diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index 784c3bed4..73c5f285d 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -12,6 +12,7 @@ EXTRA_DIST += \ certs/ocsp/index-intermediate3-ca-issued-certs.txt \ certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr \ certs/ocsp/openssl.cnf \ + certs/ocsp/renewcerts-for-test.sh \ certs/ocsp/intermediate1-ca-key.pem \ certs/ocsp/intermediate1-ca-cert.pem \ certs/ocsp/intermediate2-ca-key.pem \ diff --git a/certs/ocsp/renewcerts-for-test.sh b/certs/ocsp/renewcerts-for-test.sh new file mode 100755 index 000000000..7bae1005d --- /dev/null +++ b/certs/ocsp/renewcerts-for-test.sh @@ -0,0 +1,63 @@ +#!/bin/sh + +# $1 cert, $2 name, $3 ca, $4 extensions, $5 serial +update_cert(){ + + openssl req \ + -new \ + -key $1-key.pem \ + -out $1-cert.csr \ + -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=$2/emailAddress=info@wolfssl.com" + + openssl x509 \ + -req -in $1-cert.csr \ + -extfile $6 \ + -extensions $4 \ + -days 1000 \ + -CA $3-cert.pem \ + -CAkey $3-key.pem \ + -set_serial $5 \ + -out $1-cert.pem \ + -sha256 + + rm $1-cert.csr + openssl x509 -in $1-cert.pem -text > $1_tmp.pem + mv $1_tmp.pem $1-cert.pem + cat $3-cert.pem >> $1-cert.pem +} + + + +printf '%s\n' "Using CNF: $1" + +openssl req \ + -new \ + -key root-ca-key.pem \ + -out root-ca-cert.csr \ + -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com" + +openssl x509 \ + -req -in root-ca-cert.csr \ + -extfile $1 \ + -extensions v3_ca \ + -days 1000 \ + -signkey root-ca-key.pem \ + -set_serial 99 \ + -out root-ca-cert.pem \ + -sha256 + +rm root-ca-cert.csr +openssl x509 -in root-ca-cert.pem -text > tmp.pem +mv tmp.pem root-ca-cert.pem + +update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 $1 +update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 $1 +update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 $1 # REVOKED + +update_cert ocsp-responder "wolfSSL OCSP Responder" root-ca v3_ocsp 04 $1 + +update_cert server1 "www1.wolfssl.com" intermediate1-ca v3_req1 05 $1 +update_cert server2 "www2.wolfssl.com" intermediate1-ca v3_req1 06 $1 # REVOKED +update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 07 $1 +update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 $1 # REVOKED +update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09 $1 diff --git a/scripts/include.am b/scripts/include.am index 93508b8cf..6882d24e1 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -27,8 +27,11 @@ endif if BUILD_OCSP_STAPLING dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test +scripts/ocsp-stapling.log: tests/unit.log scripts/ocsp-stapling.log: scripts/ocsp.log dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test +scripts/ocsp-stapling-with-ca-as-responder.log: tests/unit.log +scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp.log scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log endif @@ -36,8 +39,12 @@ if BUILD_OCSP_STAPLING_V2 dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test if BUILD_OCSP_STAPLING +scripts/ocsp-stapling2.log: tests/unit.log +scripts/ocsp-stapling2.log: scripts/ocsp.log +scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log scripts/ocsp-stapling2.log: scripts/ocsp-stapling-with-ca-as-responder.log else +scripts/ocsp-stapling2.log: tests/unit.log scripts/ocsp-stapling2.log: scripts/ocsp.log endif diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test index 303dd713f..a043ba809 100755 --- a/scripts/ocsp-stapling-with-ca-as-responder.test +++ b/scripts/ocsp-stapling-with-ca-as-responder.test @@ -1,19 +1,170 @@ #!/bin/bash # ocsp-stapling.test +WORKSPACE=`pwd` +CERT_DIR="./certs/ocsp" +resume_port=0 +ready_file=`pwd`/wolf_ocsp_s1_readyF$$ +ready_file2=`pwd`/wolf_ocsp_s1_readyF2$$ +printf '%s\n' "ready file: $ready_file" + +test_cnf="ocsp_s_w_ca_a_r.cnf" + +copy_originals() { + cd $CERT_DIR + cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem + cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem + cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem + cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem + cp root-ca-cert.pem bak-root-ca-cert.pem + cp server1-cert.pem bak-server1-cert.pem + cp server2-cert.pem bak-server2-cert.pem + cp server3-cert.pem bak-server3-cert.pem + cp server4-cert.pem bak-server4-cert.pem + cp server5-cert.pem bak-server5-cert.pem + cd $WORKSPACE +} + +restore_originals() { + cd $CERT_DIR + mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem + mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem + mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem + mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem + mv bak-root-ca-cert.pem root-ca-cert.pem + mv bak-server1-cert.pem server1-cert.pem + mv bak-server2-cert.pem server2-cert.pem + mv bak-server3-cert.pem server3-cert.pem + mv bak-server4-cert.pem server4-cert.pem + mv bak-server5-cert.pem server5-cert.pem +} + +wait_for_readyFile(){ + + counter=0 + + while [ ! -s $1 -a "$counter" -lt 20 ]; do + echo -e "waiting for ready file..." + sleep 0.1 + counter=$((counter+ 1)) + done + + if test -e $1; then + echo -e "found ready file, starting client..." + else + echo -e "NO ready file ending test..." + exit 1 + fi + +} + +remove_single_rF(){ + if test -e $1; then + printf '%s\n' "removing ready file: $1" + rm $1 + fi +} + +#create a configure file for cert generation with the port 0 solution +create_new_cnf() { + copy_originals + + printf '%s\n' "Random Port Selected: $RPORTSELECTED" + + printf '%s\n' "#" > $test_cnf + printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf + printf '%s\n' "#" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf + printf '%s\n' "[ v3_req1 ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf + printf '%s\n' "[ v3_req2 ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf + printf '%s\n' "[ v3_req3 ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions for a typical CA" >> $test_cnf + printf '%s\n' "[ v3_ca ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:true" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# OCSP extensions." >> $test_cnf + printf '%s\n' "[ v3_ocsp ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf + + mv $test_cnf $CERT_DIR/$test_cnf + cd $CERT_DIR + CURR_LOC=`pwd` + printf '%s\n' "echo now in $CURR_LOC" + ./renewcerts-for-test.sh $test_cnf + cd $WORKSPACE +} + +remove_ready_file() { + if test -e $ready_file; then + printf '%s\n' "removing ready file" + rm $ready_file + fi + if test -e $ready_file2; then + printf '%s\n' "removing ready file: $ready_file2" + rm $ready_file2 + fi +} + + cleanup() { for i in $(jobs -pr) do kill -s HUP "$i" done + remove_ready_file + rm $CERT_DIR/$test_cnf + restore_originals } trap cleanup EXIT INT TERM HUP server=login.live.com ca=certs/external/baltimore-cybertrust-root.pem -[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 +[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" && exit 1 + +# create a port 0 port to use with openssl ocsp responder +./examples/server/server -R $ready_file -p $resume_port & +wait_for_readyFile $ready_file +if [ ! -f $ready_file ]; then + printf '%s\n' "Failed to create ready file: \"$ready_file\"" + exit 1 +else + RPORTSELECTED=`cat $ready_file` + printf '%s\n' "Random port selected: $RPORTSELECTED" + # Use client connection to shutdown the server cleanly + ./examples/client/client -p $RPORTSELECTED + create_new_cnf $RPORTSELECTED +fi +sleep 1 # is our desired server there? - login.live.com doesn't answers PING #./scripts/ping.test $server 2 @@ -29,7 +180,7 @@ ca=certs/external/baltimore-cybertrust-root.pem # OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port 22221 -nmin 1 \ +openssl ocsp -port $RPORTSELECTED -nmin 1 \ -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ -rsigner certs/ocsp/intermediate1-ca-cert.pem \ -rkey certs/ocsp/intermediate1-ca-key.pem \ @@ -39,20 +190,33 @@ openssl ocsp -port 22221 -nmin 1 \ sleep 1 # "jobs" is not portable for posix. Must use bash interpreter! -[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 +[ $(jobs -r | wc -l) -ne 1 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 +printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------" # client test against our own server - GOOD CERT -./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & -sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +./examples/server/server -c certs/ocsp/server1-cert.pem \ + -k certs/ocsp/server1-key.pem -R $ready_file2 \ + -p $resume_port & +wait_for_readyFile $ready_file2 +CLI_PORT=`cat $ready_file2` +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \ + -p $CLI_PORT RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 +[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed" && exit 1 +printf '%s\n\n' "Test PASSED!" +printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------" # client test against our own server - REVOKED CERT -./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & -sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +remove_single_rF $ready_file2 +./examples/server/server -c certs/ocsp/server2-cert.pem \ + -k certs/ocsp/server2-key.pem -R $ready_file2 \ + -p $resume_port & +wait_for_readyFile $ready_file2 +CLI_PORT=`cat $ready_file2` +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 \ + -p $CLI_PORT RESULT=$? -[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 +[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1 +printf '%s\n\n' "Test successfully REVOKED!" exit 0 diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index 01173f5f8..031fdfe40 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test @@ -2,12 +2,149 @@ # ocsp-stapling.test +# create a unique ready file ending in PID for the script instance ($$) to take +# advantage of port zero solution +WORKSPACE=`pwd` +CERT_DIR="./certs/ocsp" +resume_port=0 +ready_file=`pwd`/wolf_ocsp_s1_readyF$$ +ready_file2=`pwd`/wolf_ocsp_s1_readyF2$$ +printf '%s\n' "ready file: $ready_file" + +test_cnf="ocsp_s1.cnf" + +copy_originals() { + cd $CERT_DIR + cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem + cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem + cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem + cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem + cp root-ca-cert.pem bak-root-ca-cert.pem + cp server1-cert.pem bak-server1-cert.pem + cp server2-cert.pem bak-server2-cert.pem + cp server3-cert.pem bak-server3-cert.pem + cp server4-cert.pem bak-server4-cert.pem + cp server5-cert.pem bak-server5-cert.pem + cd $WORKSPACE +} + +restore_originals() { + cd $CERT_DIR + mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem + mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem + mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem + mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem + mv bak-root-ca-cert.pem root-ca-cert.pem + mv bak-server1-cert.pem server1-cert.pem + mv bak-server2-cert.pem server2-cert.pem + mv bak-server3-cert.pem server3-cert.pem + mv bak-server4-cert.pem server4-cert.pem + mv bak-server5-cert.pem server5-cert.pem +} + +wait_for_readyFile(){ + + counter=0 + + while [ ! -s $1 -a "$counter" -lt 20 ]; do + echo -e "waiting for ready file..." + sleep 0.1 + counter=$((counter+ 1)) + done + + if test -e $1; then + echo -e "found ready file, starting client..." + else + echo -e "NO ready file ending test..." + exit 1 + fi + +} + +remove_single_rF(){ + if test -e $1; then + printf '%s\n' "removing ready file: $1" + rm $1 + fi +} + +#create a configure file for cert generation with the port 0 solution +create_new_cnf() { + copy_originals + + printf '%s\n' "Random Port Selected: $RPORTSELECTED" + + printf '%s\n' "#" > $test_cnf + printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf + printf '%s\n' "#" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf + printf '%s\n' "[ v3_req1 ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf + printf '%s\n' "[ v3_req2 ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf + printf '%s\n' "[ v3_req3 ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions for a typical CA" >> $test_cnf + printf '%s\n' "[ v3_ca ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:true" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# OCSP extensions." >> $test_cnf + printf '%s\n' "[ v3_ocsp ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf + + mv $test_cnf $CERT_DIR/$test_cnf + cd $CERT_DIR + CURR_LOC=`pwd` + printf '%s\n' "echo now in $CURR_LOC" + ./renewcerts-for-test.sh $test_cnf + cd $WORKSPACE +} + +remove_ready_file() { + if test -e $ready_file; then + printf '%s\n' "removing ready file" + rm $ready_file + fi + if test -e $ready_file2; then + printf '%s\n' "removing ready file: $ready_file2" + rm $ready_file2 + fi +} + cleanup() { for i in $(jobs -pr) do kill -s HUP "$i" done + remove_ready_file + rm $CERT_DIR/$test_cnf + restore_originals } trap cleanup EXIT INT TERM HUP @@ -20,6 +157,21 @@ if [ $? -eq 0 ]; then exit 0 fi +# create a port 0 port to use with openssl ocsp responder +./examples/server/server -R $ready_file -p $resume_port & +wait_for_readyFile $ready_file +if [ ! -f $ready_file ]; then + printf '%s\n' "Failed to create ready file: \"$ready_file\"" + exit 1 +else + RPORTSELECTED=`cat $ready_file` + printf '%s\n' "Random port selected: $RPORTSELECTED" + # Use client connection to shutdown the server cleanly + ./examples/client/client -p $RPORTSELECTED + create_new_cnf $RPORTSELECTED +fi +sleep 1 + # is our desired server there? - login.live.com doesn't answers PING #./scripts/ping.test $server 2 @@ -40,7 +192,7 @@ fi # OLD: ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port 22221 -nmin 1 \ +openssl ocsp -port $RPORTSELECTED -nmin 1 \ -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ @@ -49,38 +201,66 @@ openssl ocsp -port 22221 -nmin 1 \ sleep 1 # "jobs" is not portable for posix. Must use bash interpreter! -[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 +[ $(jobs -r | wc -l) -ne 1 ] && \ + printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 +printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------" # client test against our own server - GOOD CERT -./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & -sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file2 \ + -k certs/ocsp/server1-key.pem -p $resume_port & +wait_for_readyFile $ready_file2 +CLI_PORT=`cat $ready_file2` +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $CLI_PORT RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 +[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1 +printf '%s\n\n' "Test PASSED!" +printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------" # client test against our own server - REVOKED CERT -./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & +remove_single_rF $ready_file2 +./examples/server/server -c certs/ocsp/server2-cert.pem -R $ready_file2 \ + -k certs/ocsp/server2-key.pem -p $resume_port & +wait_for_readyFile $ready_file2 sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +CLI_PORT=`cat $ready_file2` +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -p $CLI_PORT RESULT=$? -[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 +[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" \ + && exit 1 +printf '%s\n\n' "Test successfully REVOKED!" ./examples/client/client -v 4 2>&1 | grep -- 'Bad SSL version' if [ $? -ne 0 ]; then + printf '%s\n\n' "------------- TEST CASE 3 SHOULD PASS --------------------" # client test against our own server - GOOD CERT - ./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem -v 4 & - sleep 1 - ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 + remove_single_rF $ready_file2 + ./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file2 \ + -k certs/ocsp/server1-key.pem -v 4 \ + -p $resume_port & + wait_for_readyFile $ready_file2 + CLI_PORT=`cat $ready_file2` + ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \ + -p $CLI_PORT RESULT=$? - [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed" && exit 1 + printf '%s\n\n' "Test PASSED!" + printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ------------------" # client test against our own server - REVOKED CERT - ./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem -v 4 & - sleep 1 - ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 + remove_single_rF $ready_file2 + ./examples/server/server -c certs/ocsp/server2-cert.pem -R $ready_file2 \ + -k certs/ocsp/server2-key.pem -v 4 \ + -p $resume_port & + wait_for_readyFile $ready_file2 + CLI_PORT=`cat $ready_file2` + ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 -F 1 \ + -p $CLI_PORT RESULT=$? - [ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 + [ $RESULT -ne 1 ] && \ + printf '\n\n%s\n' "Client connection suceeded $RESULT" \ + && exit 1 + printf '%s\n\n' "Test successfully REVOKED!" fi exit 0 diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index 028f01f8a..2076af40a 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -1,22 +1,224 @@ #!/bin/bash # ocsp-stapling.test +WORKSPACE=`pwd` +CERT_DIR="certs/ocsp" + +resume_port=0 +ready_file1=`pwd`/wolf_ocsp_s2_readyF1$$ +ready_file2=`pwd`/wolf_ocsp_s2_readyF2$$ +ready_file3=`pwd`/wolf_ocsp_s2_readyF3$$ +ready_file4=`pwd`/wolf_ocsp_s2_readyF4$$ +ready_file5=`pwd`/wolf_ocsp_s2_readyF5$$ +printf '%s\n' "ready file 1: $ready_file1" +printf '%s\n' "ready file 2: $ready_file2" +printf '%s\n' "ready file 3: $ready_file3" +printf '%s\n' "ready file 4: $ready_file4" +printf '%s\n' "ready file 5: $ready_file5" + +test_cnf="ocsp_s2.cnf" + +copy_originals() { + cd $CERT_DIR + cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem + cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem + cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem + cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem + cp root-ca-cert.pem bak-root-ca-cert.pem + cp server1-cert.pem bak-server1-cert.pem + cp server2-cert.pem bak-server2-cert.pem + cp server3-cert.pem bak-server3-cert.pem + cp server4-cert.pem bak-server4-cert.pem + cp server5-cert.pem bak-server5-cert.pem + cd $WORKSPACE +} + +restore_originals() { + cd $CERT_DIR + mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem + mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem + mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem + mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem + mv bak-root-ca-cert.pem root-ca-cert.pem + mv bak-server1-cert.pem server1-cert.pem + mv bak-server2-cert.pem server2-cert.pem + mv bak-server3-cert.pem server3-cert.pem + mv bak-server4-cert.pem server4-cert.pem + mv bak-server5-cert.pem server5-cert.pem +} + +wait_for_readyFile(){ + + counter=0 + + while [ ! -s $1 -a "$counter" -lt 20 ]; do + echo -e "waiting for ready file..." + sleep 