mirror of https://github.com/openssl/openssl
s_server: test ocsp with "-cert_chain"
Add a test to exercise the use of s_server with "-cert_chain" to construct an ocsp request. This new functionality was added in PR #22192. Testing: make V=1 TESTS='test_ocsp_cert_chain' test Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23101)
This commit is contained in:
parent
7f8aba2f44
commit
cf8422480a
|
@ -0,0 +1,34 @@
|
|||
HOME = .
|
||||
default_ca = ca
|
||||
config_diagnostics = 1
|
||||
|
||||
####################################################################
|
||||
|
||||
[ req ]
|
||||
x509_extensions = v3_ca
|
||||
|
||||
####################################################################
|
||||
|
||||
[ usr_cert ]
|
||||
basicConstraints = critical, CA:FALSE
|
||||
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
||||
subjectKeyIdentifier = hash
|
||||
##authorityInfoAccess = OCSP;URI:http://127.0.0.1:19254/ocsp
|
||||
# we do not include aia in the cert.
|
||||
# we use the s_server option "-status_url" to specify the url.
|
||||
|
||||
####################################################################
|
||||
|
||||
[ v3_ca ]
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = critical, cRLSign, keyCertSign
|
||||
|
||||
####################################################################
|
||||
|
||||
# Minimal CA entry to allow generation of CRLs.
|
||||
[ ca ]
|
||||
default_md = sha256
|
||||
database = index.txt
|
||||
crlnumber = crlnum.txt
|
|
@ -0,0 +1 @@
|
|||
V 241221170717Z 73C8A0894488809AFE972FE0BAD3460318D1CCBF unknown /CN=TestServerCA
|
|
@ -0,0 +1 @@
|
|||
unique_subject = yes
|
|
@ -0,0 +1,13 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIB+DCCAVqgAwIBAgIUXFMqBp6K/J1oNTwtzIJt5oRYSHMwCgYIKoZIzj0EAwIw
|
||||
FTETMBEGA1UEAwwKVGVzdFJvb3RDQTAeFw0yMzEyMjIxNzA3MTdaFw0yODEyMjAx
|
||||
NzA3MTdaMB0xGzAZBgNVBAMMElRlc3RJbnRlcm1lZGlhdGVDQTB2MBAGByqGSM49
|
||||
AgEGBSuBBAAiA2IABGvf1ejpSbs1cpMZuj02h4m7ubFdOHeHU0pdgZ37uRpOQEdW
|
||||
Vc9l66vmF0Vn/x2DjSSsEQt+0WGwSYN/10/pvSv3MNyOH5MF9QgeQX68VTvGSnn8
|
||||
HqOqBpFuol32RB12laNjMGEwHQYDVR0OBBYEFK026R0pctsFs0qumItVbi/ZcKP6
|
||||
MB8GA1UdIwQYMBaAFAP1uJrOxcHqX5HpBxC/0gLUYzHtMA8GA1UdEwEB/wQFMAMB
|
||||
