wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-03-27 14:29:40 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
wolfssl/scripts/ocsp-responder-openssl-interop.test
Juliusz Sosinowicz 4578e1390f Implement OCSP responder 
OCSP Responder Core API:

- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM

Header Cleanup:

- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h

OCSP Responder Example (examples/ocsp_responder/):

- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client

Test Scripts (scripts/):

- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling

Certificate Infrastructure (certs/ocsp/):

- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions

Known Limitations (documented in src/ocsp.c header comment):

  - Single request/response per OCSP exchange only
  - Key-hash responder ID only (no name-based responder ID)
  - No singleExtensions support
2026-03-11 10:21:16 +01:00

568 lines
18 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# ocsp-responder-openssl-interop.test
#
# Interop test: wolfSSL ocsp_responder serving OCSP responses to openssl ocsp
# client queries. Tests every certificate entry in each index file.
#
# Requires: WOLFSSL_OPENSSL_TEST, HAVE_OCSP, HAVE_OCSP_RESPONDER
# Uses: examples/ocsp_responder/ocsp_responder as the OCSP responder
# openssl ocsp as the client
if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
exit 77
fi
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2
fi
SCRIPT_DIR="$(dirname "$0")"
WOLFSSL_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
cd "$WOLFSSL_DIR" || exit 1
OCSP_RESPONDER="./examples/ocsp_responder/ocsp_responder"
OCSP_DIR="certs/ocsp"
if [ "$OPENSSL" = "" ]; then
OPENSSL=openssl
fi
# Check prerequisites
[ ! -x "$OCSP_RESPONDER" ] && \
echo 'skipping: ocsp_responder not built.' 1>&2 && exit 77
if $OCSP_RESPONDER -? 2>&1 | grep -q "OCSP Responder requires"; then
echo 'skipping: ocsp_responder not compiled with required features.' 1>&2
exit 77
fi
command -v $OPENSSL >/dev/null 2>&1 || \
{ echo "Requires openssl command, skipping." 1>&2; exit 77; }
echo "wolfSSL OCSP Responder / OpenSSL OCSP client interop test"
echo "OpenSSL: $($OPENSSL version)"
echo
# IPv6 detection
if nc -h 2>&1 | fgrep -q -i ipv6; then
IPV6_SUPPORTED=yes
else
IPV6_SUPPORTED=no
fi
if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
if [[ "$IPV6_SUPPORTED" == "no" ]]; then
echo 'Skipping IPV6 test in environment lacking IPV6 support.'
exit 77
fi
LOCALHOST='[::1]'
LOCALHOST_FOR_NC='-6 ::1'
else
LOCALHOST='127.0.0.1'
LOCALHOST_FOR_NC='127.0.0.1'
fi
########################################################################
# Helpers
########################################################################
resp_pids=""
resp_logs=""
ready_files=""
cleanup() {
exit_status=$?
for p in $resp_pids; do
kill $p 2>/dev/null
wait $p 2>/dev/null
done
# Clean up log files
for log in $resp_logs; do
rm -f "$log" 2>/dev/null
done
# Clean up ready files
for rf in $ready_files; do
rm -f "$rf" 2>/dev/null
done
if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
echo "retrying..."
RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
exec $0 "$@"
fi
}
trap cleanup EXIT INT TERM
tests_run=0
tests_passed=0
tests_failed=0
print_responder_logs() {
echo "--- Responder Logs ---"
for log in $resp_logs; do
if [ -f "$log" ]; then
echo "=== $(basename $log) ==="
cat "$log"
echo
fi
done
echo "----------------------"
}
