diff --git a/SCRIPTS-LIST b/SCRIPTS-LIST
index 2f2306590..ffea9432f 100644
--- a/SCRIPTS-LIST
+++ b/SCRIPTS-LIST
@@ -19,13 +19,20 @@ certs/
 renewcerts.sh - renews test certs and crls
 crl/
 gencrls.sh - generates crls, used by renewcerts.sh
+ ocsp/
+ renewcerts.sh - renews ocsp certs
+ ocspd0.sh - ocsp responder for root-ca-cert.pem
+ ocspd1.sh - ocsp responder for intermediate1-ca-cert.pem
+ ocspd2.sh - ocsp responder for intermediate2-ca-cert.pem
 scripts/
 external.test - example client test against our website, part of tests
 google.test - example client test against google, part of tests
 resume.test - example sessoin resume test, part of tests
- sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests
- in sniffer mode
+ ocsp-stapling.test - example client test against globalsign, part of tests
+ ocsp-stapling2.test - example client test against example server, part of tests
+ sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests
+ in sniffer mode
 swig/
 PythonBuild.sh - builds and runs simple python example
diff --git a/certs/external/ca-globalsign-root-r2.pem b/certs/external/ca-globalsign-root-r2.pem
new file mode 100644
index 000000000..6f0f8db0d
--- /dev/null
+++ b/certs/external/ca-globalsign-root-r2.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
+MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
+A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
+v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
+eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
+tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
+C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
+zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
+mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
+V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
+bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
+3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
+J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
+291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
+ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
+AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
+TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
+-----END CERTIFICATE-----
diff --git a/certs/external/ca-verisign-g5.pem b/certs/external/ca-verisign-g5.pem
new file mode 100644
index 000000000..707ff085b
--- /dev/null
+++ b/certs/external/ca-verisign-g5.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
+ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
+biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
+U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
+aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
+nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
+t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
+SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
+BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
+rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
+NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
+BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
+aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
+MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
+p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
+5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
+WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
+4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
+hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/ocspd0.sh b/certs/ocsp/ocspd0.sh
index ea15a1c7a..33baeee14 100755
--- a/certs/ocsp/ocspd0.sh
+++ b/certs/ocsp/ocspd0.sh
@@ -1,10 +1,8 @@
 #!/bin/bash
-openssl ocsp \
- -index index0.txt \
- -port 22220 \
- -rsigner ocsp-responder-cert.pem \
- -rkey ocsp-responder-key.pem \
- -CA root-ca-cert.pem \
- -nmin 1 \
- -text
+openssl ocsp -port 22220 -nmin 1 -text \
+ -index certs/ocsp/index0.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/root-ca-cert.pem \
+ $@
diff --git a/certs/ocsp/ocspd1.sh b/certs/ocsp/ocspd1.sh
index 60390216d..1a6f2dc2a 100755
--- a/certs/ocsp/ocspd1.sh
+++ b/certs/ocsp/ocspd1.sh
@@ -1,10 +1,8 @@
 #!/bin/bash
-openssl ocsp \
- -index index1.txt \
- -port 22221 \
- -rsigner ocsp-responder-cert.pem \
- -rkey ocsp-responder-key.pem \
- -CA intermediate1-ca-cert.pem \
- -nmin 1 \
- -text
+openssl ocsp -port 22221 -nmin 1 -text \
+ -index certs/ocsp/index1.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/intermediate1-ca-cert.pem \
+ $@
diff --git a/certs/ocsp/ocspd2.sh b/certs/ocsp/ocspd2.sh
index f827bbcb6..04f3ae2bf 100755
--- a/certs/ocsp/ocspd2.sh
+++ b/certs/ocsp/ocspd2.sh
@@ -1,10 +1,8 @@
 #!/bin/bash
-openssl ocsp \
- -index index2.txt \
- -port 22222 \
- -rsigner ocsp-responder-cert.pem \
- -rkey ocsp-responder-key.pem \
- -CA intermediate2-ca-cert.pem \
- -nmin 1 \
- -text
+openssl ocsp -port 22222 -nmin 1 -text \
+ -index certs/ocsp/index2.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/intermediate2-ca-cert.pem \
+ $@
diff --git a/configure.ac b/configure.ac
index e7bd09bad..35497b851 100644
--- a/configure.ac
+++ b/configure.ac
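Review bot: `$@` on the last line of ocspd0.sh is unquoted, so any extra argument containing whitespace is re-split by the shell before it reaches `openssl ocsp`; `"$@"` forwards the caller's arguments intact. ocspd1.sh and ocspd2.sh in this commit end with the same line. Every path now starts with `certs/ocsp/`, so the three scripts only work when started from the wolfSSL root; a one-line comment under the shebang, `# run from the wolfSSL root directory`, would make that requirement visible to anyone who finds the script in certs/ocsp/.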
@@ -1676,6 +1676,8 @@ then
 fi
 fi
+AM_CONDITIONAL([BUILD_OCSP_STAPLING], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
+
 # Certificate Status Request v2 : a.k.a. OCSP stapling v2
 AC_ARG_ENABLE([ocspstapling2],
 [AS_HELP_STRING([--enable-ocspstapling2],[Enable Certificate Status Request v2 - a.k.a. OCSP Stapling v2 (default: disabled)])],
@@ -1696,6 +1698,8 @@ then
 fi
 fi
+AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
+
 # Renegotiation Indication - (FAKE Secure Renegotiation)
 AC_ARG_ENABLE([renegotiation-indication],
 [AS_HELP_STRING([--enable-renegotiation-indication],[Enable Renegotiation Indication (default: disabled)])],
diff --git a/examples/client/client.c b/examples/client/client.c
index 79d735b44..f96258664 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -484,7 +484,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #ifndef WOLFSSL_VXWORKS
 while ((ch = mygetopt(argc, argv,
- "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W")) != -1) {
+ "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W:")) != -1) {
 switch (ch) {
 case '?' :
 Usage();
@@ -678,7 +678,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 case 'W' :
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
 || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
- statusRequest = 1;
+ statusRequest = atoi(myoptarg);
 #endif
 break;
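Review bot: `statusRequest = atoi(myoptarg);` in the `case 'W'` hunk accepts any text: a non-numeric or out-of-range option value silently becomes 0 or an unexpected code, so a typo such as `-W x` turns the status request off instead of being reported. Parse it with `strtol` and reject leftovers, e.g. `char* end; long v = strtol(myoptarg, &end, 10);` / `if (end == myoptarg || *end != '\0') err_sys("bad -W value");` / `statusRequest = (int)v;`. Since the optstring change in the first client.c hunk makes `-W` take an argument, the Usage() text, which lies outside both hunks, should be updated to describe the `-W <n>` form. client_test starts and ends outside these hunks.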
@@ -1006,18 +1006,35 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif
 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
 if (statusRequest) {
- if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP,
+ switch (statusRequest) {
+ case WOLFSSL_CSR_OCSP:
+ if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP,
 WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS)
- err_sys("UseCertificateStatusRequest failed");
+ err_sys("UseCertificateStatusRequest failed");
+
+ break;
+ }
 wolfSSL_CTX_EnableOCSP(ctx, 0);
 }
 #endif
 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
 if (statusRequest) {
- if (wolfSSL_UseCertificateStatusRequestV2(ssl, WOLFSSL_CSR2_OCSP,
- WOLFSSL_CSR2_OCSP_USE_NONCE) != SSL_SUCCESS)
- err_sys("UseCertificateStatusRequest failed");
+ switch (statusRequest) {
+ case WOLFSSL_CSR2_OCSP:
+ if (wolfSSL_UseCertificateStatusRequestV2(ssl,
+ WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE)
+ != SSL_SUCCESS)
+ err_sys("UseCertificateStatusRequest failed");
+ break;
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ if (wolfSSL_UseCertificateStatusRequestV2(ssl,
+ WOLFSSL_CSR2_OCSP_MULTI, 0)
+ != SSL_SUCCESS)
+ err_sys("UseCertificateStatusRequest failed");
+ break;
+
+ }
 wolfSSL_CTX_EnableOCSP(ctx, 0);
 }
diff --git a/examples/server/server.c b/examples/server/server.c
index 000d35a1c..b413b81b0 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
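Review bot: Neither `switch (statusRequest)` has a `default:` label, so a value outside the listed cases (for instance `-W 2` in a build with HAVE_CERTIFICATE_STATUS_REQUEST but without the V2 variant) skips the UseCertificateStatusRequest call and still reaches `wolfSSL_CTX_EnableOCSP(ctx, 0);`, and the handshake proceeds with no status request at all — a test that relies on `-W` obtaining a stapled response would then pass for the wrong reason. Add `default: err_sys("unsupported -W value");` to both switches. The empty line between the last `break;` and the closing `}` of the V2 switch is a leftover. client_test starts and ends outside this hunk.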
@@ -729,7 +729,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
 if (wolfSSL_CTX_EnableOCSPStapling(ctx) != SSL_SUCCESS)
 err_sys("can't enable OCSP Stapling Certificate Manager");
- if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS)
+ if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate1-ca-cert.pem", 0) != SSL_SUCCESS)
+ err_sys("can't load ca file, Please run from wolfSSL home dir");
+ if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate2-ca-cert.pem", 0) != SSL_SUCCESS)
 err_sys("can't load ca file, Please run from wolfSSL home dir");
 #endif
 #ifdef HAVE_PK_CALLBACKS
@@ -967,5 +969,3 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 return 0;
 }
 #endif
-
-
diff --git a/scripts/include.am b/scripts/include.am
index 4b2c7982a..b4c66554c 100644
--- a/scripts/include.am
+++ b/scripts/include.am
@@ -9,8 +9,9 @@ dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test
 endif
 if BUILD_EXAMPLES
+
 dist_noinst_SCRIPTS+= scripts/resume.test
-EXTRA_DIST+= scripts/benchmark.test
+EXTRA_DIST+= scripts/benchmark.test
 if BUILD_CRL
 # make revoked test rely on completion of resume test
@@ -23,6 +24,21 @@ dist_noinst_SCRIPTS+= scripts/external.test
 dist_noinst_SCRIPTS+= scripts/google.test
 #dist_noinst_SCRIPTS+= scripts/openssl.test
 endif
+
+if BUILD_OCSP
+dist_noinst_SCRIPTS+= scripts/ocsp.test
+endif
+
+if BUILD_OCSP_STAPLING
+dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
+scripts/ocsp-stapling.log: scripts/ocsp.log
+endif
+
+if BUILD_OCSP_STAPLING_V2
+dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test
+scripts/ocsp-stapling2.log: scripts/ocsp.log
+endif
+
 endif
diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test
new file mode 100755
index 000000000..7b4ac9cda
--- /dev/null
+++ b/scripts/ocsp-stapling.test
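Review bot: The two `SSL_CTX_load_verify_locations` calls now hard-code `certs/ocsp/intermediate1-ca-cert.pem` and `certs/ocsp/intermediate2-ca-cert.pem` in place of `caCert`, so the CA the user passes on the command line no longer reaches the verify store used for OCSP stapling, and the example server only starts when run from the wolfSSL root (as the error text says). If that is intended for the example, a comment above the block — `/* stapling test CAs; paths are relative to the wolfSSL root */` — would record it; otherwise keep the `caCert` load alongside the two fixed ones. Both added `if` lines also run past the 80-column width the surrounding code keeps. server_test starts and ends outside this hunk.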
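Review bot: In the second include.am hunk, `scripts/ocsp-stapling.log: scripts/ocsp.log` and `scripts/ocsp-stapling2.log: scripts/ocsp.log` order each stapling test after ocsp.test but not after each other, yet both stapling scripts start `certs/ocsp/ocspd1.sh` (port 22221) and the example server on its default port, so a parallel `make check` can run them at the same time and have one test's responder or server answer the other's client. Add `scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log`, guarded so it is only emitted when both BUILD_OCSP_STAPLING and BUILD_OCSP_STAPLING_V2 hold, following the revoked/resume pattern the file already uses. The `if BUILD_OCSP` block relies on an AM_CONDITIONAL that the configure.ac hunks of this commit do not add; presumably it already exists, which is worth confirming.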
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
+
+server=login.live.com
+ca=certs/external/ca-verisign-g5.pem
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# is our desired server there? - login.live.com doesn't answers PING
+# ping -c 2 $server
+# RESULT=$?
+# [ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0
+
+# client test against the server
+./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# setup ocsp responder
+./certs/ocsp/ocspd1.sh &
+
+# client test against our own server - GOOD CERT
+./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# client test against our own server - REVOKED CERT
+./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
+
+exit 0
diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test
new file mode 100755
index 000000000..eb300a625
--- /dev/null
+++ b/scripts/ocsp-stapling2.test
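Review bot: The connection to `login.live.com` has no reachability check (the ping block is commented out), so on a build host without network access the script exits 1 and fails `make check` instead of skipping the way ocsp.test does; a cheap precheck, or an explicit skip when the external connect fails, would keep offline builds green while the local responder cases still run. `echo -e` under `#!/bin/sh` is not portable — dash, the /bin/sh on Debian-family systems, prints the `-e` literally — and `printf '\n\n%s\n' "Client connection failed"` is the portable form; ocsp-stapling2.test and ocsp.test use the same `echo -e`. The fixed `sleep 1` after starting the responder and the server is a race on slow hosts; polling for the listening port before running the client would be more robust.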
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# setup ocsp responders
+./certs/ocsp/ocspd0.sh &
+./certs/ocsp/ocspd1.sh &
+./certs/ocsp/ocspd2.sh &
+
+# client test against our own server - GOOD CERTS
+./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# client test against our own server - REVOKED SERVER CERT
+./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2
+RESULT=$?
+[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
+
+# client test against our own server - REVOKED INTERMEDIATE CERT
+./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/intermediate2-ca-cert.pem -W 2
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
+
+exit 0
diff --git a/scripts/ocsp.test b/scripts/ocsp.test
new file mode 100755
index 000000000..66d4488ad
--- /dev/null
+++ b/scripts/ocsp.test
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+server=www.globalsign.com
+ca=certs/external/ca-globalsign-root-r2.pem
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# is our desired server there?
+ping -c 2 $server
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0
+
+# client test against the server
+./examples/client/client -X -C -h $server -p 443 -A $ca -g -o
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+exit 0
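Review bot: The REVOKED INTERMEDIATE CERT case ends with `[ $RESULT -ne 0 ] && ... exit 1`, i.e. it passes only when the client accepts a chain whose intermediate is revoked, while the REVOKED SERVER CERT case just above requires exit status 1. If rejecting a revoked intermediate under multi-status (`-W 2`) is not implemented yet, say so next to the assertion — `# TODO: intermediate status is not checked yet; flip the expected status once it is` — so nobody reads the green test as proof that the revocation is enforced; if it is implemented, the expected status looks inverted. The header comment of this file says `# ocsp-stapling.test` and ocsp.test carries the same copied line; they should read `# ocsp-stapling2.test` and `# ocsp.test`.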
diff --git a/src/internal.c b/src/internal.c
index 6b2d44459..6d10a972b 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4491,7 +4491,6 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 if (fatal == 0) {
 int doLookup = 1;
- /* TODO CSR2 */
 if (ssl->options.side == WOLFSSL_CLIENT_END) {
 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
 if (ssl->status_request) {