Af8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMCA4GLADCBhwJBA6lPEQ+FSyoT
|
||||
mSmdffUb8OYoB132DK98wAqJaWIIl8Cuxcq/TdVTO8vwZFzRCerSWrseCi8EiA+H
|
||||
dhcKJJ1flbsCQgClCy8YAOKHrqQ4NS5IPRUCWLYjS4cwnQjObHb5+lA4aJMs85Uq
|
||||
v1HAvDC6ObSGCV+h9DYHTyWXaWgZsJoyPgXVDA==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,8 @@
|
|||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIBFTCBnAIBADAdMRswGQYDVQQDDBJUZXN0SW50ZXJtZWRpYXRlQ0EwdjAQBgcq
|
||||
hkjOPQIBBgUrgQQAIgNiAARr39Xo6Um7NXKTGbo9NoeJu7mxXTh3h1NKXYGd+7ka
|
||||
TkBHVlXPZeur5hdFZ/8dg40krBELftFhsEmDf9dP6b0r9zDcjh+TBfUIHkF+vFU7
|
||||
xkp5/B6jqgaRbqJd9kQddpWgADAKBggqhkjOPQQDAgNoADBlAjBjsIsCYu4rcGoW
|
||||
FoNw+9ON/16cBk/Roo6BysamuqZYWBjpzQgFEeGRXPL7zs/AdN8CMQDjOlJ47Q7V
|
||||
2OoRkMbv4OOGyIoPpndPqjPnxmTujgAppK2wC/KtIJaGTilOEzUqMb8=
|
||||
-----END CERTIFICATE REQUEST-----
|
|
@ -0,0 +1,6 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB7rnV1sLw6Zbw9GEBb
|
||||
kGgygZlqOpkAmoJADlpfpOIXJVp6MNlTnhqsmeOZgAhD3CyhZANiAARr39Xo6Um7
|
||||
NXKTGbo9NoeJu7mxXTh3h1NKXYGd+7kaTkBHVlXPZeur5hdFZ/8dg40krBELftFh
|
||||
sEmDf9dP6b0r9zDcjh+TBfUIHkF+vFU7xkp5/B6jqgaRbqJd9kQddpU=
|
||||
-----END PRIVATE KEY-----
|
|
@ -0,0 +1,100 @@
|
|||
#!/bin/sh
|
||||
|
||||
opensslcmd() {
|
||||
LD_LIBRARY_PATH=../.. ../../apps/openssl $@
|
||||
}
|
||||
|
||||
# report the openssl version
|
||||
opensslcmd version
|
||||
|
||||
echo "Creating private keys and certs..."
|
||||
|
||||
#####
|
||||
|
||||
# root CA private key
|
||||
opensslcmd genpkey \
|
||||
-algorithm EC \
|
||||
-pkeyopt ec_paramgen_curve:secp521r1 \
|
||||
-pkeyopt ec_param_enc:named_curve \
|
||||
-out root-key.pem
|
||||
|
||||
# root CA certificate (self-signed)
|
||||
opensslcmd req \
|
||||
-config ca.cnf \
|
||||
-x509 \
|
||||
-days 3650 \
|
||||
-key root-key.pem \
|
||||
-subj /CN=TestRootCA \
|
||||
-out root-cert.pem
|
||||
#####
|
||||
|
||||
# intermediate CA private key
|
||||
opensslcmd genpkey \
|
||||
-algorithm EC \
|
||||
-pkeyopt ec_paramgen_curve:secp384r1 \
|
||||
-pkeyopt ec_param_enc:named_curve \
|
||||
-out intermediate-key.pem
|
||||
|
||||
# intermediate CA certificate-signing-request
|
||||
opensslcmd req \
|
||||
-config ca.cnf \
|
||||
-new \
|
||||
-key intermediate-key.pem \
|
||||
-subj /CN=TestIntermediateCA \
