diff options
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rwxr-xr-x | tests/ocsp-tests/ocsp-must-staple-connection | 111 | ||||
-rw-r--r-- | tests/ocsp-tests/response3.der | 2 |
3 files changed, 113 insertions, 2 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 8d71fc4bf0..0387bf7389 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -57,7 +57,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \ scripts/common.sh scripts/starttls-common.sh \ rng-op.c x509sign-verify-common.h common-key-tests.h \ ocsp-tests/certs/ca.key ocsp-tests/certs/ca.pem ocsp-tests/certs/ocsp-server.key ocsp-tests/certs/ocsp-server.pem ocsp-tests/response1.der \ - ocsp-tests/response2.der ocsp-tests/certs/ocsp_index.txt ocsp-tests/certs/ocsp_index.txt.attr \ + ocsp-tests/response2.der ocsp-tests/response3.der ocsp-tests/certs/ocsp_index.txt ocsp-tests/certs/ocsp_index.txt.attr \ ocsp-tests/response1.pem ocsp-tests/response2.pem \ ocsp-tests/certs/server_good.key ocsp-tests/certs/server_bad.key ocsp-tests/certs/server_good.template \ ocsp-tests/certs/server_bad.template ocsp-tests/certs/ocsp-staple-unrelated.der ocsp-tests/suppressions.valgrind \ diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection index 49c355dda3..55d718ddf0 100755 --- a/tests/ocsp-tests/ocsp-must-staple-connection +++ b/tests/ocsp-tests/ocsp-must-staple-connection @@ -26,6 +26,7 @@ GNUTLS_CLI="${GNUTLS_CLI:-../src/gnutls-cli${EXEEXT}}" DIFF="${DIFF:-diff}" TEMPLATE_FILE="ms-out.$$.tmpl.tmp" SERVER_CERT_FILE="ms-cert.$$.pem.tmp" +SERVER_CERT_NO_EXT_FILE="ms-cert-no-ext.$$.pem.tmp" OCSP_RESPONSE_FILE="ms-resp.$$.tmp" OCSP_REQ_FILE="ms-req.$$.tmp" @@ -86,6 +87,7 @@ stop_servers () test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}" rm -f "$TEMPLATE_FILE" rm -f "$SERVER_CERT_FILE" + rm -f "$SERVER_CERT_NO_EXT_FILE" rm -f "$OCSP_RESPONSE_FILE" rm -f "$OCSP_REQ_FILE" } @@ -97,13 +99,21 @@ rm -f "$TEMPLATE_FILE" cp "${srcdir}/ocsp-tests/certs/server_good.template" "$TEMPLATE_FILE" chmod u+w "$TEMPLATE_FILE" echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE" -echo "tls_feature = 5" >>"$TEMPLATE_FILE" # Generate certificates with the random port datefudge -s "${CERTDATE}" ${CERTTOOL} \ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \ + --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_NO_EXT_FILE}" 2>/dev/null + +# Generate certificates with the random port (with mandatory stapling extension) +echo "tls_feature = 5" >>"$TEMPLATE_FILE" + +datefudge -s "${CERTDATE}" ${CERTTOOL} \ + --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ + --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ + --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null echo "=== Bringing OCSP server up ===" @@ -392,6 +402,105 @@ kill "${TLS_SERVER_PID}" wait "${TLS_SERVER_PID}" unset TLS_SERVER_PID +echo "=== Test 7: OSCP response error - client doesn't send status_request ===" + +eval "${GETPORT}" +# Port for gnutls-serv +TLS_SERVER_PORT=$PORT +PORT=${TLS_SERVER_PORT} +launch_bare_server $$ \ + datefudge "${TESTDATE}" \ + "${GNUTLS_SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ + --port="${TLS_SERVER_PORT}" \ + --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors +TLS_SERVER_PID="${!}" +wait_server $TLS_SERVER_PID + +wait_for_port "${TLS_SERVER_PORT}" + +echo "test 123456" | \ + datefudge -s "${TESTDATE}" \ + "${GNUTLS_CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost +rc=$? + +if test "${rc}" != "0"; then + echo "Connecting to server with valid certificate and OCSP error response failed" + exit ${rc} +fi + +kill "${TLS_SERVER_PID}" +wait "${TLS_SERVER_PID}" +unset TLS_SERVER_PID + +echo "=== Test 8: OSCP response error - client sends status_request, no TLS feature extension ===" + +eval "${GETPORT}" +# Port for gnutls-serv +TLS_SERVER_PORT=$PORT +PORT=${TLS_SERVER_PORT} +launch_bare_server $$ \ + datefudge "${TESTDATE}" \ + "${GNUTLS_SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_NO_EXT_FILE}" \ + --port="${TLS_SERVER_PORT}" \ + --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors +TLS_SERVER_PID="${!}" +wait_server $TLS_SERVER_PID + +wait_for_port "${TLS_SERVER_PORT}" + +echo "test 123456" | \ + datefudge -s "${TESTDATE}" \ + "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost +rc=$? + +if test "${rc}" != "0"; then + echo "Connecting to server with valid certificate and OCSP error response failed" + exit ${rc} +fi + +kill "${TLS_SERVER_PID}" +wait "${TLS_SERVER_PID}" +unset TLS_SERVER_PID + +echo "=== Test 9: OSCP response error - client sends status_request, TLS feature extension present ===" + +eval "${GETPORT}" +# Port for gnutls-serv +TLS_SERVER_PORT=$PORT +PORT=${TLS_SERVER_PORT} +launch_bare_server $$ \ + datefudge "${TESTDATE}" \ + "${GNUTLS_SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ + --port="${TLS_SERVER_PORT}" \ + --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors +TLS_SERVER_PID="${!}" +wait_server $TLS_SERVER_PID + +wait_for_port "${TLS_SERVER_PORT}" + +echo "test 123456" | \ + datefudge -s "${TESTDATE}" \ + "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost +rc=$? + +if test "${rc}" = "0"; then + echo "Connecting to server with valid certificate and OCSP error response unexpectedly succeeded" + exit ${rc} +fi + +kill "${TLS_SERVER_PID}" +wait "${TLS_SERVER_PID}" +unset TLS_SERVER_PID + kill ${OCSP_PID} wait ${OCSP_PID} diff --git a/tests/ocsp-tests/response3.der b/tests/ocsp-tests/response3.der new file mode 100644 index 0000000000..39e09cffaa --- /dev/null +++ b/tests/ocsp-tests/response3.der @@ -0,0 +1,2 @@ +0 +
\ No newline at end of file |