From cf8422480acf10146d0bc6bec40e3efeb12a2d5a Mon Sep 17 00:00:00 2001 From: James Muir Date: Wed, 20 Dec 2023 00:15:17 -0500 Subject: s_server: test ocsp with "-cert_chain" Add a test to exercise the use of s_server with "-cert_chain" to construct an ocsp request. This new functionality was added in PR #22192. Testing: make V=1 TESTS='test_ocsp_cert_chain' test Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23101) --- test/ocsp-tests/ca.cnf | 34 ++++++++ test/ocsp-tests/index.txt | 1 + test/ocsp-tests/index.txt.attr | 1 + test/ocsp-tests/intermediate-cert.pem | 13 +++ test/ocsp-tests/intermediate-csr.pem | 8 ++ test/ocsp-tests/intermediate-key.pem | 6 ++ test/ocsp-tests/mk-ocsp-cert-chain.sh | 100 +++++++++++++++++++++++ test/ocsp-tests/ocsp.pem | 19 +++++ test/ocsp-tests/root-cert.pem | 14 ++++ test/ocsp-tests/root-key.pem | 8 ++ test/ocsp-tests/server-cert.pem | 12 +++ test/ocsp-tests/server-csr.pem | 9 +++ test/ocsp-tests/server-key.pem | 5 ++ test/ocsp-tests/server.pem | 30 +++++++ test/recipes/82-test_ocsp_cert_chain.t | 143 +++++++++++++++++++++++++++++++++ 15 files changed, 403 insertions(+) create mode 100644 test/ocsp-tests/ca.cnf create mode 100644 test/ocsp-tests/index.txt create mode 100644 test/ocsp-tests/index.txt.attr create mode 100644 test/ocsp-tests/intermediate-cert.pem create mode 100644 test/ocsp-tests/intermediate-csr.pem create mode 100644 test/ocsp-tests/intermediate-key.pem create mode 100755 test/ocsp-tests/mk-ocsp-cert-chain.sh create mode 100644 test/ocsp-tests/ocsp.pem create mode 100644 test/ocsp-tests/root-cert.pem create mode 100644 test/ocsp-tests/root-key.pem create mode 100644 test/ocsp-tests/server-cert.pem create mode 100644 test/ocsp-tests/server-csr.pem create mode 100644 test/ocsp-tests/server-key.pem create mode 100644 test/ocsp-tests/server.pem create mode 100644 test/recipes/82-test_ocsp_cert_chain.t 
diff --git a/test/ocsp-tests/ca.cnf b/test/ocsp-tests/ca.cnf
new file mode 100644
index 0000000000..1608778d3d
--- /dev/null
+++ b/test/ocsp-tests/ca.cnf
@@ -0,0 +1,34 @@
+HOME = .
+default_ca = ca
+config_diagnostics = 1
+
+####################################################################
+
+[ req ]
+x509_extensions = v3_ca
+
+####################################################################
+
+[ usr_cert ]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+##authorityInfoAccess = OCSP;URI:http://127.0.0.1:19254/ocsp
+# we do not include aia in the cert.
+# we use the s_server option "-status_url" to specify the url.
+
+####################################################################
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+basicConstraints = critical,CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
+####################################################################
+
+# Minimal CA entry to allow generation of CRLs.
+[ ca ]
+default_md = sha256
+database = index.txt
+crlnumber = crlnum.txt
diff --git a/test/ocsp-tests/index.txt b/test/ocsp-tests/index.txt
new file mode 100644
index 0000000000..78252ef726
--- /dev/null
+++ b/test/ocsp-tests/index.txt
@@ -0,0 +1 @@
+V 241221170717Z 73C8A0894488809AFE972FE0BAD3460318D1CCBF unknown /CN=TestServerCA
diff --git a/test/ocsp-tests/index.txt.attr b/test/ocsp-tests/index.txt.attr
new file mode 100644
index 0000000000..8f7e63a347
--- /dev/null
+++ b/test/ocsp-tests/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/test/ocsp-tests/intermediate-cert.pem b/test/ocsp-tests/intermediate-cert.pem
new file mode 100644
index 0000000000..ca83feb1a0
--- /dev/null
+++ b/test/ocsp-tests/intermediate-cert.pem
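Review bot: The `[ usr_cert ]` section asserts `keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment`, but the leaf these fixtures are built for carries an EC (prime256v1) key, and RFC 5480 §3 forbids keyEncipherment (and dataEncipherment) in certificates whose subject key is id-ecPublicKey. OpenSSL tolerates the combination, so the test passes, but a stricter validator handed `server.pem` would reject the chain for a reason unrelated to the OCSP stapling path under test, and because the extension is marked critical the rejection would be unconditional. `keyUsage = critical, digitalSignature` is all an ECDSA TLS server certificate needs; changing it means regenerating the committed `server-*.pem` and `index.txt` with mk-ocsp-cert-chain.sh.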
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB+DCCAVqgAwIBAgIUXFMqBp6K/J1oNTwtzIJt5oRYSHMwCgYIKoZIzj0EAwIw +FTETMBEGA1UEAwwKVGVzdFJvb3RDQTAeFw0yMzEyMjIxNzA3MTdaFw0yODEyMjAx +NzA3MTdaMB0xGzAZBgNVBAMMElRlc3RJbnRlcm1lZGlhdGVDQTB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABGvf1ejpSbs1cpMZuj02h4m7ubFdOHeHU0pdgZ37uRpOQEdW +Vc9l66vmF0Vn/x2DjSSsEQt+0WGwSYN/10/pvSv3MNyOH5MF9QgeQX68VTvGSnn8 +HqOqBpFuol32RB12laNjMGEwHQYDVR0OBBYEFK026R0pctsFs0qumItVbi/ZcKP6 +MB8GA1UdIwQYMBaAFAP1uJrOxcHqX5HpBxC/0gLUYzHtMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMCA4GLADCBhwJBA6lPEQ+FSyoT +mSmdffUb8OYoB132DK98wAqJaWIIl8Cuxcq/TdVTO8vwZFzRCerSWrseCi8EiA+H +dhcKJJ1flbsCQgClCy8YAOKHrqQ4NS5IPRUCWLYjS4cwnQjObHb5+lA4aJMs85Uq +v1HAvDC6ObSGCV+h9DYHTyWXaWgZsJoyPgXVDA== +-----END CERTIFICATE----- diff --git a/test/ocsp-tests/intermediate-csr.pem b/test/ocsp-tests/intermediate-csr.pem new file mode 100644 index 0000000000..a41fa9f4c1 --- /dev/null +++ b/test/ocsp-tests/intermediate-csr.pem @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBFTCBnAIBADAdMRswGQYDVQQDDBJUZXN0SW50ZXJtZWRpYXRlQ0EwdjAQBgcq +hkjOPQIBBgUrgQQAIgNiAARr39Xo6Um7NXKTGbo9NoeJu7mxXTh3h1NKXYGd+7ka +TkBHVlXPZeur5hdFZ/8dg40krBELftFhsEmDf9dP6b0r9zDcjh+TBfUIHkF+vFU7 +xkp5/B6jqgaRbqJd9kQddpWgADAKBggqhkjOPQQDAgNoADBlAjBjsIsCYu4rcGoW +FoNw+9ON/16cBk/Roo6BysamuqZYWBjpzQgFEeGRXPL7zs/AdN8CMQDjOlJ47Q7V +2OoRkMbv4OOGyIoPpndPqjPnxmTujgAppK2wC/KtIJaGTilOEzUqMb8= +-----END CERTIFICATE REQUEST----- diff --git a/test/ocsp-tests/intermediate-key.pem b/test/ocsp-tests/intermediate-key.pem new file mode 100644 index 0000000000..e291d8719d --- /dev/null +++ b/test/ocsp-tests/intermediate-key.pem @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB7rnV1sLw6Zbw9GEBb +kGgygZlqOpkAmoJADlpfpOIXJVp6MNlTnhqsmeOZgAhD3CyhZANiAARr39Xo6Um7 +NXKTGbo9NoeJu7mxXTh3h1NKXYGd+7kaTkBHVlXPZeur5hdFZ/8dg40krBELftFh +sEmDf9dP6b0r9zDcjh+TBfUIHkF+vFU7xkp5/B6jqgaRbqJd9kQddpU= +-----END PRIVATE KEY----- 
diff --git a/test/ocsp-tests/mk-ocsp-cert-chain.sh b/test/ocsp-tests/mk-ocsp-cert-chain.sh
new file mode 100755
index 0000000000..0f4976ac55
--- /dev/null
+++ b/test/ocsp-tests/mk-ocsp-cert-chain.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+
+opensslcmd() {
+ LD_LIBRARY_PATH=../.. ../../apps/openssl $@
+}
+
+# report the openssl version
+opensslcmd version
+
+echo "Creating private keys and certs..."
+
+#####
+
+# root CA private key
+opensslcmd genpkey \
+ -algorithm EC \
+ -pkeyopt ec_paramgen_curve:secp521r1 \
+ -pkeyopt ec_param_enc:named_curve \
+ -out root-key.pem
+
+# root CA certificate (self-signed)
+opensslcmd req \
+ -config ca.cnf \
+ -x509 \
+ -days 3650 \
+ -key root-key.pem \
+ -subj /CN=TestRootCA \
+ -out root-cert.pem
+#####
+
+# intermediate CA private key
+opensslcmd genpkey \
+ -algorithm EC \
+ -pkeyopt ec_paramgen_curve:secp384r1 \
+ -pkeyopt ec_param_enc:named_curve \
+ -out intermediate-key.pem
+
+# intermediate CA certificate-signing-request
+opensslcmd req \
+ -config ca.cnf \
+ -new \
+ -key intermediate-key.pem \
+ -subj /CN=TestIntermediateCA \
+ -out intermediate-csr.pem
+
+# intermediate CA certificate (signed by root CA)
+opensslcmd req \
+ -config ca.cnf \
+ -x509 \
+ -days 1825 \
+ -CA root-cert.pem \
+ -CAkey root-key.pem \
+ -in intermediate-csr.pem \
+ -copy_extensions copyall \
+ -out intermediate-cert.pem
+#####
+
+# server key
+opensslcmd genpkey \
+ -algorithm EC \
+ -pkeyopt ec_paramgen_curve:prime256v1 \
+ -pkeyopt ec_param_enc:named_curve \
+ -out server-key.pem
+
+# server certificate-signing-request
+opensslcmd req \
+ -config ca.cnf \
+ -extensions usr_cert \
+ -new \
+ -key server-key.pem \
+ -subj /CN=TestServerCA \
+ -out server-csr.pem
+
+# server certificate (signed by intermediate CA)
+opensslcmd req \
+ -config ca.cnf \
+ -extensions usr_cert \
+ -x509 \
+ -days 365 \
+ -CA intermediate-cert.pem \
+ -CAkey intermediate-key.pem \
+ -in server-csr.pem \
+ -copy_extensions copyall \
+ -out server-cert.pem
+#####
+
+rm -f index.txt index.txt.attr
+echo -n > index.txt
+opensslcmd ca \
+ -config ca.cnf \
+ -valid server-cert.pem \
+ -keyfile intermediate-key.pem \
+ -cert intermediate-cert.pem
+rm -f index.txt.old
+#####
+
+cat server-cert.pem server-key.pem intermediate-cert.pem > server.pem +cat intermediate-cert.pem intermediate-key.pem > ocsp.pem + +echo "Done." diff --git a/test/ocsp-tests/ocsp.pem b/test/ocsp-tests/ocsp.pem new file mode 100644 index 0000000000..75bb296245 --- /dev/null +++ b/test/ocsp-tests/ocsp.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIB+DCCAVqgAwIBAgIUXFMqBp6K/J1oNTwtzIJt5oRYSHMwCgYIKoZIzj0EAwIw +FTETMBEGA1UEAwwKVGVzdFJvb3RDQTAeFw0yMzEyMjIxNzA3MTdaFw0yODEyMjAx +NzA3MTdaMB0xGzAZBgNVBAMMElRlc3RJbnRlcm1lZGlhdGVDQTB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABGvf1ejpSbs1cpMZuj02h4m7ubFdOHeHU0pdgZ37uRpOQEdW +Vc9l66vmF0Vn/x2DjSSsEQt+0WGwSYN/10/pvSv3MNyOH5MF9QgeQX68VTvGSnn8 +HqOqBpFuol32RB12laNjMGEwHQYDVR0OBBYEFK026R0pctsFs0qumItVbi/ZcKP6 +MB8GA1UdIwQYMBaAFAP1uJrOxcHqX5HpBxC/0gLUYzHtMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMCA4GLADCBhwJBA6lPEQ+FSyoT +mSmdffUb8OYoB132DK98wAqJaWIIl8Cuxcq/TdVTO8vwZFzRCerSWrseCi8EiA+H +dhcKJJ1flbsCQgClCy8YAOKHrqQ4NS5IPRUCWLYjS4cwnQjObHb5+lA4aJMs85Uq +v1HAvDC6ObSGCV+h9DYHTyWXaWgZsJoyPgXVDA== +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB7rnV1sLw6Zbw9GEBb +kGgygZlqOpkAmoJADlpfpOIXJVp6MNlTnhqsmeOZgAhD3CyhZANiAARr39Xo6Um7 +NXKTGbo9NoeJu7mxXTh3h1NKXYGd+7kaTkBHVlXPZeur5hdFZ/8dg40krBELftFh +sEmDf9dP6b0r9zDcjh+TBfUIHkF+vFU7xkp5/B6jqgaRbqJd9kQddpU= +-----END PRIVATE KEY----- diff --git a/test/ocsp-tests/root-cert.pem b/test/ocsp-tests/root-cert.pem new file mode 100644 index 0000000000..7a123ac87e --- /dev/null +++ b/test/ocsp-tests/root-cert.pem 
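Review bot: `opensslcmd` forwards its arguments as an unquoted `$@`, so any argument containing whitespace is re-split by the shell before reaching `openssl`; it should be `LD_LIBRARY_PATH=../.. ../../apps/openssl "$@"`. The script also runs without `set -e`, so if a `genpkey`/`req`/`ca` step fails the later steps, including the final `cat` lines that assemble `server.pem` and `ocsp.pem`, run against stale or missing files and produce fixtures that look complete but are inconsistent — add `set -eu` after the shebang (and prefer `: > index.txt` over `echo -n`, whose `-n` is implementation-defined under `#!/bin/sh`). Separately, `-days 365` on the server certificate means the committed leaf expires on 2024-12-21 (the `241221170717Z` entry in index.txt), after which any consumer that actually verifies the chain will fail; the root and intermediate use 3650 and 1825 days, so the leaf could reasonably get a comparable lifetime before the fixtures are regenerated.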
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICFjCCAXigAwIBAgIUXM2lq+OknWVAO84nbtJw0j+9tC4wCgYIKoZIzj0EAwIw +FTETMBEGA1UEAwwKVGVzdFJvb3RDQTAeFw0yMzEyMjIxNzA3MTdaFw0zMzEyMTkx +NzA3MTdaMBUxEzARBgNVBAMMClRlc3RSb290Q0EwgZswEAYHKoZIzj0CAQYFK4EE +ACMDgYYABAHu0OEJC9mfLC3AXhBQvzBdt6PQAhhk8NVsHg/8vjuVYFcA7oNuNm8F +8pINV5JbjBnYm1oIdivlAkYtdTRol0CI/wHTWWxhx8G5heu1IS8eylT5q3XEfyoo +XWxnzLQxAFLAfAfLyum6CCiL8PQSF2T1KNqH+tDLyXiJtFn8NLi0xR1/bqNjMGEw +HQYDVR0OBBYEFAP1uJrOxcHqX5HpBxC/0gLUYzHtMB8GA1UdIwQYMBaAFAP1uJrO +xcHqX5HpBxC/0gLUYzHtMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG +MAoGCCqGSM49BAMCA4GLADCBhwJBPEZv63dNmv++g0WouaaOtnVVeK/wZEfxv98H +FkEGzQd5aXpA3N+ndt73WbEIu0JQ3E/HV60q2/VAHWbKdyRm9swCQgCctR5fcrRe +C7EBlzuWBDJUSum2D74ZFTpkoV7tcx80an/BrlzvQNuHpotGxmxLQQc4INxmQa77 +X2hA+YT4DAc2eA== +-----END CERTIFICATE----- diff --git a/test/ocsp-tests/root-key.pem b/test/ocsp-tests/root-key.pem new file mode 100644 index 0000000000..c025188d88 --- /dev/null +++ b/test/ocsp-tests/root-key.pem @@ -0,0 +1,8 @@ +-----BEGIN PRIVATE KEY----- +MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIA0VOY/DcDqrOne8i9 +Vttq+jbmaFMhQSOfx7eJyq3phgfe2BJ1r0R8iwczsc/mzSYjd9Gyqwc4NO5HY9WO +NlIRFAKhgYkDgYYABAHu0OEJC9mfLC3AXhBQvzBdt6PQAhhk8NVsHg/8vjuVYFcA +7oNuNm8F8pINV5JbjBnYm1oIdivlAkYtdTRol0CI/wHTWWxhx8G5heu1IS8eylT5 +q3XEfyooXWxnzLQxAFLAfAfLyum6CCiL8PQSF2T1KNqH+tDLyXiJtFn8NLi0xR1/ +bg== +-----END PRIVATE KEY----- diff --git a/test/ocsp-tests/server-cert.pem b/test/ocsp-tests/server-cert.pem new file mode 100644 index 0000000000..ff5a1646ea --- /dev/null +++ b/test/ocsp-tests/server-cert.pem 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBtTCCATygAwIBAgIUc8igiUSIgJr+ly/gutNGAxjRzL8wCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwSVGVzdEludGVybWVkaWF0ZUNBMB4XDTIzMTIyMjE3MDcxN1oX +DTI0MTIyMTE3MDcxN1owFzEVMBMGA1UEAwwMVGVzdFNlcnZlckNBMFkwEwYHKoZI +zj0CAQYIKoZIzj0DAQcDQgAEs2TL/y4CoUDd4Vf2RLNRW1BWPCL30uz2Waio6/Ri +Naw2BSV0p/IGQrc57Q6xJxmo0viDigrQ6n0xgL8GkyEFn6NgMF4wDAYDVR0TAQH/ +BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFKqV4zgKs+ijvA1VXP/z4K89 +F/fGMB8GA1UdIwQYMBaAFK026R0pctsFs0qumItVbi/ZcKP6MAoGCCqGSM49BAMC +A2cAMGQCMEhvb5WRpIR3oTnCyj8S82XSwS+8HZjk2ORrovm1rycrHFshdts/5AnH +r3qjBY9khAIwXt9AXo829mkmB2OIZyczHDTsgjtDvwHuR682+R71WmCeD8AkLMJT +gcpvgA1oIi8p +-----END CERTIFICATE----- diff --git a/test/ocsp-tests/server-csr.pem b/test/ocsp-tests/server-csr.pem new file mode 100644 index 0000000000..cefb130450 --- /dev/null +++ b/test/ocsp-tests/server-csr.pem @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBITCBxwIBADAXMRUwEwYDVQQDDAxUZXN0U2VydmVyQ0EwWTATBgcqhkjOPQIB +BggqhkjOPQMBBwNCAASzZMv/LgKhQN3hV/ZEs1FbUFY8IvfS7PZZqKjr9GI1rDYF +JXSn8gZCtzntDrEnGajS+IOKCtDqfTGAvwaTIQWfoE4wTAYJKoZIhvcNAQkOMT8w +PTAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUqpXjOAqz +6KO8DVVc//Pgrz0X98YwCgYIKoZIzj0EAwIDSQAwRgIhANtinT6lF67B7HxcIEoC +zTyRNV+y9HuqCn1/hlrzvNgDAiEA1dh3fyrobsqDO15BeXbV9SIW2bux/JeznBL5 +8YPjtWg= +-----END CERTIFICATE REQUEST----- diff --git a/test/ocsp-tests/server-key.pem b/test/ocsp-tests/server-key.pem new file mode 100644 index 0000000000..a8f7b1cdda --- /dev/null +++ b/test/ocsp-tests/server-key.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2qWtFAsGbCGr89+1 +pICpHCzDXTxfbBOo86Cau5LXhqChRANCAASzZMv/LgKhQN3hV/ZEs1FbUFY8IvfS +7PZZqKjr9GI1rDYFJXSn8gZCtzntDrEnGajS+IOKCtDqfTGAvwaTIQWf +-----END PRIVATE KEY----- diff --git a/test/ocsp-tests/server.pem b/test/ocsp-tests/server.pem new file mode 100644 index 0000000000..26d7b6fe75 --- /dev/null +++ b/test/ocsp-tests/server.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIBtTCCATygAwIBAgIUc8igiUSIgJr+ly/gutNGAxjRzL8wCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwSVGVzdEludGVybWVkaWF0ZUNBMB4XDTIzMTIyMjE3MDcxN1oX +DTI0MTIyMTE3MDcxN1owFzEVMBMGA1UEAwwMVGVzdFNlcnZlckNBMFkwEwYHKoZI +zj0CAQYIKoZIzj0DAQcDQgAEs2TL/y4CoUDd4Vf2RLNRW1BWPCL30uz2Waio6/Ri +Naw2BSV0p/IGQrc57Q6xJxmo0viDigrQ6n0xgL8GkyEFn6NgMF4wDAYDVR0TAQH/ +BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFKqV4zgKs+ijvA1VXP/z4K89 +F/fGMB8GA1UdIwQYMBaAFK026R0pctsFs0qumItVbi/ZcKP6MAoGCCqGSM49BAMC +A2cAMGQCMEhvb5WRpIR3oTnCyj8S82XSwS+8HZjk2ORrovm1rycrHFshdts/5AnH +r3qjBY9khAIwXt9AXo829mkmB2OIZyczHDTsgjtDvwHuR682+R71WmCeD8AkLMJT +gcpvgA1oIi8p +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2qWtFAsGbCGr89+1 +pICpHCzDXTxfbBOo86Cau5LXhqChRANCAASzZMv/LgKhQN3hV/ZEs1FbUFY8IvfS +7PZZqKjr9GI1rDYFJXSn8gZCtzntDrEnGajS+IOKCtDqfTGAvwaTIQWf +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIB+DCCAVqgAwIBAgIUXFMqBp6K/J1oNTwtzIJt5oRYSHMwCgYIKoZIzj0EAwIw +FTETMBEGA1UEAwwKVGVzdFJvb3RDQTAeFw0yMzEyMjIxNzA3MTdaFw0yODEyMjAx +NzA3MTdaMB0xGzAZBgNVBAMMElRlc3RJbnRlcm1lZGlhdGVDQTB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABGvf1ejpSbs1cpMZuj02h4m7ubFdOHeHU0pdgZ37uRpOQEdW +Vc9l66vmF0Vn/x2DjSSsEQt+0WGwSYN/10/pvSv3MNyOH5MF9QgeQX68VTvGSnn8 +HqOqBpFuol32RB12laNjMGEwHQYDVR0OBBYEFK026R0pctsFs0qumItVbi/ZcKP6 +MB8GA1UdIwQYMBaAFAP1uJrOxcHqX5HpBxC/0gLUYzHtMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMCA4GLADCBhwJBA6lPEQ+FSyoT +mSmdffUb8OYoB132DK98wAqJaWIIl8Cuxcq/TdVTO8vwZFzRCerSWrseCi8EiA+H +dhcKJJ1flbsCQgClCy8YAOKHrqQ4NS5IPRUCWLYjS4cwnQjObHb5+lA4aJMs85Uq +v1HAvDC6ObSGCV+h9DYHTyWXaWgZsJoyPgXVDA== +-----END CERTIFICATE----- diff --git a/test/recipes/82-test_ocsp_cert_chain.t b/test/recipes/82-test_ocsp_cert_chain.t new file mode 100644 index 0000000000..351ed66b0a --- /dev/null +++ b/test/recipes/82-test_ocsp_cert_chain.t 
@@ -0,0 +1,143 @@
+#! /usr/bin/env perl
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+use IPC::Open3;
+use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_file/;
+use OpenSSL::Test::Utils;
+use Symbol 'gensym';
+
+my $test_name = "test_ocsp_cert_chain";
+setup($test_name);
+
+plan skip_all => "$test_name requires OCSP support"
+ if disabled("ocsp");
+plan skip_all => "$test_name requires EC cryptography"
+ if disabled("ec");
+plan skip_all => "$test_name requires sock enabled"
+ if disabled("sock");
+plan skip_all => "$test_name requires TLS enabled"
+ if alldisabled(available_protocols("tls"));
+plan skip_all => "$test_name is not available Windows or VMS"
+ if $^O =~ /^(VMS|MSWin32|msys)$/;
+
+plan tests => 3;
+
+my $shlib_wrap = bldtop_file("util", "shlib_wrap.sh");
+my $apps_openssl = bldtop_file("apps", "openssl");
+
+my $index_txt = srctop_file("test", "ocsp-tests", "index.txt");
+my $ocsp_pem = srctop_file("test", "ocsp-tests", "ocsp.pem");
+my $intermediate_cert_pem = srctop_file("test", "ocsp-tests", "intermediate-cert.pem");
+
+my $server_pem = srctop_file("test", "ocsp-tests", "server.pem");
+
+sub run_test {
+
+ # this test starts two servers that listen on respective ports.
+ # that can be problematic since the ports may not be available
+ # (e.g. when multiple instances of the test are run on the same
+ # machine).
+
+ # to avoid this, we specify port 0 when staring each server, which
+ # causes the OS to provide a random unused port.
+
+ # using a random port with s_server is straightforward.
doing so
+ # with the ocsp responder required some investigation because the
+ # url for the ocsp responder is usually included in the server's
+ # cert (normally, in the authority-information-access extension,
+ # and it would be complicated to change that when the test
+ # executes). however, s_server has an option "-status_url" that
+ # can be used to specify a fallback url when no url is specified
+ # in the cert. that is what we do here.
+
+ # openssl ocsp -port 0 -index index.txt -rsigner ocsp.pem -CA intermediate-cert.pem
+ my @ocsp_cmd = ("ocsp", "-port", "0", "-index", $index_txt, "-rsigner", $ocsp_pem, "-CA", $intermediate_cert_pem);
+ my $ocsp_pid = open3(my $ocsp_i, my $ocsp_o, my $ocsp_e = gensym, $shlib_wrap, $apps_openssl, @ocsp_cmd);
+
+ ## ipv4
+ # ACCEPT 0.0.0.0:19254 PID=620007
+ ## ipv6
+ # ACCEPT [::]:19254 PID=620007
+ my $port = "0";
+ while (<$ocsp_o>) {
+ print($_);
+ chomp;
+ if (/^ACCEPT 0.0.0.0:(\d+)/) {
+ $port = $1;
+ last;
+ } elsif (/^ACCEPT \[::\]:(\d+)/) {
+ $port = $1;
+ last;
+ } else {
+ last;
+ }
+ }
+ ok($port ne "0", "ocsp server port check");
+ my $ocsp_port = $port;
+
+ print("ocsp server ready, listening on port $ocsp_port\n");
+
+ # openssl s_server -accept 0 -cert server.pem -cert_chain intermediate-cert.pem \
+ # -status_verbose -status_url http://localhost:19254/ocsp
+ my @s_server_cmd = ("s_server", "-accept", "0", "-cert", $server_pem, "-cert_chain", $intermediate_cert_pem,
+ "-status_verbose", "-status_url", "http://localhost:${ocsp_port}/ocsp");
+ my $s_server_pid = open3(my $s_server_i, my $s_server_o, my $s_server_e = gensym, $shlib_wrap, $apps_openssl, @s_server_cmd);
+
+ # ACCEPT 0.0.0.0:45921
+ # ACCEPT [::]:45921
+ $port = "0";
+ while (<$s_server_o>) {
+ print($_);
+ chomp;
+ if (/^ACCEPT 0.0.0.0:(\d+)/) {
+ $port = $1;
+ last;
+ } elsif (/^ACCEPT \[::\]:(\d+)/) {
+ $port = $1;
+ last;
+ } elsif (/^Using default/) {
+ ;
+ } else {
+ last;
+ }
+ }
+ ok($port ne "0", "s_server port check");
+ my $server_port =
$port;
+
+ print("s_server ready, listening on port $server_port\n");
+
+ # openssl s_client -connect localhost:45921 -status -verify_return_error
+ my @s_client_cmd = ("s_client", "-connect", "localhost:$server_port", "-status", "-verify_return_error");
+ my $s_client_pid = open3(my $s_client_i, my $s_client_o, my $s_client_e = gensym, $shlib_wrap, $apps_openssl, @s_client_cmd);
+
+ ### the output from s_server that we want to check is written to its stderr
+ ### cert_status: ocsp response sent:
+
+ my $resp = 0;
+ while (<$s_server_e>) {
+ print($_);
+ chomp;
+ if (/^cert_status: ocsp response sent:/) {
+ $resp = 1;
+ last;
+ } elsif (/^cert_status:/) {
+ ;
+ } else {
+ last;
+ }
+ }
+ ok($resp == 1, "check s_server sent ocsp response");
+
+ waitpid($s_client_pid, 0);
+ kill 'HUP', $s_server_pid, $ocsp_pid;
+}
+
+run_test();
-- cgit v1.2.3
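Review bot: The third `ok` only proves that s_server printed `cert_status: ocsp response sent:`; `$s_client_o` is never read and the s_client exit status after `waitpid` is never checked, so the test still passes if the stapled response is malformed, signed by the wrong responder, or says `revoked` — which is precisely what the new `-cert_chain` lookup is supposed to get right. As written, `-verify_return_error` without a `-CAfile` also means the client presumably cannot build a trusted chain from the committed fixtures, so its outcome carries no signal either way; adding `"-CAfile", srctop_file("test", "ocsp-tests", "root-cert.pem")` to `@s_client_cmd`, then scanning `$s_client_o` for the `Cert Status: good` line that `-status` prints in the decoded response and asserting on it (with `plan tests` bumped accordingly), would pin the behaviour the commit claims. The two `while (<...>)` startup loops block forever if a daemon dies before printing `ACCEPT` (e.g. a port bind failure), and after `kill 'HUP'` neither daemon is reaped; an `alarm`-based timeout around those reads and a `waitpid` for `$s_server_pid` and `$ocsp_pid` after the `kill` would keep a failing run from hanging the harness or leaving listeners behind.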