# choose consecutive ports based on the PID, skipping any that are
# already bound, to avoid the birthday problem in case other
# instances are sharing this host.
get_first_free_port() {
local ret="$1"
while :; do
if [[ "$ret" -ge 65536 ]]; then
ret=1024
fi
if ! nc -z ${LOCALHOST_FOR_NC} "$ret"; then
break
fi
ret=$((ret+1))
done
echo "$ret"
return 0
}
# wait_for_ready_file READY_FILE PID PORT
wait_for_ready_file() {
local ready_file="$1"
local pid="$2"
local port="$3"
local counter=0
while [ ! -s "$ready_file" ] && [ "$counter" -lt 20 ]; do
if ! kill -0 "$pid" 2>/dev/null; then
echo "ERROR: Responder pid $pid for port $port exited before creating ready file" 1>&2
print_responder_logs
exit 1
fi
sleep 0.1
counter=$((counter + 1))
done
if [ ! -s "$ready_file" ]; then
echo "ERROR: Ready file $ready_file not created after 2 seconds" 1>&2
print_responder_logs
exit 1
fi
}
# query_ocsp ISSUER_CERT CERT_TO_CHECK PORT EXPECTED_STATUS DESCRIPTION
query_ocsp() {
local issuer="$1"
local cert="$2"
local _port="$3"
local expected="$4"
local desc="$5"
tests_run=$((tests_run+1))
printf " TEST %2d: %-55s " "$tests_run" "$desc"
local output
output=$($OPENSSL ocsp \
-issuer "$issuer" \
-cert "$cert" \
-url "http://127.0.0.1:$_port/" \
-resp_text 2>&1)
local rc=$?
# Extract the cert status line
local status
status=$(echo "$output" | grep "Cert Status:" | head -1 | \
sed 's/.*Cert Status: *//')
if [ "$status" = "$expected" ]; then
printf "PASSED (status: %s)\n" "$status"
tests_passed=$((tests_passed+1))
else
printf "FAILED (expected: %s, got: %s, rc: %d)\n" \
"$expected" "$status" "$rc"
tests_failed=$((tests_failed+1))
echo "--- openssl output ---"
echo "$output"
echo "----------------------"
print_responder_logs
fi
}
########################################################################
# Start responders - one per CA/index-file pair
########################################################################
base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
port1=$(get_first_free_port $base_port) # OCSP responder: intermediate1-ca
port2=$(get_first_free_port $((port1 + 1))) # OCSP responder: intermediate2-ca
port3=$(get_first_free_port $((port2 + 1))) # OCSP responder: intermediate3-ca
port4=$(get_first_free_port $((port3 + 1))) # OCSP responder: root-ca
port5=$(get_first_free_port $((port4 + 1))) # TLS server
# Responder 1: intermediate1-ca (server1=valid, server2=revoked)
log1=$(mktemp /tmp/ocsp_resp1.XXXXXX)
resp_logs="$resp_logs $log1"
ready1=$(mktemp /tmp/ocsp_ready1.XXXXXX)
ready_files="$ready_files $ready1"
$OCSP_RESPONDER -p $port1 -v -R "$ready1" \
-c $OCSP_DIR/intermediate1-ca-cert.pem \
-k $OCSP_DIR/intermediate1-ca-key.pem \
-i $OCSP_DIR/index-intermediate1-ca-issued-certs.txt \
> "$log1" 2>&1 &
pid1=$!
resp_pids="$resp_pids $pid1"
# Responder 2: intermediate2-ca (server3=valid, server4=revoked)
log2=$(mktemp /tmp/ocsp_resp2.XXXXXX)
resp_logs="$resp_logs $log2"
ready2=$(mktemp /tmp/ocsp_ready2.XXXXXX)
ready_files="$ready_files $ready2"
$OCSP_RESPONDER -p $port2 -v -R "$ready2" \
-c $OCSP_DIR/intermediate2-ca-cert.pem \
-k $OCSP_DIR/intermediate2-ca-key.pem \
-i $OCSP_DIR/index-intermediate2-ca-issued-certs.txt \
> "$log2" 2>&1 &
pid2=$!
resp_pids="$resp_pids $pid2"
# Responder 3: intermediate3-ca (server5=valid)
log3=$(mktemp /tmp/ocsp_resp3.XXXXXX)
resp_logs="$resp_logs $log3"
ready3=$(mktemp /tmp/ocsp_ready3.XXXXXX)
ready_files="$ready_files $ready3"
