source-git / gnutls

Clone
Source Code
GIT

Files

  1.   991b9335accd7a7146e76367d8f0fd9fe77ccbcd
  2.   tests
  3.   ocsp-tests
  4.   ocsp-tls-connection
Blob Blame History Raw 
#!/bin/sh

# Test case: Try to establish TLS connections with gnutls-cli and
# check the validity of the server certificate via OCSP
#
# Copyright (C) 2016 Thomas Klute
#
# This file is part of GnuTLS.
#
# GnuTLS is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GnuTLS is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

srcdir="${srcdir:-.}"
CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
OCSPTOOL="${OCSPTOOL:-../src/ocsptool${EXEEXT}}"
GNUTLS_SERV="${GNUTLS_SERV:-../src/gnutls-serv${EXEEXT}}"
GNUTLS_CLI="${GNUTLS_CLI:-../src/gnutls-cli${EXEEXT}}"
DIFF="${DIFF:-diff}"
TEMPLATE_FILE="out.$$.tmpl.tmp"
SERVER_CERT_FILE="cert.$$.pem.tmp"

if ! test -x "${CERTTOOL}"; then
	exit 77
fi

if ! test -x "${OCSPTOOL}"; then
	exit 77
fi

if ! test -x "${GNUTLS_SERV}"; then
	exit 77
fi

if ! test -x "${GNUTLS_CLI}"; then
	exit 77
fi

if ! test -z "${VALGRIND}"; then
	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
fi

export TZ="UTC"

. "${srcdir}/scripts/common.sh"

check_for_datefudge

eval "${GETPORT}"
# Port for gnutls-serv
TLS_SERVER_PORT=$PORT

# Port to use for OCSP server, must match the OCSP URI set in the
# server_*.pem certificates
eval "${GETPORT}"
OCSP_PORT=$PORT

# Maximum timeout for server startup (OCSP and TLS)
SERVER_START_TIMEOUT=10

# Check for OpenSSL
OPENSSL=`which openssl`
if ! test -x "${OPENSSL}"; then
    echo "You need openssl to run this test."
    exit 77
fi

CERTDATE="2016-04-28"
TESTDATE="2016-04-29"

OCSP_PID=""
TLS_SERVER_PID=""
stop_servers ()
{
    test -z "${OCSP_PID}" || kill "${OCSP_PID}"
    test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}"
    rm -f "$TEMPLATE_FILE"
    rm -f "$SERVER_CERT_FILE"
}
trap stop_servers 1 15 2 EXIT

echo "=== Generating good server certificate ==="

rm -f "$TEMPLATE_FILE"
cp "${srcdir}/ocsp-tests/certs/server_good.template" "$TEMPLATE_FILE"
chmod u+w "$TEMPLATE_FILE"
echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"

# Generate certificates with the random port
datefudge -s "${CERTDATE}" ${CERTTOOL} \
	--generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
	--load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
	--load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
	--template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null

echo "=== Bringing OCSP server up ==="

# Start OpenSSL OCSP server
#
# WARNING: As of version 1.0.2g, OpenSSL OCSP cannot bind the TCP port
# if started repeatedly in a short time, probably a lack of
# SO_REUSEADDR usage.
PORT=${OCSP_PORT}
launch_bare_server $$ \
	  datefudge "${TESTDATE}" \
	  "${OPENSSL}" ocsp -index "${srcdir}/ocsp-tests/certs/ocsp_index.txt" -text \
	  -port "${OCSP_PORT}" \
	  -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \
	  -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" \
	  -CA "${srcdir}/ocsp-tests/certs/ca.pem"
OCSP_PID="${!}"
wait_server "${OCSP_PID}"

echo "=== Verifying OCSP server is up ==="

# Port probing (as done in wait_port) makes the OpenSSL OCSP server
# crash due to the "invalid request", so try proper requests
t=0
while test "${t}" -lt "${SERVER_START_TIMEOUT}"; do
    # Run a test request to make sure the server works
    datefudge "${TESTDATE}" \
	      ${VALGRIND} "${OCSPTOOL}" --ask \
	      --load-cert "${SERVER_CERT_FILE}" \
	      --load-issuer "${srcdir}/ocsp-tests/certs/ca.pem"
    rc=$?
    if test "${rc}" = "0"; then
	break
    else
	t=`expr ${t} + 1`
	sleep 1
    fi
done
# Fail if the final OCSP request failed
if test "${rc}" != "0"; then
    echo "OCSP server check failed."
    exit ${rc}
fi

echo "=== Test 1: Server with valid certificate ==="

PORT=${TLS_SERVER_PORT}
launch_bare_server $$ \
	  datefudge "${TESTDATE}" \
	  "${GNUTLS_SERV}" --echo --disable-client-cert \
	  --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
	  --x509certfile="${SERVER_CERT_FILE}" \
	  --port="${TLS_SERVER_PORT}"
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID

wait_for_port "${TLS_SERVER_PORT}"

echo "test 123456" | \
    datefudge -s "${TESTDATE}" \
	      "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
	      --port="${TLS_SERVER_PORT}" localhost
rc=$?

if test "${rc}" != "0"; then
    echo "Connecting to server with valid certificate failed."
    exit ${rc}
fi

kill "${TLS_SERVER_PID}"
wait "${TLS_SERVER_PID}"
unset TLS_SERVER_PID

echo "=== Generating bad server certificate ==="

rm -f "${SERVER_CERT_FILE}"
rm -f "${TEMPLATE_FILE}"
cp "${srcdir}/ocsp-tests/certs/server_bad.template" "$TEMPLATE_FILE"
echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"

# Generate certificates with the random port
datefudge -s "${CERTDATE}" ${CERTTOOL} \
	--generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
	--load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
	--load-privkey "${srcdir}/ocsp-tests/certs/server_bad.key" \
	--template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}"

echo "=== Test 2: Server with revoked certificate ==="

eval "${GETPORT}"
TLS_SERVER_PORT=$PORT

launch_bare_server $$ \
	  datefudge "${TESTDATE}" \
	  "${GNUTLS_SERV}" --echo --disable-client-cert \
	  --x509keyfile="${srcdir}/ocsp-tests/certs/server_bad.key" \
	  --x509certfile="${SERVER_CERT_FILE}" \
	  --port="${TLS_SERVER_PORT}"
TLS_SERVER_PID="${!}"
wait_server ${TLS_SERVER_PID}
wait_for_port "${TLS_SERVER_PORT}"

echo "test 123456" | \
    datefudge -s "${TESTDATE}" \
	      "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
	      --port="${TLS_SERVER_PORT}" localhost
rc=$?

kill "${TLS_SERVER_PID}"
wait "${TLS_SERVER_PID}"
unset TLS_SERVER_PID

# This connection should not work because the certificate has been
# revoked.
if test "${rc}" = "0"; then
    echo "Connecting to server with revoked certificate succeeded."
    exit 1
fi

kill ${OCSP_PID}
wait ${OCSP_PID}
unset OCSP_PID

rm -f "${SERVER_CERT_FILE}"
rm -f "${TEMPLATE_FILE}"

exit 0

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation