server -c certs/ocsp/server2-cert.pem -R $ready_file2 \
-k certs/ocsp/server2-key.pem -v 4 \
-p $resume_port &
wait_for_readyFile $ready_file2
CLI_PORT=`cat $ready_file2`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && \
printf '\n\n%s\n' "Client connection suceeded $RESULT" \
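Review bot: CLI_PORT is read from the ready file and passed to `-p` with no check that it holds a port, and the SHOULD REVOKE cases treat a client exit status of 1 as proof of revocation (`[ $RESULT -ne 1 ]`). If the client also returns 1 for a missing or unusable port, which is not visible on this page, cases 2 and 4 would print "Test successfully REVOKED!" without the OCSP check having run. A guard after each assignment keeps a setup failure from being counted as a revocation: `[ -n "$CLI_PORT" ] || { printf '%s\n' "no port in ready file"; exit 1; }`. The same pattern appears in the revoke cases of the other two scripts.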


@ -9,10 +9,12 @@ ready_file1=`pwd`/wolf_ocsp_s2_readyF1$$
ready_file2=`pwd`/wolf_ocsp_s2_readyF2$$
ready_file3=`pwd`/wolf_ocsp_s2_readyF3$$
ready_file4=`pwd`/wolf_ocsp_s2_readyF4$$
ready_file5=`pwd`/wolf_ocsp_s2_readyF5$$
printf '%s\n' "ready file 1: $ready_file1"
printf '%s\n' "ready file 2: $ready_file2"
printf '%s\n' "ready file 3: $ready_file3"
printf '%s\n' "ready file 4: $ready_file4"
printf '%s\n' "ready file 5: $ready_file5"
test_cnf="ocsp_s2.cnf"
@ -45,6 +47,32 @@ restore_originals() {
mv bak-server5-cert.pem server5-cert.pem
}
wait_for_readyFile(){
counter=0
while [ ! -s $1 -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $1; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
}
remove_single_rF(){
if test -e $1; then
printf '%s\n' "removing ready file: $1"
rm $1
fi
}
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
copy_originals
@ -119,6 +147,10 @@ remove_ready_file(){
printf '%s\n' "removing ready file: $ready_file4"
rm $ready_file4
fi
if test -e $ready_file5; then
printf '%s\n' "removing ready file: $ready_file5"
rm $ready_file5
fi
}
cleanup()
@ -138,28 +170,28 @@ trap cleanup EXIT INT TERM HUP
#get four unique ports
# 1:
./examples/server/server -R $ready_file1 -p $resume_port &
sleep 1
wait_for_readyFile $ready_file1
if [ ! -f $ready_file1 ]; then
printf '%s\n' "Failed to create ready file1: \"$ready_file1\""
exit 1
fi
# 2:
./examples/server/server -R $ready_file2 -p $resume_port &
sleep 1
wait_for_readyFile $ready_file2
if [ ! -f $ready_file2 ]; then
printf '%s\n' "Failed to create ready file2: \"$ready_file2\""
exit 1
fi
# 3:
./examples/server/server -R $ready_file3 -p $resume_port &
sleep 1
wait_for_readyFile $ready_file3
if [ ! -f $ready_file3 ]; then
printf '%s\n' "Failed to create ready file3: \"$ready_file3\""
exit 1
fi
# 4:
./examples/server/server -R $ready_file4 -p $resume_port &
sleep 1
wait_for_readyFile $ready_file4
if [ ! -f $ready_file4 ]; then
printf '%s\n' "Failed to create ready file4: \"$ready_file4\""
exit 1
@ -223,53 +255,81 @@ sleep 1
printf '\n\n%s\n\n' "All OCSP responders started successfully!"
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERTS
./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R $ready_file5 \
-p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "TEST CASE 2 DISABLED PENDING REVIEW"
#printf '%s\n\n' "------------- TEST CASE 2 SHOULD PASS ------------------------"
#
#./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
#sleep 1
#./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
#remove_single_rF $ready_file5
#./examples/server/server -c certs/ocsp/server3-cert.pem \
# -k certs/ocsp/server3-key.pem -R $ready_file5 \
# -p $resume_port &
#wait_for_readyFile $ready_file5
#CLI_PORT=`cat $ready_file5`
#./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
# -p $CLI_PORT
#RESULT=$?
#[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1
#printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------"
# client test against our own server - REVOKED SERVER CERT
./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ----------------------"
./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem &
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $resume_port &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ------------------------"
# client test against our own server - REVOKED INTERMEDIATE CERT
./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R $ready_file5 \
-p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed $RESULT" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 6 SHOULD REVOKE ----------------------"
./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R $ready_file5 \
-p $resume_port &
wait_for_readyFile $ready_file5
CLI_PORT=`cat $ready_file5`
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
-p $CLI_PORT
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
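Review bot: TEST CASE 4 appears to be the only converted case that never calls `wait_for_readyFile $ready_file5` before reading the port: the rendered hunk shows the new server start, then `sleep 1`, then the CLI_PORT assignment from `cat $ready_file5`. The case removes the ready file first, so if the server takes longer than a second the `cat` fails and the client runs with an empty `-p` value, which for a SHOULD REVOKE case may still end in the expected failure. Replace that `sleep 1` with `wait_for_readyFile $ready_file5`, as the other cases do. The +/- markers are lost on this page, so confirm which lines are new against the file itself.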