$OCSP_RESPONDER -p $port3 -v -R "$ready3" \
-c $OCSP_DIR/intermediate3-ca-cert.pem \
-k $OCSP_DIR/intermediate3-ca-key.pem \
-i $OCSP_DIR/index-intermediate3-ca-issued-certs.txt \
> "$log3" 2>&1 &
pid3=$!
resp_pids="$resp_pids $pid3"
# Responder 4: root-ca (intermediate CAs: 1=valid, 2=valid, 3=revoked)
log4=$(mktemp /tmp/ocsp_resp4.XXXXXX)
resp_logs="$resp_logs $log4"
ready4=$(mktemp /tmp/ocsp_ready4.XXXXXX)
ready_files="$ready_files $ready4"
$OCSP_RESPONDER -p $port4 -v -R "$ready4" \
-c $OCSP_DIR/root-ca-cert.pem \
-k $OCSP_DIR/root-ca-key.pem \
-i $OCSP_DIR/index-ca-and-intermediate-cas.txt \
> "$log4" 2>&1 &
pid4=$!
resp_pids="$resp_pids $pid4"
# Responder 5: authorized responder (delegated OCSP signer with id-kp-OCSPSigning)
log5=$(mktemp /tmp/ocsp_resp5.XXXXXX)
resp_logs="$resp_logs $log5"
ready5=$(mktemp /tmp/ocsp_ready5.XXXXXX)
ready_files="$ready_files $ready5"
$OCSP_RESPONDER -p $port5 -v -R "$ready5" \
-c $OCSP_DIR/root-ca-cert.pem \
-r $OCSP_DIR/ocsp-responder-cert.pem \
-k $OCSP_DIR/ocsp-responder-key.pem \
-i $OCSP_DIR/index-ca-and-intermediate-cas.txt \
> "$log5" 2>&1 &
pid5=$!
resp_pids="$resp_pids $pid5"
echo "Starting wolfSSL OCSP responders..."
echo " Responder 1 (intermediate1-ca): port $port1, pid $pid1"
echo " Responder 2 (intermediate2-ca): port $port2, pid $pid2"
echo " Responder 3 (intermediate3-ca): port $port3, pid $pid3"
echo " Responder 4 (root-ca): port $port4, pid $pid4"
echo " Responder 5 (authorized resp): port $port5, pid $pid5"
# Wait for all responders to be ready
wait_for_ready_file "$ready1" "$pid1" "$port1"
wait_for_ready_file "$ready2" "$pid2" "$port2"
wait_for_ready_file "$ready3" "$pid3" "$port3"
wait_for_ready_file "$ready4" "$pid4" "$port4"
wait_for_ready_file "$ready5" "$pid5" "$port5"
echo "All responders ready"
echo "All responders running."
echo
########################################################################
# Test index-intermediate1-ca-issued-certs.txt
# serial 05 = server1 (V = valid)
# serial 06 = server2 (R = revoked)
########################################################################
echo "=== index-intermediate1-ca-issued-certs.txt (intermediate1-ca) ==="
query_ocsp "$OCSP_DIR/intermediate1-ca-cert.pem" \
"$OCSP_DIR/server1-cert.pem" \
$port1 "good" \
"server1 (serial 05) -> good"
query_ocsp "$OCSP_DIR/intermediate1-ca-cert.pem" \
"$OCSP_DIR/server2-cert.pem" \
$port1 "revoked" \
"server2 (serial 06) -> revoked"
echo
########################################################################
# Test index-intermediate2-ca-issued-certs.txt
# serial 07 = server3 (V = valid)
# serial 08 = server4 (R = revoked)
########################################################################
echo "=== index-intermediate2-ca-issued-certs.txt (intermediate2-ca) ==="
query_ocsp "$OCSP_DIR/intermediate2-ca-cert.pem" \
"$OCSP_DIR/server3-cert.pem" \
$port2 "good" \
"server3 (serial 07) -> good"
query_ocsp "$OCSP_DIR/intermediate2-ca-cert.pem" \
"$OCSP_DIR/server4-cert.pem" \
$port2 "revoked" \
"server4 (serial 08) -> revoked"
echo
########################################################################
# Test index-intermediate3-ca-issued-certs.txt
# serial 09 = server5 (V = valid)
########################################################################
echo "=== index-intermediate3-ca-issued-certs.txt (intermediate3-ca) ==="
query_ocsp "$OCSP_DIR/intermediate3-ca-cert.pem" \
"$OCSP_DIR/server5-cert.pem" \
$port3 "good" \
"server5 (serial 09) -> good"
