feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

adds ocsp test scripts;

Browse Source
This commit is contained in:
Moisés Guimarães
2015-12-13 18:02:19 -03:00
parent d30a1be572
commit 196b983b7b
14 changed files with 219 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
SCRIPTS-LIST
View File

@@ -19,13 +19,20 @@ certs/
renewcerts.sh - renews test certs and crls
crl/
gencrls.sh - generates crls, used by renewcerts.sh
ocsp/
renewcerts.sh - renews ocsp certs
ocspd0.sh - ocsp responder for root-ca-cert.pem
ocspd1.sh - ocsp responder for intermediate1-ca-cert.pem
ocspd2.sh - ocsp responder for intermediate2-ca-cert.pem
scripts/
external.test - example client test against our website, part of tests
google.test - example client test against google, part of tests
resume.test - example sessoin resume test, part of tests
sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests
in sniffer mode
ocsp-stapling.test - example client test against globalsign, part of tests
ocsp-stapling2.test - example client test against example server, part of tests
sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests
in sniffer mode
swig/
PythonBuild.sh - builds and runs simple python example

22
certs/external/ca-globalsign-root-r2.pem vendored Normal file
View File

@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
-----END CERTIFICATE-----

28
certs/external/ca-verisign-g5.pem vendored Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
-----END CERTIFICATE-----

14
certs/ocsp/ocspd0.sh
View File

@@ -1,10 +1,8 @@
#!/bin/bash
openssl ocsp \
-index index0.txt \
-port 22220 \
-rsigner ocsp-responder-cert.pem \
-rkey ocsp-responder-key.pem \
-CA root-ca-cert.pem \
-nmin 1 \
-text
openssl ocsp -port 22220 -nmin 1 -text \
-index certs/ocsp/index0.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/root-ca-cert.pem \
$@

14
certs/ocsp/ocspd1.sh
View File

@@ -1,10 +1,8 @@
#!/bin/bash
openssl ocsp \
-index index1.txt \
-port 22221 \
-rsigner ocsp-responder-cert.pem \
-rkey ocsp-responder-key.pem \
-CA intermediate1-ca-cert.pem \
-nmin 1 \
-text
openssl ocsp -port 22221 -nmin 1 -text \
-index certs/ocsp/index1.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate1-ca-cert.pem \
$@

14
certs/ocsp/ocspd2.sh
View File

@@ -1,10 +1,8 @@
#!/bin/bash
openssl ocsp \
-index index2.txt \
-port 22222 \
-rsigner ocsp-responder-cert.pem \
-rkey ocsp-responder-key.pem \
-CA intermediate2-ca-cert.pem \
-nmin 1 \
-text
openssl ocsp -port 22222 -nmin 1 -text \
-index certs/ocsp/index2.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate2-ca-cert.pem \
$@

4
configure.ac
View File

@@ -1676,6 +1676,8 @@ then
fi
fi
AM_CONDITIONAL([BUILD_OCSP_STAPLING], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
# Certificate Status Request v2 : a.k.a. OCSP stapling v2
AC_ARG_ENABLE([ocspstapling2],
[AS_HELP_STRING([--enable-ocspstapling2],[Enable Certificate Status Request v2 - a.k.a. OCSP Stapling v2 (default: disabled)])],
@@ -1696,6 +1698,8 @@ then
fi
fi
AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
# Renegotiation Indication - (FAKE Secure Renegotiation)
AC_ARG_ENABLE([renegotiation-indication],
[AS_HELP_STRING([--enable-renegotiation-indication],[Enable Renegotiation Indication (default: disabled)])],

