Elgato_dark/wolfssl
1
0
Fork 0
mirror of https://github.com/wolfSSL/wolfssl synced 2026-05-24 10:18:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
wolfssl/scripts/ocsp-stapling_tls13multi.test
Juliusz Sosinowicz 4578e1390f Implement OCSP responder 
OCSP Responder Core API:

- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM

Header Cleanup:

- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h

OCSP Responder Example (examples/ocsp_responder/):

- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client

Test Scripts (scripts/):

- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling

Certificate Infrastructure (certs/ocsp/):

- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions

Known Limitations (documented in src/ocsp.c header comment):

  - Single request/response per OCSP exchange only
  - Key-hash responder ID only (no name-based responder ID)
  - No singleExtensions support
2026-03-11 10:21:16 +01:00

522 lines
18 KiB
Bash
Executable file
Raw Permalink Blame History

#!/bin/bash
# ocsp-stapling_tls13multi.test
# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2
SCRIPT_DIR="$(dirname "$0")"
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
if [[ -z "${RETRIES_REMAINING-}" ]]; then
export RETRIES_REMAINING=2
fi
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
&& exit 1
if ./examples/client/client -? 2>&1 | grep "Client not compiled in!" ; then
echo 'skipping ocsp-stapling_tls13multi.test because client not compiled in.' 1>&2
exit 77
fi
if ./examples/server/server -? 2>&1 | grep "Server not compiled in!" ; then
echo 'skipping ocsp-stapling_tls13multi.test because server not compiled in.' 1>&2
exit 77
fi
if ! ./examples/client/client -V | grep -q 4; then
tls13=no
else
tls13=yes
fi
if ! ./examples/client/client -? 2>&1 | grep -q 'DTLSv1.3'; then
dtls13=no
else
dtls13=yes
fi
if [[ ("$tls13" == "no") && ("$dtls13" == "no") ]]; then
echo 'skipping ocsp-stapling_tls13multi.test because TLS1.3 is not available.' 1>&2
exit 77
fi
if ! ./examples/client/client -V | grep -q 4; then
tls13=no
echo 'skipping ocsp-stapling_tls13multi.test because TLS1.3 is not available.' 1>&2
exit 77
else
tls13=yes
fi
if openssl s_server -help 2>&1 | grep -F -q -i ipv6 && nc -h 2>&1 | grep -F -q -i ipv6; then
IPV6_SUPPORTED=yes
else
IPV6_SUPPORTED=no
fi
if ./examples/client/client '-#' | grep -F -q -e ' -DTEST_IPV6 '; then
if [[ "$IPV6_SUPPORTED" == "no" ]]; then
echo 'Skipping IPV6 test in environment lacking IPV6 support.'
exit 77
fi
LOCALHOST='[::1]'
LOCALHOST_FOR_NC='-6 ::1'
else
LOCALHOST='127.0.0.1'
LOCALHOST_FOR_NC='127.0.0.1'
fi
PARENTDIR="$PWD"
# create a unique workspace directory ending in PID for the script instance ($$)
# to make this instance orthogonal to any others running, even on same repo.
# TCP ports are also carefully formed below from the PID, to minimize conflicts.
#WORKSPACE="${PARENTDIR}/workspace.pid$$"
#mkdir "${WORKSPACE}" || exit $?
# Use portable mktemp syntax that works on both Linux and macOS
WORKSPACE="$(mktemp -d "${PARENTDIR}"/wolfssl-ocsp-test.XXXXXX)"
cp -pR "${SCRIPT_DIR}"/../certs "${WORKSPACE}"/ || exit $?
cd "$WORKSPACE" || exit $?
ln -s ../examples .
CERT_DIR="certs/ocsp"
ready_file1="$WORKSPACE"/wolf_ocsp_tls13_readyF1$$
ready_file2="$WORKSPACE"/wolf_ocsp_tls13_readyF2$$
ready_file3="$WORKSPACE"/wolf_ocsp_tls13_readyF3$$
ready_file4="$WORKSPACE"/wolf_ocsp_tls13_readyF4$$
ready_file5="$WORKSPACE"/wolf_ocsp_tls13_readyF5$$
printf '%s\n' "ready file 1: $ready_file1"
printf '%s\n' "ready file 2: $ready_file2"
printf '%s\n' "ready file 3: $ready_file3"
printf '%s\n' "ready file 4: $ready_file4"
printf '%s\n' "ready file 5: $ready_file5"
test_cnf="ocsp_s2.cnf"
wait_for_readyFile(){
counter=0
while [ ! -s "$1" ] && [ "$counter" -lt 20 ]; do
if [[ -n "${2-}" ]]; then
if ! kill -0 "$2" 2>&-; then