|
||||
-out intermediate-csr.pem
|
||||
|
||||
# intermediate CA certificate (signed by root CA)
|
||||
opensslcmd req \
|
||||
-config ca.cnf \
|
||||
-x509 \
|
||||
-days 1825 \
|
||||
-CA root-cert.pem \
|
||||
-CAkey root-key.pem \
|
||||
-in intermediate-csr.pem \
|
||||
-copy_extensions copyall \
|
||||
-out intermediate-cert.pem
|
||||
#####
|
||||
|
||||
# server key
|
||||
opensslcmd genpkey \
|
||||
-algorithm EC \
|
||||
-pkeyopt ec_paramgen_curve:prime256v1 \
|
||||
-pkeyopt ec_param_enc:named_curve \
|
||||
-out server-key.pem
|
||||
|
||||
# server certificate-signing-request
|
||||
opensslcmd req \
|
||||
-config ca.cnf \
|
||||
-extensions usr_cert \
|
||||
-new \
|
||||
-key server-key.pem \
|
||||
-subj /CN=TestServerCA \
|
||||
-out server-csr.pem
|
||||
|
||||
# server certificate (signed by intermediate CA)
|
||||
opensslcmd req \
|
||||
-config ca.cnf \
|
||||
-extensions usr_cert \
|
||||
-x509 \
|
||||
-days 365 \
|
||||
-CA intermediate-cert.pem \
|
||||
-CAkey intermediate-key.pem \
|
||||
-in server-csr.pem \
|
||||
-copy_extensions copyall \
|
||||
-out server-cert.pem
|
||||
#####
|
||||
|
||||
rm -f index.txt index.txt.attr
|
||||
echo -n > index.txt
|
||||
opensslcmd ca \
|
||||
-config ca.cnf \
|
||||
-valid server-cert.pem \
|
||||
-keyfile intermediate-key.pem \
|
||||
-cert intermediate-cert.pem
|
||||
rm -f index.txt.old
|
||||
#####
|
||||
|
||||
cat server-cert.pem server-key.pem intermediate-cert.pem > server.pem
|
||||
cat intermediate-cert.pem intermediate-key.pem > ocsp.pem
|
||||
|
||||
echo "Done."
|
|
@ -0,0 +1,19 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIB+DCCAVqgAwIBAgIUXFMqBp6K/J1oNTwtzIJt5oRYSHMwCgYIKoZIzj0EAwIw
|
||||
FTETMBEGA1UEAwwKVGVzdFJvb3RDQTAeFw0yMzEyMjIxNzA3MTdaFw0yODEyMjAx
|
||||
NzA3MTdaMB0xGzAZBgNVBAMMElRlc3RJbnRlcm1lZGlhdGVDQTB2MBAGByqGSM49
|
||||
AgEGBSuBBAAiA2IABGvf1ejpSbs1cpMZuj02h4m7ubFdOHeHU0pdgZ37uRpOQEdW
|
||||
Vc9l66vmF0Vn/x2DjSSsEQt+0WGwSYN/10/pvSv3MNyOH5MF9QgeQX68VTvGSnn8
|
||||
HqOqBpFuol32RB12laNjMGEwHQYDVR0OBBYEFK026R0pctsFs0qumItVbi/ZcKP6
|
||||
MB8GA1UdIwQYMBaAFAP1uJrOxcHqX5HpBxC/0gLUYzHtMA8GA1UdEwEB/wQFMAMB
|
||||
Af8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMCA4GLADCBhwJBA6lPEQ+FSyoT
|
||||
