security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

// This is a standalone server that delivers various stapled OCSP responses.
// The client is expected to connect, initiate an SSL handshake (with SNI
// to indicate which "server" to connect to), and verify the OCSP response.
// If all is good, the client then sends one encrypted byte and receives that
// same byte back.
// This server also has the ability to "call back" another process waiting on
// it. That is, when the server is all set up and ready to receive connections,
// it will connect to a specified port and issue a simple HTTP request.

#include <stdio.h>

#include "OCSPCommon.h"
#include "TLSServer.h"

using namespace mozilla;
using namespace mozilla::test;

const OCSPHost sOCSPHosts[] = {
    {"ocsp-stapling-good.example.com", ORTGood, nullptr, nullptr},
    {"ocsp-stapling-revoked.example.com", ORTRevoked, nullptr, nullptr},
    {"ocsp-stapling-revoked-old.example.com", ORTRevokedOld, nullptr, nullptr},
    {"ocsp-stapling-unknown.example.com", ORTUnknown, nullptr, nullptr},
    {"ocsp-stapling-unknown-old.example.com", ORTUnknownOld, nullptr, nullptr},
    {"ocsp-stapling-good-other.example.com", ORTGoodOtherCert,
     "ocspOtherEndEntity", nullptr},
    {"ocsp-stapling-good-other-ca.example.com", ORTGoodOtherCA, "other-test-ca",
     nullptr},
    {"ocsp-stapling-expired.example.com", ORTExpired, nullptr, nullptr},
    {"ocsp-stapling-expired-fresh-ca.example.com", ORTExpiredFreshCA, nullptr,
     nullptr},
    {"ocsp-stapling-none.example.com", ORTNone, nullptr, nullptr},
    {"ocsp-stapling-empty.example.com", ORTEmpty, nullptr, nullptr},
    {"ocsp-stapling-malformed.example.com", ORTMalformed, nullptr, nullptr},
    {"ocsp-stapling-srverr.example.com", ORTSrverr, nullptr, nullptr},
    {"ocsp-stapling-trylater.example.com", ORTTryLater, nullptr, nullptr},
    {"ocsp-stapling-needssig.example.com", ORTNeedsSig, nullptr, nullptr},
    {"ocsp-stapling-unauthorized.example.com", ORTUnauthorized, nullptr,
     nullptr},
    {"ocsp-stapling-with-intermediate.example.com", ORTGood, nullptr,
     "ocspEEWithIntermediate"},
    {"ocsp-stapling-bad-signature.example.com", ORTBadSignature, nullptr,
     nullptr},
    {"ocsp-stapling-skip-responseBytes.example.com", ORTSkipResponseBytes,
     nullptr, nullptr},
    {"ocsp-stapling-critical-extension.example.com", ORTCriticalExtension,
     nullptr, nullptr},
    {"ocsp-stapling-noncritical-extension.example.com", ORTNoncriticalExtension,
     nullptr, nullptr},
    {"ocsp-stapling-empty-extensions.example.com", ORTEmptyExtensions, nullptr,
     nullptr},
    {"ocsp-stapling-delegated-included.example.com", ORTDelegatedIncluded,
     "delegatedSigner", nullptr},
    {"ocsp-stapling-delegated-included-last.example.com",
     ORTDelegatedIncludedLast, "delegatedSigner", nullptr},
    {"ocsp-stapling-delegated-missing.example.com", ORTDelegatedMissing,
     "delegatedSigner", nullptr},
    {"ocsp-stapling-delegated-missing-multiple.example.com",
     ORTDelegatedMissingMultiple, "delegatedSigner", nullptr},
    {"ocsp-stapling-delegated-no-extKeyUsage.example.com", ORTDelegatedIncluded,
     "invalidDelegatedSignerNoExtKeyUsage", nullptr},
    {"ocsp-stapling-delegated-from-intermediate.example.com",
     ORTDelegatedIncluded, "invalidDelegatedSignerFromIntermediate", nullptr},
    {"ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
     ORTDelegatedIncluded, "invalidDelegatedSignerKeyUsageCrlSigning", nullptr},
    {"ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
     ORTDelegatedIncluded, "invalidDelegatedSignerWrongExtKeyUsage", nullptr},
    {"ocsp-stapling-ancient-valid.example.com", ORTAncientAlmostExpired,
     nullptr, nullptr},
    {"keysize-ocsp-delegated.example.com", ORTDelegatedIncluded,
     "rsa-1016-keysizeDelegatedSigner", nullptr},
    {"revoked-ca-cert-used-as-end-entity.example.com", ORTRevoked,
     "ca-used-as-end-entity", nullptr},
    {"ocsp-stapling-must-staple.example.com", ORTGood, nullptr,
     "must-staple-ee"},
    {"ocsp-stapling-must-staple-revoked.example.com", ORTRevoked, nullptr,
     "must-staple-ee"},
    {"ocsp-stapling-must-staple-missing.example.com", ORTNone, nullptr,
     "must-staple-ee"},
    {"ocsp-stapling-must-staple-empty.example.com", ORTEmpty, nullptr,
     "must-staple-ee"},
    {"ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", ORTGood,
     nullptr, "must-staple-ee-with-must-staple-int"},
    {"ocsp-stapling-plain-ee-with-must-staple-int.example.com", ORTGood,
     nullptr, "must-staple-missing-ee"},
    {"ocsp-stapling-must-staple-expired.example.com", ORTExpired, nullptr,
     "must-staple-ee"},
    {"ocsp-stapling-must-staple-try-later.example.com", ORTTryLater, nullptr,
     "must-staple-ee"},
    {"ocsp-stapling-must-staple-invalid-signer.example.com", ORTGoodOtherCA,
     "other-test-ca", "must-staple-ee"},
    {"multi-tls-feature-good.example.com", ORTNone, nullptr,
     "multi-tls-feature-good-ee"},
    {"multi-tls-feature-bad.example.com", ORTNone, nullptr,
     "multi-tls-feature-bad-ee"},
    {nullptr, ORTNull, nullptr, nullptr}};

