diff options
Diffstat (limited to 'tests/ocsp-tests/ocsp-tls-connection.sh')
| -rwxr-xr-x | tests/ocsp-tests/ocsp-tls-connection.sh | 231 |
1 files changed, 231 insertions, 0 deletions
diff --git a/tests/ocsp-tests/ocsp-tls-connection.sh b/tests/ocsp-tests/ocsp-tls-connection.sh new file mode 100755 index 0000000..84eda22 --- /dev/null +++ b/tests/ocsp-tests/ocsp-tls-connection.sh @@ -0,0 +1,231 @@ +#!/bin/sh + +# Test case: Try to establish TLS connections with gnutls-cli and +# check the validity of the server certificate via OCSP +# +# Copyright (C) 2016 Thomas Klute +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +: ${srcdir=.} +: ${CERTTOOL=../src/certtool${EXEEXT}} +: ${OCSPTOOL=../src/ocsptool${EXEEXT}} +: ${SERV=../src/gnutls-serv${EXEEXT}} +: ${CLI=../src/gnutls-cli${EXEEXT}} +: ${DIFF=diff} +TEMPLATE_FILE="out.$$.tmpl.tmp" +SERVER_CERT_FILE="cert.$$.pem.tmp" + +if ! test -x "${CERTTOOL}"; then + exit 77 +fi + +if ! test -x "${OCSPTOOL}"; then + exit 77 +fi + +if ! test -x "${SERV}"; then + exit 77 +fi + +if ! test -x "${CLI}"; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi + +export TZ="UTC" + +. "${srcdir}/scripts/common.sh" + +skip_if_no_datefudge + +eval "${GETPORT}" +# Port for gnutls-serv +TLS_SERVER_PORT=$PORT + +# Port to use for OCSP server, must match the OCSP URI set in the +# server_*.pem certificates +eval "${GETPORT}" +OCSP_PORT=$PORT + +# Maximum timeout for server startup (OCSP and TLS) +SERVER_START_TIMEOUT=10 + +# Check for OpenSSL +: ${OPENSSL=openssl} +if ! ("$OPENSSL" version) > /dev/null 2>&1; then + echo "You need openssl to run this test." + exit 77 +fi + +CERTDATE="2016-04-28" +TESTDATE="2016-04-29" + +OCSP_PID="" +TLS_SERVER_PID="" +stop_servers () +{ + test -z "${OCSP_PID}" || kill "${OCSP_PID}" + test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}" + rm -f "$TEMPLATE_FILE" + rm -f "$SERVER_CERT_FILE" +} +trap stop_servers 1 15 2 EXIT + +echo "=== Generating good server certificate ===" + +rm -f "$TEMPLATE_FILE" +cp "${srcdir}/ocsp-tests/certs/server_good.template" "$TEMPLATE_FILE" +chmod u+w "$TEMPLATE_FILE" +echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE" + +# Generate certificates with the random port +datefudge -s "${CERTDATE}" ${CERTTOOL} \ + --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ + --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ + --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \ + --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null + +echo "=== Bringing OCSP server up ===" + +# Start OpenSSL OCSP server +# +# WARNING: As of version 1.0.2g, OpenSSL OCSP cannot bind the TCP port +# if started repeatedly in a short time, probably a lack of +# SO_REUSEADDR usage. +PORT=${OCSP_PORT} +launch_bare_server \ + datefudge "${TESTDATE}" \ + "${OPENSSL}" ocsp -index "${srcdir}/ocsp-tests/certs/ocsp_index.txt" -text \ + -port "${OCSP_PORT}" \ + -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \ + -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" \ + -CA "${srcdir}/ocsp-tests/certs/ca.pem" +OCSP_PID="${!}" +wait_server "${OCSP_PID}" + +echo "=== Verifying OCSP server is up ===" + +# Port probing (as done in wait_port) makes the OpenSSL OCSP server +# crash due to the "invalid request", so try proper requests +t=0 +while test "${t}" -lt "${SERVER_START_TIMEOUT}"; do + # Run a test request to make sure the server works + datefudge "${TESTDATE}" \ + ${VALGRIND} "${OCSPTOOL}" --ask \ + --load-cert "${SERVER_CERT_FILE}" \ + --load-issuer "${srcdir}/ocsp-tests/certs/ca.pem" + rc=$? + if test "${rc}" = "0"; then + break + else + t=`expr ${t} + 1` + sleep 1 + fi +done +# Fail if the final OCSP request failed +if test "${rc}" != "0"; then + echo "OCSP server check failed." + exit ${rc} +fi + +echo "=== Test 1: Server with valid certificate ===" + +PORT=${TLS_SERVER_PORT} +launch_bare_server \ + datefudge "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ + --port="${TLS_SERVER_PORT}" +TLS_SERVER_PID="${!}" +wait_server $TLS_SERVER_PID + +wait_for_port "${TLS_SERVER_PORT}" + +echo "test 123456" | \ + datefudge -s "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost +rc=$? + +if test "${rc}" != "0"; then + echo "Connecting to server with valid certificate failed." + exit ${rc} +fi + +kill "${TLS_SERVER_PID}" +wait "${TLS_SERVER_PID}" +unset TLS_SERVER_PID + +echo "=== Generating bad server certificate ===" + +rm -f "${SERVER_CERT_FILE}" +rm -f "${TEMPLATE_FILE}" +cp "${srcdir}/ocsp-tests/certs/server_bad.template" "$TEMPLATE_FILE" +echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE" + +# Generate certificates with the random port +datefudge -s "${CERTDATE}" ${CERTTOOL} \ + --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ + --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ + --load-privkey "${srcdir}/ocsp-tests/certs/server_bad.key" \ + --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" + +echo "=== Test 2: Server with revoked certificate ===" + +eval "${GETPORT}" +TLS_SERVER_PORT=$PORT + +launch_bare_server \ + datefudge "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_bad.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ + --port="${TLS_SERVER_PORT}" +TLS_SERVER_PID="${!}" +wait_server ${TLS_SERVER_PID} +wait_for_port "${TLS_SERVER_PORT}" + +echo "test 123456" | \ + datefudge -s "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost +rc=$? + +kill "${TLS_SERVER_PID}" +wait "${TLS_SERVER_PID}" +unset TLS_SERVER_PID + +# This connection should not work because the certificate has been +# revoked. +if test "${rc}" = "0"; then + echo "Connecting to server with revoked certificate succeeded." + exit 1 +fi + +kill ${OCSP_PID} +wait ${OCSP_PID} +unset OCSP_PID + +rm -f "${SERVER_CERT_FILE}" +rm -f "${TEMPLATE_FILE}" + +exit 0 |