mSmdffUb8OYoB132DK98wAqJaWIIl8Cuxcq/TdVTO8vwZFzRCerSWrseCi8EiA+H
|
||||
dhcKJJ1flbsCQgClCy8YAOKHrqQ4NS5IPRUCWLYjS4cwnQjObHb5+lA4aJMs85Uq
|
||||
v1HAvDC6ObSGCV+h9DYHTyWXaWgZsJoyPgXVDA==
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB7rnV1sLw6Zbw9GEBb
|
||||
kGgygZlqOpkAmoJADlpfpOIXJVp6MNlTnhqsmeOZgAhD3CyhZANiAARr39Xo6Um7
|
||||
NXKTGbo9NoeJu7mxXTh3h1NKXYGd+7kaTkBHVlXPZeur5hdFZ/8dg40krBELftFh
|
||||
sEmDf9dP6b0r9zDcjh+TBfUIHkF+vFU7xkp5/B6jqgaRbqJd9kQddpU=
|
||||
-----END PRIVATE KEY-----
|
|
@ -0,0 +1,14 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICFjCCAXigAwIBAgIUXM2lq+OknWVAO84nbtJw0j+9tC4wCgYIKoZIzj0EAwIw
|
||||
FTETMBEGA1UEAwwKVGVzdFJvb3RDQTAeFw0yMzEyMjIxNzA3MTdaFw0zMzEyMTkx
|
||||
NzA3MTdaMBUxEzARBgNVBAMMClRlc3RSb290Q0EwgZswEAYHKoZIzj0CAQYFK4EE
|
||||
ACMDgYYABAHu0OEJC9mfLC3AXhBQvzBdt6PQAhhk8NVsHg/8vjuVYFcA7oNuNm8F
|
||||
8pINV5JbjBnYm1oIdivlAkYtdTRol0CI/wHTWWxhx8G5heu1IS8eylT5q3XEfyoo
|
||||
XWxnzLQxAFLAfAfLyum6CCiL8PQSF2T1KNqH+tDLyXiJtFn8NLi0xR1/bqNjMGEw
|
||||
HQYDVR0OBBYEFAP1uJrOxcHqX5HpBxC/0gLUYzHtMB8GA1UdIwQYMBaAFAP1uJrO
|
||||
xcHqX5HpBxC/0gLUYzHtMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG
|
||||
MAoGCCqGSM49BAMCA4GLADCBhwJBPEZv63dNmv++g0WouaaOtnVVeK/wZEfxv98H
|
||||
FkEGzQd5aXpA3N+ndt73WbEIu0JQ3E/HV60q2/VAHWbKdyRm9swCQgCctR5fcrRe
|
||||
C7EBlzuWBDJUSum2D74ZFTpkoV7tcx80an/BrlzvQNuHpotGxmxLQQc4INxmQa77
|
||||
X2hA+YT4DAc2eA==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,8 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIA0VOY/DcDqrOne8i9
|
||||
Vttq+jbmaFMhQSOfx7eJyq3phgfe2BJ1r0R8iwczsc/mzSYjd9Gyqwc4NO5HY9WO
|
||||
NlIRFAKhgYkDgYYABAHu0OEJC9mfLC3AXhBQvzBdt6PQAhhk8NVsHg/8vjuVYFcA
|
||||
7oNuNm8F8pINV5JbjBnYm1oIdivlAkYtdTRol0CI/wHTWWxhx8G5heu1IS8eylT5
|
||||
q3XEfyooXWxnzLQxAFLAfAfLyum6CCiL8PQSF2T1KNqH+tDLyXiJtFn8NLi0xR1/
|
||||
bg==
|
||||
-----END PRIVATE KEY-----
|
|
@ -0,0 +1,12 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBtTCCATygAwIBAgIUc8igiUSIgJr+ly/gutNGAxjRzL8wCgYIKoZIzj0EAwIw
|
||||
HTEbMBkGA1UEAwwSVGVzdEludGVybWVkaWF0ZUNBMB4XDTIzMTIyMjE3MDcxN1oX
|
||||
DTI0MTIyMTE3MDcxN1owFzEVMBMGA1UEAwwMVGVzdFNlcnZlckNBMFkwEwYHKoZI
|
||||
zj0CAQYIKoZIzj0DAQcDQgAEs2TL/y4CoUDd4Vf2RLNRW1BWPCL30uz2Waio6/Ri
|
||||
Naw2BSV0p/IGQrc57Q6xJxmo0viDigrQ6n0xgL8GkyEFn6NgMF4wDAYDVR0TAQH/
