#!/bin/bash # ocsp-stapling.test ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if [ $? -eq 0 ]; then echo "TLS 1.2 or lower required" echo "Skipped" exit 0 fi WORKSPACE=`pwd` CERT_DIR="certs/ocsp" resume_port=0 ready_file1=`pwd`/wolf_ocsp_s2_readyF1$$ ready_file2=`pwd`/wolf_ocsp_s2_readyF2$$ ready_file3=`pwd`/wolf_ocsp_s2_readyF3$$ ready_file4=`pwd`/wolf_ocsp_s2_readyF4$$ ready_file5=`pwd`/wolf_ocsp_s2_readyF5$$ printf '%s\n' "ready file 1: $ready_file1" printf '%s\n' "ready file 2: $ready_file2" printf '%s\n' "ready file 3: $ready_file3" printf '%s\n' "ready file 4: $ready_file4" printf '%s\n' "ready file 5: $ready_file5" test_cnf="ocsp_s2.cnf" copy_originals() { cd $CERT_DIR cp intermediate1-ca-cert.pem bak-intermediate1-ca-cert.pem cp intermediate2-ca-cert.pem bak-intermediate2-ca-cert.pem cp intermediate3-ca-cert.pem bak-intermediate3-ca-cert.pem cp ocsp-responder-cert.pem bak-ocsp-responder-cert.pem cp root-ca-cert.pem bak-root-ca-cert.pem cp server1-cert.pem bak-server1-cert.pem cp server2-cert.pem bak-server2-cert.pem cp server3-cert.pem bak-server3-cert.pem cp server4-cert.pem bak-server4-cert.pem cp server5-cert.pem bak-server5-cert.pem cd $WORKSPACE } restore_originals() { cd $CERT_DIR mv bak-intermediate1-ca-cert.pem intermediate1-ca-cert.pem mv bak-intermediate2-ca-cert.pem intermediate2-ca-cert.pem mv bak-intermediate3-ca-cert.pem intermediate3-ca-cert.pem mv bak-ocsp-responder-cert.pem ocsp-responder-cert.pem mv bak-root-ca-cert.pem root-ca-cert.pem mv bak-server1-cert.pem server1-cert.pem mv bak-server2-cert.pem server2-cert.pem mv bak-server3-cert.pem server3-cert.pem mv bak-server4-cert.pem server4-cert.pem mv bak-server5-cert.pem server5-cert.pem } wait_for_readyFile(){ counter=0 while [ ! -s $1 -a "$counter" -lt 20 ]; do echo -e "waiting for ready file..." sleep 0.1 counter=$((counter+ 1)) done if test -e $1; then echo -e "found ready file, starting client..." else echo -e "NO ready file ending test..." exit 1 fi } remove_single_rF(){ if test -e $1; then printf '%s\n' "removing ready file: $1" rm $1 fi } #create a configure file for cert generation with the port 0 solution create_new_cnf() { copy_originals printf '%s\n' "Random Port Selected: $RPORTSELECTED" printf '%s\n' "#" > $test_cnf printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf printf '%s\n' "#" >> $test_cnf printf '%s\n' "" >> $test_cnf printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf printf '%s\n' "[ v3_req1 ]" >> $test_cnf printf '%s\n' "basicConstraints = CA:false" >> $test_cnf printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf printf '%s\n' "" >> $test_cnf printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf printf '%s\n' "[ v3_req2 ]" >> $test_cnf printf '%s\n' "basicConstraints = CA:false" >> $test_cnf printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$2" >> $test_cnf printf '%s\n' "" >> $test_cnf printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf printf '%s\n' "[ v3_req3 ]" >> $test_cnf printf '%s\n' "basicConstraints = CA:false" >> $test_cnf printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$3" >> $test_cnf printf '%s\n' "" >> $test_cnf printf '%s\n' "# Extensions for a typical CA" >> $test_cnf printf '%s\n' "[ v3_ca ]" >> $test_cnf printf '%s\n' "basicConstraints = CA:true" >> $test_cnf printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$4" >> $test_cnf printf '%s\n' "" >> $test_cnf printf '%s\n' "# OCSP extensions." >> $test_cnf printf '%s\n' "[ v3_ocsp ]" >> $test_cnf printf '%s\n' "basicConstraints = CA:false" >> $test_cnf printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf mv $test_cnf $CERT_DIR/$test_cnf cd $CERT_DIR CURR_LOC=`pwd` printf '%s\n' "echo now in $CURR_LOC" ./renewcerts-for-test.sh $test_cnf cd $WORKSPACE } remove_ready_file(){ if test -e $ready_file1; then printf '%s\n' "removing ready file: $ready_file1" rm $ready_file1 fi if test -e $ready_file2; then printf '%s\n' "removing ready file: $ready_file2" rm $ready_file2 fi if test -e $ready_file3; then printf '%s\n' "removing ready file: $ready_file3" rm $ready_file3 fi if test -e $ready_file4; then printf '%s\n' "removing ready file: $ready_file4" rm $ready_file4 fi if test -e $ready_file5; then printf '%s\n' "removing ready file: $ready_file5" rm $ready_file5 fi } cleanup() { for i in $(jobs -pr) do kill -s HUP "$i" done remove_ready_file rm $CERT_DIR/$test_cnf restore_originals } trap cleanup EXIT INT TERM HUP [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 # check if supported key size is large enough to handle 4096 bit RSA size=`./examples/client/client '-?' | grep "Max RSA key"` size=`echo ${size//[^0-9]/}` if [ ! -z "$size" ]; then printf 'check on max key size of %d ...' $size if [ $size -lt 4096 ]; then printf '%s\n' "4096 bit RSA keys not supported" exit 0 fi printf 'OK\n' fi #get four unique ports # 1: ./examples/server/server -R $ready_file1 -p $resume_port & wait_for_readyFile $ready_file1 if [ ! -f $ready_file1 ]; then printf '%s\n' "Failed to create ready file1: \"$ready_file1\"" exit 1 fi # 2: ./examples/server/server -R $ready_file2 -p $resume_port & wait_for_readyFile $ready_file2 if [ ! -f $ready_file2 ]; then printf '%s\n' "Failed to create ready file2: \"$ready_file2\"" exit 1 fi # 3: ./examples/server/server -R $ready_file3 -p $resume_port & wait_for_readyFile $ready_file3 if [ ! -f $ready_file3 ]; then printf '%s\n' "Failed to create ready file3: \"$ready_file3\"" exit 1 fi # 4: ./examples/server/server -R $ready_file4 -p $resume_port & wait_for_readyFile $ready_file4 if [ ! -f $ready_file4 ]; then printf '%s\n' "Failed to create ready file4: \"$ready_file4\"" exit 1 else RPORTSELECTED1=`cat $ready_file1` RPORTSELECTED2=`cat $ready_file2` RPORTSELECTED3=`cat $ready_file3` RPORTSELECTED4=`cat $ready_file4` printf '%s\n' "------------- PORTS ---------------" printf '%s' "Random ports selected: $RPORTSELECTED1 $RPORTSELECTED2" printf '%s\n' " $RPORTSELECTED3 $RPORTSELECTED4" printf '%s\n' "-----------------------------------" # Use client connections to cleanly shutdown the servers ./examples/client/client -p $RPORTSELECTED1 ./examples/client/client -p $RPORTSELECTED2 ./examples/client/client -p $RPORTSELECTED3 ./examples/client/client -p $RPORTSELECTED4 create_new_cnf $RPORTSELECTED1 $RPORTSELECTED2 $RPORTSELECTED3 \ $RPORTSELECTED4 fi sleep 1 # setup ocsp responders # OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! openssl ocsp -port $RPORTSELECTED1 -nmin 1 \ -index certs/ocsp/index-ca-and-intermediate-cas.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ -CA certs/ocsp/root-ca-cert.pem \ $@ \ & # OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! openssl ocsp -port $RPORTSELECTED2 -nmin 1 \ -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ -CA certs/ocsp/intermediate2-ca-cert.pem \ $@ \ & # OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh & # NEW: openssl isn't being cleaned up, invoke directly in script for cleanup # purposes! openssl ocsp -port $RPORTSELECTED3 -nmin 1 \ -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ -CA certs/ocsp/intermediate3-ca-cert.pem \ $@ \ & sleep 1 # "jobs" is not portable for posix. Must use bash interpreter! [ $(jobs -r | wc -l) -ne 3 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0 printf '\n\n%s\n\n' "All OCSP responders started successfully!" printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------" # client