adds ocsp test scripts;

SCRIPTS-LIST

@@ -19,11 +19,18 @@ certs/
  renewcerts.sh - renews test certs and crls
  crl/
   gencrls.sh   - generates crls, used by renewcerts.sh
+ ocsp/
+  renewcerts.sh - renews ocsp certs
+  ocspd0.sh - ocsp responder for root-ca-cert.pem
+  ocspd1.sh - ocsp responder for intermediate1-ca-cert.pem
+  ocspd2.sh - ocsp responder for intermediate2-ca-cert.pem
 
 scripts/
  external.test - example client test against our website, part of tests
  google.test   - example client test against google, part of tests
  resume.test   - example sessoin resume test, part of tests
+ ocsp-stapling.test - example client test against globalsign, part of tests
+ ocsp-stapling2.test - example client test against example server, part of tests
  sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests
                           in sniffer mode
 swig/

certs/external/ca-globalsign-root-r2.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
+MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
+A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
+v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
+eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
+tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
+C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
+zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
+mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
+V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
+bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
+3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
+J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
+291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
+ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
+AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
+TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
+-----END CERTIFICATE-----

certs/external/ca-verisign-g5.pem

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
+ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
+biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
+U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
+aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
+nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
+t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
+SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
+BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
+rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
+NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
+BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
+aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
+MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
+p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
+5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
+WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
+4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
+hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
+-----END CERTIFICATE-----

certs/ocsp/ocspd0.sh

@@ -1,10 +1,8 @@
 #!/bin/bash
 
-openssl ocsp                         \
-    -index index0.txt                \
-    -port 22220                      \
-    -rsigner ocsp-responder-cert.pem \
-    -rkey ocsp-responder-key.pem     \
-    -CA root-ca-cert.pem             \
-    -nmin 1                          \
-    -text
+openssl ocsp -port 22220 -nmin 1 -text          \
+    -index   certs/ocsp/index0.txt              \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem \
+    -rkey    certs/ocsp/ocsp-responder-key.pem  \
+    -CA      certs/ocsp/root-ca-cert.pem        \
+    $@

certs/ocsp/ocspd1.sh

@@ -1,10 +1,8 @@
 #!/bin/bash
 
-openssl ocsp                         \
-    -index index1.txt                \
-    -port 22221                      \
-    -rsigner ocsp-responder-cert.pem \
-    -rkey ocsp-responder-key.pem     \
-    -CA intermediate1-ca-cert.pem    \
-    -nmin 1                          \
-    -text
+openssl ocsp -port 22221 -nmin 1 -text            \
+    -index   certs/ocsp/index1.txt                \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem   \
+    -rkey    certs/ocsp/ocsp-responder-key.pem    \
+    -CA      certs/ocsp/intermediate1-ca-cert.pem \
+    $@

certs/ocsp/ocspd2.sh

@@ -1,10 +1,8 @@
 #!/bin/bash
 
-openssl ocsp                         \
-    -index index2.txt                \
-    -port 22222                      \
-    -rsigner ocsp-responder-cert.pem \
-    -rkey ocsp-responder-key.pem     \
-    -CA intermediate2-ca-cert.pem    \
-    -nmin 1                          \
-    -text
+openssl ocsp -port 22222 -nmin 1 -text            \
+    -index   certs/ocsp/index2.txt                \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem   \
+    -rkey    certs/ocsp/ocsp-responder-key.pem    \
+    -CA      certs/ocsp/intermediate2-ca-cert.pem \
+    $@

configure.ac

@@ -1676,6 +1676,8 @@ then
     fi
 fi
 
+AM_CONDITIONAL([BUILD_OCSP_STAPLING], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
+
 # Certificate Status Request v2 : a.k.a. OCSP stapling v2
 AC_ARG_ENABLE([ocspstapling2],
     [AS_HELP_STRING([--enable-ocspstapling2],[Enable Certificate Status Request v2 - a.k.a. OCSP Stapling v2 (default: disabled)])],
@@ -1696,6 +1698,8 @@ then
     fi
 fi
 
+AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
+
 # Renegotiation Indication - (FAKE Secure Renegotiation)
 AC_ARG_ENABLE([renegotiation-indication],
     [AS_HELP_STRING([--enable-renegotiation-indication],[Enable Renegotiation Indication (default: disabled)])],

examples/client/client.c

@@ -484,7 +484,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
 #ifndef WOLFSSL_VXWORKS
     while ((ch = mygetopt(argc, argv,
-               "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W")) != -1) {
+               "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W:")) != -1) {
         switch (ch) {
             case '?' :
                 Usage();
@@ -678,7 +678,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             case 'W' :
                 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
                  || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
-                    statusRequest = 1;
+                    statusRequest = atoi(myoptarg);
                 #endif
                 break;
 
@@ -1006,18 +1006,35 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif
 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
     if (statusRequest) {
+        switch (statusRequest) {
+            case WOLFSSL_CSR_OCSP:
                 if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP,
                                      WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS)
                     err_sys("UseCertificateStatusRequest failed");
 
+            break;
+        }
+
         wolfSSL_CTX_EnableOCSP(ctx, 0);
     }
 #endif
 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
     if (statusRequest) {
-        if (wolfSSL_UseCertificateStatusRequestV2(ssl, WOLFSSL_CSR2_OCSP,
-                                    WOLFSSL_CSR2_OCSP_USE_NONCE) != SSL_SUCCESS)
+        switch (statusRequest) {
+            case WOLFSSL_CSR2_OCSP:
+                if (wolfSSL_UseCertificateStatusRequestV2(ssl,
+                    WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE)
+                                                                 != SSL_SUCCESS)
                     err_sys("UseCertificateStatusRequest failed");
+            break;
+            case WOLFSSL_CSR2_OCSP_MULTI:
+                if (wolfSSL_UseCertificateStatusRequestV2(ssl,
+                    WOLFSSL_CSR2_OCSP_MULTI, 0)
+                                                                 != SSL_SUCCESS)
+                    err_sys("UseCertificateStatusRequest failed");
+            break;
+
+        }
 
         wolfSSL_CTX_EnableOCSP(ctx, 0);
     }

examples/server/server.c

@@ -729,7 +729,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
  || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
         if (wolfSSL_CTX_EnableOCSPStapling(ctx) != SSL_SUCCESS)
             err_sys("can't enable OCSP Stapling Certificate Manager");
-        if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS)
+        if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate1-ca-cert.pem", 0) != SSL_SUCCESS)
+            err_sys("can't load ca file, Please run from wolfSSL home dir");
+        if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate2-ca-cert.pem", 0) != SSL_SUCCESS)
             err_sys("can't load ca file, Please run from wolfSSL home dir");
 #endif
 #ifdef HAVE_PK_CALLBACKS
@@ -967,5 +969,3 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
         return 0;
     }
 #endif
-
-

scripts/include.am

@@ -9,6 +9,7 @@ dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test
 endif
 
 if BUILD_EXAMPLES
+
 dist_noinst_SCRIPTS+= scripts/resume.test
 EXTRA_DIST+= scripts/benchmark.test
 
@@ -23,6 +24,21 @@ dist_noinst_SCRIPTS+= scripts/external.test
 dist_noinst_SCRIPTS+= scripts/google.test
 #dist_noinst_SCRIPTS+= scripts/openssl.test
 endif
+
+if BUILD_OCSP
+dist_noinst_SCRIPTS+= scripts/ocsp.test
+endif
+
+if BUILD_OCSP_STAPLING
+dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
+scripts/ocsp-stapling.log: scripts/ocsp.log
+endif
+
+if BUILD_OCSP_STAPLING_V2
+dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test
+scripts/ocsp-stapling2.log: scripts/ocsp.log
+endif
+
 endif
 
 

scripts/ocsp-stapling.test

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
+
+server=login.live.com
+ca=certs/external/ca-verisign-g5.pem
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# is our desired server there? - login.live.com doesn't answers PING
+# ping -c 2 $server
+# RESULT=$?
+# [ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0
+
+# client test against the server
+./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# setup ocsp responder
+./certs/ocsp/ocspd1.sh &
+
+# client test against our own server - GOOD CERT
+./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# client test against our own server - REVOKED CERT
+./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
+
+exit 0

scripts/ocsp-stapling2.test

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# setup ocsp responders
+./certs/ocsp/ocspd0.sh &
+./certs/ocsp/ocspd1.sh &
+./certs/ocsp/ocspd2.sh &
+
+# client test against our own server - GOOD CERTS
+./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# client test against our own server - REVOKED SERVER CERT
+./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2
+RESULT=$?
+[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
+
+# client test against our own server - REVOKED INTERMEDIATE CERT
+./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/intermediate2-ca-cert.pem -W 2
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
+
+exit 0

scripts/ocsp.test

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+server=www.globalsign.com
+ca=certs/external/ca-globalsign-root-r2.pem
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# is our desired server there?
+ping -c 2 $server
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0
+
+# client test against the server
+./examples/client/client -X -C -h $server -p 443 -A $ca -g -o
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+exit 0

src/internal.c

@@ -4491,7 +4491,6 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
         if (fatal == 0) {
             int doLookup = 1;
 
-            /* TODO CSR2 */
             if (ssl->options.side == WOLFSSL_CLIENT_END) {
 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
                 if (ssl->status_request) {