|
||||
BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFKqV4zgKs+ijvA1VXP/z4K89
|
||||
F/fGMB8GA1UdIwQYMBaAFK026R0pctsFs0qumItVbi/ZcKP6MAoGCCqGSM49BAMC
|
||||
A2cAMGQCMEhvb5WRpIR3oTnCyj8S82XSwS+8HZjk2ORrovm1rycrHFshdts/5AnH
|
||||
r3qjBY9khAIwXt9AXo829mkmB2OIZyczHDTsgjtDvwHuR682+R71WmCeD8AkLMJT
|
||||
gcpvgA1oIi8p
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,9 @@
|
|||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIBITCBxwIBADAXMRUwEwYDVQQDDAxUZXN0U2VydmVyQ0EwWTATBgcqhkjOPQIB
|
||||
BggqhkjOPQMBBwNCAASzZMv/LgKhQN3hV/ZEs1FbUFY8IvfS7PZZqKjr9GI1rDYF
|
||||
JXSn8gZCtzntDrEnGajS+IOKCtDqfTGAvwaTIQWfoE4wTAYJKoZIhvcNAQkOMT8w
|
||||
PTAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUqpXjOAqz
|
||||
6KO8DVVc//Pgrz0X98YwCgYIKoZIzj0EAwIDSQAwRgIhANtinT6lF67B7HxcIEoC
|
||||
zTyRNV+y9HuqCn1/hlrzvNgDAiEA1dh3fyrobsqDO15BeXbV9SIW2bux/JeznBL5
|
||||
8YPjtWg=
|
||||
-----END CERTIFICATE REQUEST-----
|
|
@ -0,0 +1,5 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2qWtFAsGbCGr89+1
|
||||
pICpHCzDXTxfbBOo86Cau5LXhqChRANCAASzZMv/LgKhQN3hV/ZEs1FbUFY8IvfS
|
||||
7PZZqKjr9GI1rDYFJXSn8gZCtzntDrEnGajS+IOKCtDqfTGAvwaTIQWf
|
||||
-----END PRIVATE KEY-----
|
|
@ -0,0 +1,30 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBtTCCATygAwIBAgIUc8igiUSIgJr+ly/gutNGAxjRzL8wCgYIKoZIzj0EAwIw
|
||||
HTEbMBkGA1UEAwwSVGVzdEludGVybWVkaWF0ZUNBMB4XDTIzMTIyMjE3MDcxN1oX
|
||||
DTI0MTIyMTE3MDcxN1owFzEVMBMGA1UEAwwMVGVzdFNlcnZlckNBMFkwEwYHKoZI
|
||||
zj0CAQYIKoZIzj0DAQcDQgAEs2TL/y4CoUDd4Vf2RLNRW1BWPCL30uz2Waio6/Ri
|
||||
Naw2BSV0p/IGQrc57Q6xJxmo0viDigrQ6n0xgL8GkyEFn6NgMF4wDAYDVR0TAQH/
|
||||
BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFKqV4zgKs+ijvA1VXP/z4K89
|
||||
F/fGMB8GA1UdIwQYMBaAFK026R0pctsFs0qumItVbi/ZcKP6MAoGCCqGSM49BAMC
|
||||
A2cAMGQCMEhvb5WRpIR3oTnCyj8S82XSwS+8HZjk2ORrovm1rycrHFshdts/5AnH
|
||||
r3qjBY9khAIwXt9AXo829mkmB2OIZyczHDTsgjtDvwHuR682+R71WmCeD8AkLMJT
|
||||
gcpvgA1oIi8p
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2qWtFAsGbCGr89+1
|
||||
pICpHCzDXTxfbBOo86Cau5LXhqChRANCAASzZMv/LgKhQN3hV/ZEs1FbUFY8IvfS
|
||||
7PZZqKjr9GI1rDYFJXSn8gZCtzntDrEnGajS+IOKCtDqfTGAvwaTIQWf
|
||||
-----END PRIVATE KEY-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIB+DCCAVqgAwIBAgIUXFMqBp6K/J1oNTwtzIJt5oRYSHMwCgYIKoZIzj0EAwIw