echo
########################################################################
# Test index-ca-and-intermediate-cas.txt
# serial 01 = intermediate1-ca (V = valid)
# serial 02 = intermediate2-ca (V = valid)
# serial 03 = intermediate3-ca (R = revoked)
# serial 63 = root-ca (V = valid, self-signed)
########################################################################
echo "=== index-ca-and-intermediate-cas.txt (root-ca) ==="
query_ocsp "$OCSP_DIR/root-ca-cert.pem" \
"$OCSP_DIR/intermediate1-ca-cert.pem" \
$port4 "good" \
"intermediate1-ca (serial 01) -> good"
query_ocsp "$OCSP_DIR/root-ca-cert.pem" \
"$OCSP_DIR/intermediate2-ca-cert.pem" \
$port4 "good" \
"intermediate2-ca (serial 02) -> good"
query_ocsp "$OCSP_DIR/root-ca-cert.pem" \
"$OCSP_DIR/intermediate3-ca-cert.pem" \
$port4 "revoked" \
"intermediate3-ca (serial 03) -> revoked"
query_ocsp "$OCSP_DIR/root-ca-cert.pem" \
"$OCSP_DIR/root-ca-cert.pem" \
$port4 "good" \
"root-ca (serial 63) -> good"
echo
echo "=== Negative tests: unsupported features ==="
# Test non-SHA-1 hash algorithms
tests_run=$((tests_run+1))
printf " TEST %2d: %-55s " "$tests_run" "SHA-384 hash -> good"
output=$($OPENSSL ocsp \
-sha384 \
-issuer "$OCSP_DIR/intermediate1-ca-cert.pem" \
-cert "$OCSP_DIR/server1-cert.pem" \
-url "http://127.0.0.1:$port1/" \
-resp_text 2>&1)
rc=$?
# Extract the cert status line
status=$(echo "$output" | grep "Cert Status:" | head -1 | \
sed 's/.*Cert Status: *//')
# Expect "good" status (feature should be supported)
if [ "$status" = "good" ]; then
printf "PASSED (status: %s)\n" "$status"
tests_passed=$((tests_passed+1))
else
printf "FAILED (expected: good, got: %s, rc: %d)\n" "$status" "$rc"
tests_failed=$((tests_failed+1))
echo "--- openssl output ---"
echo "$output"
echo "----------------------"
print_responder_logs
fi
########################################################################
# Test: Authorized Responder (RFC 6960 Section 4.2.2.2)
########################################################################
# Test: Authorized Responder (RFC 6960 Section 4.2.2.2)
# An OCSP response can be signed by a delegated signer with id-kp-OCSPSigning
# extended key usage instead of the CA itself.
# Uses Responder 5 which has ocsp-responder-cert.pem with id-kp-OCSPSigning EKU.
tests_run=$((tests_run+1))
printf " TEST %2d: %-55s " "$tests_run" "Authorized responder"
# Query using OpenSSL - asks about intermediate1-ca which was issued by root-ca
# Response will be signed by ocsp-responder-cert (authorized responder)
output=$($OPENSSL ocsp \
-issuer "$OCSP_DIR/root-ca-cert.pem" \
-cert "$OCSP_DIR/intermediate1-ca-cert.pem" \
-url "http://127.0.0.1:$port5/" \
-resp_text 2>&1)
rc=$?
# Extract the cert status line
status=$(echo "$output" | grep "Cert Status:" | head -1 | \
sed 's/.*Cert Status: *//')
# Expect "good" status
if [ "$status" = "good" ]; then
printf "PASSED (authorized responder works)\n"
tests_passed=$((tests_passed+1))
else
printf "FAILED (expected good status, got: %s)\n" "$status"
tests_failed=$((tests_failed+1))
echo "--- openssl output ---"
echo "$output"
echo "----------------------"
print_responder_logs
fi
########################################################################
# Test: Unknown certificates (not in responder's database)
########################################################################
echo "=== Unknown certificate tests ==="