test against our own server - GOOD CERTS ./examples/server/server -c certs/ocsp/server3-cert.pem \ -k certs/ocsp/server3-key.pem -R $ready_file5 \ -p $resume_port & wait_for_readyFile $ready_file5 CLI_PORT=`cat $ready_file5` ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \ -p $CLI_PORT RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "TEST CASE 2 DISABLED PENDING REVIEW" #printf '%s\n\n' "------------- TEST CASE 2 SHOULD PASS ------------------------" #remove_single_rF $ready_file5 #./examples/server/server -c certs/ocsp/server3-cert.pem \ # -k certs/ocsp/server3-key.pem -R $ready_file5 \ # -p $resume_port & #wait_for_readyFile $ready_file5 #CLI_PORT=`cat $ready_file5` #./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ # -p $CLI_PORT #RESULT=$? #[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1 #printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------" # client test against our own server - REVOKED SERVER CERT remove_single_rF $ready_file5 ./examples/server/server -c certs/ocsp/server4-cert.pem \ -k certs/ocsp/server4-key.pem -R $ready_file5 \ -p $resume_port & wait_for_readyFile $ready_file5 CLI_PORT=`cat $ready_file5` ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \ -p $CLI_PORT RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ----------------------" remove_single_rF $ready_file5 ./examples/server/server -c certs/ocsp/server4-cert.pem \ -k certs/ocsp/server4-key.pem -R $ready_file5 \ -p $resume_port & sleep 1 CLI_PORT=`cat $ready_file5` ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ -p $CLI_PORT RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ------------------------" # client test against our own server - REVOKED INTERMEDIATE CERT remove_single_rF $ready_file5 ./examples/server/server -c certs/ocsp/server5-cert.pem \ -k certs/ocsp/server5-key.pem -R $ready_file5 \ -p $resume_port & wait_for_readyFile $ready_file5 CLI_PORT=`cat $ready_file5` ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \ -p $CLI_PORT RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed $RESULT" && exit 1 printf '%s\n\n' "Test PASSED!" printf '%s\n\n' "------------- TEST CASE 6 SHOULD REVOKE ----------------------" remove_single_rF $ready_file5 ./examples/server/server -c certs/ocsp/server5-cert.pem \ -k certs/ocsp/server5-key.pem -R $ready_file5 \ -p $resume_port & wait_for_readyFile $ready_file5 CLI_PORT=`cat $ready_file5` ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ -p $CLI_PORT RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "------------- TEST CASE 7 LOAD CERT IN SSL -------------------" remove_single_rF $ready_file5 ./examples/server/server -c certs/ocsp/server1-cert.pem \ -k certs/ocsp/server1-key.pem -R $ready_file5 \ -p $resume_port -H loadSSL & wolf_pid=$! wait_for_readyFile $ready_file5 CLI_PORT=`cat $ready_file5` echo "test connection" | openssl s_client -status -connect 127.0.0.1:$CLI_PORT -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1 wait $wolf_pid if [ $? -ne 0 ]; then printf '%s\n' "Unexpected server result" exit 1 fi printf '%s\n\n' "Test successful" printf '%s\n\n' "------------- TEST CASE 8 SHOULD REVOKE ----------------------" remove_single_rF $ready_file5 ./examples/server/server -c certs/ocsp/server4-cert.pem \ -k certs/ocsp/server4-key.pem -R $ready_file5 \ -p $resume_port -H loadSSL & wolf_pid=$! sleep 1 CLI_PORT=`cat $ready_file5` ./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \ -p $CLI_PORT RESULT=$? [ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1 wait $wolf_pid if [ $? -ne 1 ]; then printf '%s\n' "Unexpected server result" exit 1 fi printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------" exit 0