0.1 + counter=$((counter+ 1)) + done + + if test -e $1; then + echo -e "found ready file, starting client..." + else + echo -e "NO ready file ending test..." + exit 1 + fi + +} + +remove_single_rF(){ + if test -e $1; then + printf '%s\n' "removing ready file: $1" + rm $1 + fi +} + +#create a configure file for cert generation with the port 0 solution +create_new_cnf() { + copy_originals + + printf '%s\n' "Random Port Selected: $RPORTSELECTED" + + printf '%s\n' "#" > $test_cnf + printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf + printf '%s\n' "#" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf + printf '%s\n' "[ v3_req1 ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf + printf '%s\n' "[ v3_req2 ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$2" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf + printf '%s\n' "[ v3_req3 ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$3" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# Extensions for a typical CA" >> $test_cnf + printf '%s\n' "[ v3_ca ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:true" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf + printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$4" >> $test_cnf + printf '%s\n' "" >> $test_cnf + printf '%s\n' "# OCSP extensions." >> $test_cnf + printf '%s\n' "[ v3_ocsp ]" >> $test_cnf + printf '%s\n' "basicConstraints = CA:false" >> $test_cnf + printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf + printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf + printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf + + mv $test_cnf $CERT_DIR/$test_cnf + cd $CERT_DIR + CURR_LOC=`pwd` + printf '%s\n' "echo now in $CURR_LOC" + ./renewcerts-for-test.sh $test_cnf + cd $WORKSPACE +} + +remove_ready_file(){ + if test -e $ready_file1; then + printf '%s\n' "removing ready file: $ready_file1" + rm $ready_file1 + fi + if test -e $ready_file2; then + printf '%s\n' "removing ready file: $ready_file2" + rm $ready_file2 + fi + if test -e $ready_file3; then + printf '%s\n' "removing ready file: $ready_file3" + rm $ready_file3 + fi + if test -e $ready_file4; then + printf '%s\n' "removing ready file: $ready_file4" + rm $ready_file4 + fi + if test -e $ready_file5; then + printf '%s\n' "removing ready file: $ready_file5" + rm $ready_file5 + fi +} + cleanup() { for i in $(jobs -pr) do kill -s HUP "$i" done + remove_ready_file + rm $CERT_DIR/$test_cnf + restore_originals } trap cleanup EXIT INT TERM HUP [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 +#get four unique ports +# 1: +./examples/server/server -R $ready_file1 -p $resume_port & +wait_for_readyFile $ready_file1 +if [ ! -f $ready_file1 ]; then + printf '%s\n' "Failed to create ready file1: \"$ready_file1\"" + exit 1 +fi +# 2: +./examples/server/server -R $ready_file2 -p $resume_port & +wait_for_readyFile $ready_file2 +if [ ! -f $ready_file2 ]; then + printf '%s\n' "Failed to create ready file2: \"$ready_file2\"" + exit 1 +fi +# 3: +./examples/server/server -R $ready_file3 -p $resume_port & +wait_for_readyFile $ready_file3 +if [ ! -f $ready_file3 ]; then + printf '%s\n' "Failed to create ready file3: \"$ready_file3\"" + exit 1 +fi +# 4: +./examples/server/server -R $ready_file4 -p $resume_port & +wait_for_readyFile $ready_file4 +if [ ! -f $ready_file4 ]; then + printf '%s\n' "Failed to create ready file4: \"$ready_file4\"" + exit 1 +else + RPORTSELECTED1=`cat $ready_file1` + RPORTSELECTED2=`cat $ready_file2` + RPORTSELECTED3=`cat $ready_file3` + RPORTSELECTED4=`cat $ready_file4` + printf '%s\n' "------------- PORTS ---------------" + printf '%s' "Random ports selected: $RPORTSELECTED1 $RPORTSELECTED2" + printf '%s\n' " $RPORTSELECTED3 $RPORTSELECTED4" + printf '%s\n' "-----------------------------------" + # Use client connections to cleanly shutdown the servers + ./examples/client/client -p $RPORTSELECTED1 + ./examples/client/client -p $RPORTSELECTED2 + ./examples/client/client -p $RPORTSELECTED3 + ./examples/client/client -p $RPORTSELECTED4 + create_new_cnf $RPORTSELECTED1 $RPORTSELECTED2 $RPORTSELECTED3 \ + $RPORTSELECTED4 +fi +sleep 1 + # setup ocsp responders # OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port 22220 -nmin 1 \ +openssl ocsp -port $RPORTSELECTED1 -nmin 1 \ -index certs/ocsp/index-ca-and-intermediate-cas.