# Test 1: Query Responder 1 (intermediate1-ca) about server3 (issued by intermediate2-ca)
# Note: This tests wrong issuer - should get OCSP error (unauthorized)
tests_run=$((tests_run+1))
printf " TEST %2d: %-55s " "$tests_run" "Wrong issuer: server3 to responder 1 (wrong issuer)"
output=$($OPENSSL ocsp \
-issuer "$OCSP_DIR/intermediate1-ca-cert.pem" \
-cert "$OCSP_DIR/server3-cert.pem" \
-url "http://127.0.0.1:$port1/" \
-noverify \
-resp_text 2>&1)
rc=$?
# server3 is actually issued by intermediate2-ca, not intermediate1-ca
# Expect OCSP error response: unauthorized (6)
if echo "$output" | grep -q "Responder Error: unauthorized"; then
printf "PASSED (OCSP unauthorized - wrong issuer)\n"
tests_passed=$((tests_passed+1))
else
printf "FAILED (expected OCSP unauthorized, got rc: %d)\n" "$rc"
tests_failed=$((tests_failed+1))
echo "--- openssl output ---"
echo "$output"
echo "----------------------"
print_responder_logs
fi
# Test 2: Query Responder 2 (intermediate2-ca) about server1 (issued by intermediate1-ca)
# Note: This tests wrong issuer - should get OCSP error (unauthorized)
tests_run=$((tests_run+1))
printf " TEST %2d: %-55s " "$tests_run" "Wrong issuer: server1 to responder 2 (wrong issuer)"
output=$($OPENSSL ocsp \
-issuer "$OCSP_DIR/intermediate2-ca-cert.pem" \
-cert "$OCSP_DIR/server1-cert.pem" \
-url "http://127.0.0.1:$port2/" \
-noverify \
-resp_text 2>&1)
rc=$?
# server1 is actually issued by intermediate1-ca, not intermediate2-ca
# Expect OCSP error response: unauthorized (6)
if echo "$output" | grep -q "Responder Error: unauthorized"; then
printf "PASSED (OCSP unauthorized - wrong issuer)\n"
tests_passed=$((tests_passed+1))
else
printf "FAILED (expected OCSP unauthorized, got rc: %d)\n" "$rc"
tests_failed=$((tests_failed+1))
echo "--- openssl output ---"
echo "$output"
echo "----------------------"
print_responder_logs
fi
echo
########################################################################
# Negative tests: unsupported functionality
########################################################################
# Test: Multiple requests in one OCSP request (should fail with OCSP error)
tests_run=$((tests_run+1))
printf " TEST %2d: %-55s " "$tests_run" "Multiple requests (should return OCSP error)"
# Using multiple -cert options creates one OCSP request with multiple certificate IDs
output=$($OPENSSL ocsp \
-issuer "$OCSP_DIR/intermediate1-ca-cert.pem" \
-cert "$OCSP_DIR/server1-cert.pem" \
-cert "$OCSP_DIR/server2-cert.pem" \
-url "http://127.0.0.1:$port1/" \
-resp_text 2>&1)
rc=$?
# Expect OCSP error response: malformedrequest (1)
# OpenSSL shows "Responder Error: malformedrequest (1)"
if echo "$output" | grep -q "Responder Error: malformedrequest"; then
printf "PASSED (OCSP malformedrequest)\n"
tests_passed=$((tests_passed+1))
else
printf "FAILED (expected OCSP malformedrequest, got rc: %d)\n" "$rc"
tests_failed=$((tests_failed+1))
echo "--- openssl output ---"
echo "$output"
echo "----------------------"
print_responder_logs
fi
echo
########################################################################
# Results
########################################################################
echo "============================================================"
echo "Results: $tests_passed/$tests_run passed, $tests_failed failed"
echo "============================================================"
if [ $tests_failed -ne 0 ]; then
exit 1
fi
exit 0
Reference in New Issue View Git Blame Copy Permalink