487c60df78
TLS 1.3 Early Data can be used with PSK and not session tickets. If only TLS 1.3 and no session tickets then no resumption. External sites don't support TLS 1.3 yet.
232 lines
8.5 KiB
Bash
Executable File
232 lines
8.5 KiB
Bash
Executable File
#!/bin/bash
|
|
# ocsp-stapling.test
|
|
|
|
|
|
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
|
|
if [ $? -eq 0 ]; then
|
|
echo "TLS 1.2 or lower required"
|
|
echo "Skipped"
|
|
exit 0
|
|
fi
|
|
|
|
|
|
WORKSPACE=`pwd`
|
|
CERT_DIR="./certs/ocsp"
|
|
resume_port=0
|
|
ready_file=`pwd`/wolf_ocsp_s1_readyF$$
|
|
ready_file2=`pwd`/wolf_ocsp_s1_readyF2$$
|
|
printf '%s\n' "ready file: $ready_file"
|
|
|
|
test_cnf="ocsp_s_w_ca_a_r.cnf"
|
|
|
|
copy_originals() {
|
|
cd $CERT_DIR
|
|
cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem
|
|
cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem
|
|
cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem
|
|
cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem
|
|
cp root-ca-cert.pem bak-root-ca-cert.pem
|
|
cp server1-cert.pem bak-server1-cert.pem
|
|
cp server2-cert.pem bak-server2-cert.pem
|
|
cp server3-cert.pem bak-server3-cert.pem
|
|
cp server4-cert.pem bak-server4-cert.pem
|
|
cp server5-cert.pem bak-server5-cert.pem
|
|
cd $WORKSPACE
|
|
}
|
|
|
|
restore_originals() {
|
|
cd $CERT_DIR
|
|
mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem
|
|
mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem
|
|
mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem
|
|
mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem
|
|
mv bak-root-ca-cert.pem root-ca-cert.pem
|
|
mv bak-server1-cert.pem server1-cert.pem
|
|
mv bak-server2-cert.pem server2-cert.pem
|
|
mv bak-server3-cert.pem server3-cert.pem
|
|
mv bak-server4-cert.pem server4-cert.pem
|
|
mv bak-server5-cert.pem server5-cert.pem
|
|
}
|
|
|
|
wait_for_readyFile(){
|
|
|
|
counter=0
|
|
|
|
while [ ! -s $1 -a "$counter" -lt 20 ]; do
|
|
echo -e "waiting for ready file..."
|
|
sleep 0.1
|
|
counter=$((counter+ 1))
|
|
done
|
|
|
|
if test -e $1; then
|
|
echo -e "found ready file, starting client..."
|
|
else
|
|
echo -e "NO ready file ending test..."
|
|
exit 1
|
|
fi
|
|
|
|
}
|
|
|
|
remove_single_rF(){
|
|
if test -e $1; then
|
|
printf '%s\n' "removing ready file: $1"
|
|
rm $1
|
|
fi
|
|
}
|
|
|
|
#create a configure file for cert generation with the port 0 solution
|
|
create_new_cnf() {
|
|
copy_originals
|
|
|
|
printf '%s\n' "Random Port Selected: $RPORTSELECTED"
|
|
|
|
printf '%s\n' "#" > $test_cnf
|
|
printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
|
|
printf '%s\n' "#" >> $test_cnf
|
|
printf '%s\n' "" >> $test_cnf
|
|
printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
|
|
printf '%s\n' "[ v3_req1 ]" >> $test_cnf
|
|
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
|
|
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
|
|
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
|
|
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
|
|
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
|
|
printf '%s\n' "" >> $test_cnf
|
|
printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
|
|
printf '%s\n' "[ v3_req2 ]" >> $test_cnf
|
|
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
|
|
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
|
|
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
|
|
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
|
|
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf
|
|
printf '%s\n' "" >> $test_cnf
|
|
printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
|
|
printf '%s\n' "[ v3_req3 ]" >> $test_cnf
|
|
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
|
|
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
|
|
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
|
|
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
|
|
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf
|
|
printf '%s\n' "" >> $test_cnf
|
|
printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
|
|
printf '%s\n' "[ v3_ca ]" >> $test_cnf
|
|
printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
|
|
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
|
|
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
|
|
printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
|
|
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf
|
|
printf '%s\n' "" >> $test_cnf
|
|
printf '%s\n' "# OCSP extensions." >> $test_cnf
|
|
printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
|
|
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
|
|
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
|
|
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
|
|
printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
|
|
|
|
mv $test_cnf $CERT_DIR/$test_cnf
|
|
cd $CERT_DIR
|
|
CURR_LOC=`pwd`
|
|
printf '%s\n' "echo now in $CURR_LOC"
|
|
./renewcerts-for-test.sh $test_cnf
|
|
cd $WORKSPACE
|
|
}
|
|
|
|
remove_ready_file() {
|
|
if test -e $ready_file; then
|
|
printf '%s\n' "removing ready file"
|
|
rm $ready_file
|
|
fi
|
|
if test -e $ready_file2; then
|
|
printf '%s\n' "removing ready file: $ready_file2"
|
|
rm $ready_file2
|
|
fi
|
|
}
|
|
|
|
|
|
cleanup()
|
|
{
|
|
for i in $(jobs -pr)
|
|
do
|
|
kill -s HUP "$i"
|
|
done
|
|
remove_ready_file
|
|
rm $CERT_DIR/$test_cnf
|
|
restore_originals
|
|
}
|
|
trap cleanup EXIT INT TERM HUP
|
|
|
|
server=login.live.com
|
|
ca=certs/external/baltimore-cybertrust-root.pem
|
|
|
|
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" && exit 1
|
|
|
|
# create a port 0 port to use with openssl ocsp responder
|
|
./examples/server/server -R $ready_file -p $resume_port &
|
|
wait_for_readyFile $ready_file
|
|
if [ ! -f $ready_file ]; then
|
|
printf '%s\n' "Failed to create ready file: \"$ready_file\""
|
|
exit 1
|
|
else
|
|
RPORTSELECTED=`cat $ready_file`
|
|
printf '%s\n' "Random port selected: $RPORTSELECTED"
|
|
# Use client connection to shutdown the server cleanly
|
|
./examples/client/client -p $RPORTSELECTED
|
|
create_new_cnf $RPORTSELECTED
|
|
fi
|
|
sleep 1
|
|
|
|
# is our desired server there? - login.live.com doesn't answers PING
|
|
#./scripts/ping.test $server 2
|
|
|
|
# client test against the server
|
|
# external test case was never running, disable for now but retain case in event
|
|
# we wish to re-activate in the future.
|
|
#./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
|
|
#RESULT=$?
|
|
#[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
|
|
|
|
# setup ocsp responder
|
|
# OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh &
|
|
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
|
|
# purposes!
|
|
openssl ocsp -port $RPORTSELECTED -nmin 1 \
|
|
-index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
|
|
-rsigner certs/ocsp/intermediate1-ca-cert.pem \
|
|
-rkey certs/ocsp/intermediate1-ca-key.pem \
|
|
-CA certs/ocsp/intermediate1-ca-cert.pem \
|
|
$@ \
|
|
&
|
|
|
|
sleep 1
|
|
# "jobs" is not portable for posix. Must use bash interpreter!
|
|
[ $(jobs -r | wc -l) -ne 1 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
|
|
|
|
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
|
|
# client test against our own server - GOOD CERT
|
|
./examples/server/server -c certs/ocsp/server1-cert.pem \
|
|
-k certs/ocsp/server1-key.pem -R $ready_file2 \
|
|
-p $resume_port &
|
|
wait_for_readyFile $ready_file2
|
|
CLI_PORT=`cat $ready_file2`
|
|
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
|
|
-p $CLI_PORT
|
|
RESULT=$?
|
|
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed" && exit 1
|
|
printf '%s\n\n' "Test PASSED!"
|
|
|
|
printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
|
|
# client test against our own server - REVOKED CERT
|
|
remove_single_rF $ready_file2
|
|
./examples/server/server -c certs/ocsp/server2-cert.pem \
|
|
-k certs/ocsp/server2-key.pem -R $ready_file2 \
|
|
-p $resume_port &
|
|
wait_for_readyFile $ready_file2
|
|
CLI_PORT=`cat $ready_file2`
|
|
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \
|
|
-p $CLI_PORT
|
|
RESULT=$?
|
|
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1
|
|
printf '%s\n\n' "Test successfully REVOKED!"
|
|
|
|
exit 0
|