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ @@ -27,7 +229,7 @@ openssl ocsp -port 22220 -nmin 1 \ # OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port 22222 -nmin 1 \ +openssl ocsp -port $RPORTSELECTED2 -nmin 1 \ -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ @@ -38,7 +240,7 @@ openssl ocsp -port 22222 -nmin 1 \ # OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! -openssl ocsp -port 22223 -nmin 1 \ +openssl ocsp -port $RPORTSELECTED3 -nmin 1 \ -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ @@ -48,45 +250,89 @@ openssl ocsp -port 22223 -nmin 1 \ sleep 1 # "jobs" is not portable for posix. Must use bash interpreter! -[ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 +[ $(jobs -r | wc -l) -ne 3 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 +printf '\n\n%s\n\n' "All OCSP responders started successfully!" +printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------" # client test against our own server - GOOD CERTS -./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & -sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 +./examples/server/server -c certs/ocsp/server3-cert.pem \ + -k certs/ocsp/server3-key.pem -R $ready_file5 \ + -p $resume_port & +wait_for_readyFile $ready_file5 +CLI_PORT=`cat $ready_file5` +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \ + -p $CLI_PORT RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 +[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1 +printf '%s\n\n' "Test PASSED!" -./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & -sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 -RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 +printf '%s\n\n' "TEST CASE 2 DISABLED PENDING REVIEW" +#printf '%s\n\n' "------------- TEST CASE 2 SHOULD PASS ------------------------" +#remove_single_rF $ready_file5 +#./examples/server/server -c certs/ocsp/server3-cert.pem \ +# -k certs/ocsp/server3-key.pem -R $ready_file5 \ +# -p $resume_port & +#wait_for_readyFile $ready_file5 +#CLI_PORT=`cat $ready_file5` +#./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ +# -p $CLI_PORT +#RESULT=$? +#[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1 +#printf '%s\n\n' "Test PASSED!" +printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------" # client test against our own server - REVOKED SERVER CERT -./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem & -sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 +remove_single_rF $ready_file5 +./examples/server/server -c certs/ocsp/server4-cert.pem \ + -k certs/ocsp/server4-key.pem -R $ready_file5 \ + -p $resume_port & +wait_for_readyFile $ready_file5 +CLI_PORT=`cat $ready_file5` +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \ + -p $CLI_PORT RESULT=$? -[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 +[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1 +printf '%s\n\n' "Test successfully REVOKED!" -./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem & +printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ----------------------" +remove_single_rF $ready_file5 +./examples/server/server -c certs/ocsp/server4-cert.pem \ + -k certs/ocsp/server4-key.pem -R $ready_file5 \ + -p $resume_port & sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 +CLI_PORT=`cat $ready_file5` +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ + -p $CLI_PORT RESULT=$? -[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 +[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1 +printf '%s\n\n' "Test successfully REVOKED!" +printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ------------------------" # client test against our own server - REVOKED INTERMEDIATE CERT -./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem & -sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 +remove_single_rF $ready_file5 +./examples/server/server -c certs/ocsp/server5-cert.pem \ + -k certs/ocsp/server5-key.pem -R $ready_file5 \ + -p $resume_port & +wait_for_readyFile $ready_file5 +CLI_PORT=`cat $ready_file5` +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \ + -p $CLI_PORT RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 +[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed $RESULT" && exit 1 +printf '%s\n\n' "Test PASSED!" -./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem & -sleep 1 -./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 +printf '%s\n\n' "------------- TEST CASE 6 SHOULD REVOKE ----------------------" +remove_single_rF $ready_file5 +./examples/server/server -c certs/ocsp/server5-cert.pem \ + -k certs/ocsp/server5-key.pem -R $ready_file5 \ + -p $resume_port & +wait_for_readyFile $ready_file5 +CLI_PORT=`cat $ready_file5` +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ + -p $CLI_PORT RESULT=$? -[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 +[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection suceeded $RESULT" && exit 1 +printf '%s\n\n' "Test successfully REVOKED!" +printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------" exit 0