|
||||
FTETMBEGA1UEAwwKVGVzdFJvb3RDQTAeFw0yMzEyMjIxNzA3MTdaFw0yODEyMjAx
|
||||
NzA3MTdaMB0xGzAZBgNVBAMMElRlc3RJbnRlcm1lZGlhdGVDQTB2MBAGByqGSM49
|
||||
AgEGBSuBBAAiA2IABGvf1ejpSbs1cpMZuj02h4m7ubFdOHeHU0pdgZ37uRpOQEdW
|
||||
Vc9l66vmF0Vn/x2DjSSsEQt+0WGwSYN/10/pvSv3MNyOH5MF9QgeQX68VTvGSnn8
|
||||
HqOqBpFuol32RB12laNjMGEwHQYDVR0OBBYEFK026R0pctsFs0qumItVbi/ZcKP6
|
||||
MB8GA1UdIwQYMBaAFAP1uJrOxcHqX5HpBxC/0gLUYzHtMA8GA1UdEwEB/wQFMAMB
|
||||
Af8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMCA4GLADCBhwJBA6lPEQ+FSyoT
|
||||
mSmdffUb8OYoB132DK98wAqJaWIIl8Cuxcq/TdVTO8vwZFzRCerSWrseCi8EiA+H
|
||||
dhcKJJ1flbsCQgClCy8YAOKHrqQ4NS5IPRUCWLYjS4cwnQjObHb5+lA4aJMs85Uq
|
||||
v1HAvDC6ObSGCV+h9DYHTyWXaWgZsJoyPgXVDA==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,143 @@
|
|||
#! /usr/bin/env perl
|
||||
# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
# in the file LICENSE in the source distribution or at
|
||||
# https://www.openssl.org/source/license.html
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
use IPC::Open3;
|
||||
use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_file/;
|
||||
use OpenSSL::Test::Utils;
|
||||
use Symbol 'gensym';
|
||||
|
||||
my $test_name = "test_ocsp_cert_chain";
|
||||
setup($test_name);
|
||||
|
||||
plan skip_all => "$test_name requires OCSP support"
|
||||
if disabled("ocsp");
|
||||
plan skip_all => "$test_name requires EC cryptography"
|
||||
if disabled("ec");
|
||||
plan skip_all => "$test_name requires sock enabled"
|
||||
if disabled("sock");
|
||||
plan skip_all => "$test_name requires TLS enabled"
|
||||
if alldisabled(available_protocols("tls"));
|
||||
plan skip_all => "$test_name is not available Windows or VMS"
|
||||
if $^O =~ /^(VMS|MSWin32|msys)$/;
|
||||
|
||||
plan tests => 3;
|
||||
|
||||
my $shlib_wrap = bldtop_file("util", "shlib_wrap.sh");
|
||||
my $apps_openssl = bldtop_file("apps", "openssl");
|
||||
|
||||
my $index_txt = srctop_file("test", "ocsp-tests", "index.txt");
|
||||
my $ocsp_pem = srctop_file("test", "ocsp-tests", "ocsp.pem");
|
||||
my $intermediate_cert_pem = srctop_file("test", "ocsp-tests", "intermediate-cert.pem");
|
||||
|
||||
my $server_pem = srctop_file("test", "ocsp-tests", "server.pem");