31
examples/client/client.c
View File

@@ -484,7 +484,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifndef WOLFSSL_VXWORKS
while ((ch = mygetopt(argc, argv,
"?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W")) != -1) {
"?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W:")) != -1) {
switch (ch) {
case '?' :
Usage();
@@ -678,7 +678,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
case 'W' :
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
statusRequest = 1;
statusRequest = atoi(myoptarg);
#endif
break;
@@ -1006,18 +1006,35 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
if (statusRequest) {
if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP,
switch (statusRequest) {
case WOLFSSL_CSR_OCSP:
if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP,
WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS)
err_sys("UseCertificateStatusRequest failed");
err_sys("UseCertificateStatusRequest failed");
break;
}
wolfSSL_CTX_EnableOCSP(ctx, 0);
}
#endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
if (statusRequest) {
if (wolfSSL_UseCertificateStatusRequestV2(ssl, WOLFSSL_CSR2_OCSP,
WOLFSSL_CSR2_OCSP_USE_NONCE) != SSL_SUCCESS)
err_sys("UseCertificateStatusRequest failed");
switch (statusRequest) {
case WOLFSSL_CSR2_OCSP:
if (wolfSSL_UseCertificateStatusRequestV2(ssl,
WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE)
!= SSL_SUCCESS)
err_sys("UseCertificateStatusRequest failed");
break;
case WOLFSSL_CSR2_OCSP_MULTI:
if (wolfSSL_UseCertificateStatusRequestV2(ssl,
WOLFSSL_CSR2_OCSP_MULTI, 0)
!= SSL_SUCCESS)
err_sys("UseCertificateStatusRequest failed");
break;
}
wolfSSL_CTX_EnableOCSP(ctx, 0);
}

6
examples/server/server.c
View File

@@ -729,7 +729,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
if (wolfSSL_CTX_EnableOCSPStapling(ctx) != SSL_SUCCESS)
err_sys("can't enable OCSP Stapling Certificate Manager");
if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS)
if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate1-ca-cert.pem", 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate2-ca-cert.pem", 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
#endif
#ifdef HAVE_PK_CALLBACKS
@@ -967,5 +969,3 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
return 0;
}
#endif

18
scripts/include.am
View File

@@ -9,8 +9,9 @@ dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test
endif
if BUILD_EXAMPLES
dist_noinst_SCRIPTS+= scripts/resume.test
EXTRA_DIST+= scripts/benchmark.test
EXTRA_DIST+= scripts/benchmark.test
if BUILD_CRL
# make revoked test rely on completion of resume test
@@ -23,6 +24,21 @@ dist_noinst_SCRIPTS+= scripts/external.test
dist_noinst_SCRIPTS+= scripts/google.test
#dist_noinst_SCRIPTS+= scripts/openssl.test
endif
if BUILD_OCSP
dist_noinst_SCRIPTS+= scripts/ocsp.test
endif
if BUILD_OCSP_STAPLING
dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
scripts/ocsp-stapling.log: scripts/ocsp.log
endif
if BUILD_OCSP_STAPLING_V2
dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test
scripts/ocsp-stapling2.log: scripts/ocsp.log
endif
endif

39
scripts/ocsp-stapling.test Executable file
View File

@@ -0,0 +1,39 @@
#!/bin/sh
# ocsp-stapling.test
trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
server=login.live.com
ca=certs/external/ca-verisign-g5.pem
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# is our desired server there? - login.live.com doesn't answers PING
# ping -c 2 $server
# RESULT=$?
# [ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0
# client test against the server
./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
# setup ocsp responder
./certs/ocsp/ocspd1.sh &
# client test against our own server - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
sleep 1
./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
# client test against our own server - REVOKED CERT
./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
sleep 1
./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1
RESULT=$?
[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
exit 0

35
scripts/ocsp-stapling2.test Executable file
View File

@@ -0,0 +1,35 @@
#!/bin/sh
# ocsp-stapling.test
trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# setup ocsp responders
./certs/ocsp/ocspd0.sh &
./certs/ocsp/ocspd1.sh &
./certs/ocsp/ocspd2.sh &
# client test against our own server - GOOD CERTS
./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
sleep 1
./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
# client test against our own server - REVOKED SERVER CERT
./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
sleep 1
./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2
RESULT=$?
[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
# client test against our own server - REVOKED INTERMEDIATE CERT
./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
sleep 1
./examples/client/client -A certs/ocsp/intermediate2-ca-cert.pem -W 2
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
exit 0

20
scripts/ocsp.test Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/sh
# ocsp-stapling.test
server=www.globalsign.com
ca=certs/external/ca-globalsign-root-r2.pem
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# is our desired server there?
ping -c 2 $server
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0
# client test against the server
./examples/client/client -X -C -h $server -p 443 -A $ca -g -o
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
exit 0

1
src/internal.c
View File

@@ -4491,7 +4491,6 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (fatal == 0) {
int doLookup = 1;
/* TODO CSR2 */
if (ssl->options.side == WOLFSSL_CLIENT_END) {
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
if (ssl->status_request) {