int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
                          uint32_t aSrvNameArrSize, void* aArg) {
  const OCSPHost* host =
      GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sOCSPHosts);
  if (!host) {
    return SSL_SNI_SEND_ALERT;
  }

  if (gDebugLevel >= DEBUG_VERBOSE) {
    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
  }

  const char* certNickname =
      host->mServerCertName ? host->mServerCertName : DEFAULT_CERT_NICKNAME;

  UniqueCERTCertificate cert;
  SSLKEAType certKEA;
  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, certNickname, &cert,
                                                    &certKEA, nullptr)) {
    return SSL_SNI_SEND_ALERT;
  }

  // If the OCSP response type is "none", don't staple a response.
  if (host->mORT == ORTNone) {
    return 0;
  }

  UniquePLArenaPool arena(PORT_NewArena(1024));
  if (!arena) {
    PrintPRError("PORT_NewArena failed");
    return SSL_SNI_SEND_ALERT;
  }

  // response is contained by the arena - freeing the arena will free it
  SECItemArray* response = GetOCSPResponseForType(host->mORT, cert, arena,
                                                  host->mAdditionalCertName, 0);
  if (!response) {
    return SSL_SNI_SEND_ALERT;
  }

  // SSL_SetStapledOCSPResponses makes a deep copy of response
  SECStatus st = SSL_SetStapledOCSPResponses(aFd, response, certKEA);
  if (st != SECSuccess) {
    PrintPRError("SSL_SetStapledOCSPResponses failed");
    return SSL_SNI_SEND_ALERT;
  }

  return 0;
}

int main(int argc, char* argv[]) {
  return StartServer(argc, argv, DoSNISocketConfig, nullptr);
}