|
||||
|
||||
sub run_test {
|
||||
|
||||
# this test starts two servers that listen on respective ports.
|
||||
# that can be problematic since the ports may not be available
|
||||
# (e.g. when multiple instances of the test are run on the same
|
||||
# machine).
|
||||
|
||||
# to avoid this, we specify port 0 when staring each server, which
|
||||
# causes the OS to provide a random unused port.
|
||||
|
||||
# using a random port with s_server is straightforward. doing so
|
||||
# with the ocsp responder required some investigation because the
|
||||
# url for the ocsp responder is usually included in the server's
|
||||
# cert (normally, in the authority-information-access extension,
|
||||
# and it would be complicated to change that when the test
|
||||
# executes). however, s_server has an option "-status_url" that
|
||||
# can be used to specify a fallback url when no url is specified
|
||||
# in the cert. that is what we do here.
|
||||
|
||||
# openssl ocsp -port 0 -index index.txt -rsigner ocsp.pem -CA intermediate-cert.pem
|
||||
my @ocsp_cmd = ("ocsp", "-port", "0", "-index", $index_txt, "-rsigner", $ocsp_pem, "-CA", $intermediate_cert_pem);
|
||||
my $ocsp_pid = open3(my $ocsp_i, my $ocsp_o, my $ocsp_e = gensym, $shlib_wrap, $apps_openssl, @ocsp_cmd);
|
||||
|
||||
## ipv4
|
||||
# ACCEPT 0.0.0.0:19254 PID=620007
|
||||
## ipv6
|
||||
# ACCEPT [::]:19254 PID=620007
|
||||
my $port = "0";
|
||||
while (<$ocsp_o>) {
|
||||
print($_);
|
||||
chomp;
|
||||
if (/^ACCEPT 0.0.0.0:(\d+)/) {
|
||||
$port = $1;
|
||||
last;
|
||||
} elsif (/^ACCEPT \[::\]:(\d+)/) {
|
||||
$port = $1;
|
||||
last;
|
||||
} else {
|
||||
last;
|
||||
}
|
||||
}
|
||||
ok($port ne "0", "ocsp server port check");
|
||||
my $ocsp_port = $port;
|
||||
|
||||
print("ocsp server ready, listening on port $ocsp_port\n");
|
||||
|
||||
# openssl s_server -accept 0 -cert server.pem -cert_chain intermediate-cert.pem \
|
||||
# -status_verbose -status_url http://localhost:19254/ocsp
|
||||
my @s_server_cmd = ("s_server", "-accept", "0", "-cert", $server_pem, "-cert_chain", $intermediate_cert_pem,
|
||||
"-status_verbose", "-status_url", "http://localhost:${ocsp_port}/ocsp");
|
||||
my $s_server_pid = open3(my $s_server_i, my $s_server_o, my $s_server_e = gensym, $shlib_wrap, $apps_openssl, @s_server_cmd);
|
||||
|
||||
# ACCEPT 0.0.0.0:45921
|
||||
# ACCEPT [::]:45921
|
||||
$port = "0";
|
||||
while (<$s_server_o>) {
|
||||
print($_);
|
||||
chomp;
|
||||
if (/^ACCEPT 0.0.0.0:(\d+)/) {
|
||||
$port = $1;
|
||||
last;
|
||||
} elsif (/^ACCEPT \[::\]:(\d+)/) {
|
||||
$port = $1;
|
||||
last;
|
||||
} elsif (/^Using default/) {
|
||||
;
|
||||
} else {
|
||||
last;
|
||||
}
|
||||
}
|
||||
ok($port ne "0", "s_server port check");
|
||||
my $server_port = $port;
|
||||
|
||||
print("s_server ready, listening on port $server_port\n");
|
||||
|
||||
# openssl s_client -connect localhost:45921 -status -verify_return_error
|
||||
my @s_client_cmd = ("s_client", "-connect", "localhost:$server_port", "-status", "-verify_return_error");
|
||||
my $s_client_pid = open3(my $s_client_i, my $s_client_o, my $s_client_e = gensym, $shlib_wrap, $apps_openssl, @s_client_cmd);
|
||||
|
||||
### the output from s_server that we want to check is written to its stderr
|
||||
### cert_status: ocsp response sent:
|
||||
|
||||
my $resp = 0;
|
||||
while (<$s_server_e>) {
|
||||
print($_);
|
||||
chomp;
|
||||
if (/^cert_status: ocsp response sent:/) {
|
||||
$resp = 1;
|
||||
last;
|
||||
} elsif (/^cert_status:/) {
|
||||
;
|
||||
} else {
|
||||
last;
|
||||
}
|
||||
}
|
||||
ok($resp == 1, "check s_server sent ocsp response");
|
||||
|
||||
waitpid($s_client_pid, 0);
|
||||
kill 'HUP', $s_server_pid, $ocsp_pid;
|
||||
}
|
||||
|
||||
run_test();
|
Loading…
Reference in New Issue