echo "pid $2 for port ${3-} exited before creating ready file. bailing..."
exit 1
fi
fi
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e "$1"; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file at $1 -- ending test..."
exit 1
fi
}
remove_single_rF(){
if test -e "$1"; then
printf '%s\n' "removing ready file: $1"
rm "$1"
fi
}
#create a configure file for cert generation with the port 0 solution
create_new_cnf() {
echo "Random Ports Selected: $1 $2 $3 $4"
cat <<- EOF > "$test_cnf"
#
# openssl configuration file for OCSP certificates
#
# Extensions to add to a certificate request (intermediate1-ca)
[ v3_req1 ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1
# Extensions to add to a certificate request (intermediate2-ca)
[ v3_req2 ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$2
# Extensions to add to a certificate request (intermediate3-ca)
[ v3_req3 ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$3
# Extensions for a typical CA
[ v3_ca ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = keyCertSign, cRLSign
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$4
# OCSP extensions.
[ v3_ocsp ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
extendedKeyUsage = OCSPSigning
EOF
mv "$test_cnf" "$CERT_DIR/$test_cnf"
cd "$CERT_DIR" || exit
CURR_LOC="$PWD"
printf '%s\n' "echo now in $CURR_LOC"
./renewcerts-for-test.sh "$test_cnf"
cd "$WORKSPACE" || exit
}
remove_ready_file(){
if test -e "$ready_file1"; then
printf '%s\n' "removing ready file: $ready_file1"
rm "$ready_file1"
fi
if test -e "$ready_file2"; then
printf '%s\n' "removing ready file: $ready_file2"
rm "$ready_file2"
fi
if test -e "$ready_file3"; then
printf '%s\n' "removing ready file: $ready_file3"
rm "$ready_file3"
fi
if test -e "$ready_file4"; then
printf '%s\n' "removing ready file: $ready_file4"
rm "$ready_file4"
fi
if test -e "$ready_file5"; then
printf '%s\n' "removing ready file: $ready_file5"
rm "$ready_file5"
fi
}
cleanup()
{
exit_status=$?
for i in $(jobs -pr)
do
kill -s KILL "$i"
done
remove_ready_file
rm "$CERT_DIR/$test_cnf"
cd "$PARENTDIR" || return 1
rm -r "$WORKSPACE" || return 1
if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
echo "retrying..."
RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
exec "$0" "$@"
fi
}
trap cleanup EXIT INT TERM HUP
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# check if supported key size is large enough to handle 4096 bit RSA
size="$(./examples/client/client '-?' | grep "Max RSA key")"
size="${size//[^0-9]/}"
if [ -n "$size" ]; then
printf 'check on max key size of %d ...' "$size"
if [ "$size" -lt 4096 ]; then
printf '%s\n' "4096 bit RSA keys not supported"
exit 0
fi
printf 'OK\n'
fi
#get four unique ports
# choose consecutive ports based on the PID, skipping any that are
# already bound, to avoid the birthday problem in case other
# instances are sharing this host.
get_first_free_port() {
local ret="$1"
while :; do
if [[ "$ret" -ge 65536 ]]; then
ret=1024
fi
if ! nc -z ${LOCALHOST_FOR_NC} "$ret"; then
break
fi
ret=$((ret+1))
done
echo "$ret"
return 0
}
base_port=$((((($$ + RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
port1=$(get_first_free_port "$base_port")
port2=$(get_first_free_port $((port1 + 1)))
port3=$(get_first_free_port $((port2 + 1)))
port4=$(get_first_free_port $((port3 + 1)))
port5=$(get_first_free_port $((port4 + 1)))
# 1:
./examples/server/server -R "$ready_file1" -p "$port1" &
server_pid1=$!
wait_for_readyFile "$ready_file1" "$server_pid1" "$port1"
if [ ! -f "$ready_file1" ]; then
printf '%s\n' "Failed to create ready file1: \"$ready_file1\""
exit 1
fi
# 2:
./examples/server/server -R "$ready_file2" -p "$port2" &
server_pid2=$!
wait_for_readyFile "$ready_file2" "$server_pid2" "$port2"
if [ ! -f "$ready_file2" ]; then
printf '%s\n' "Failed to create ready file2: \"$ready_file2\""
exit 1
fi
# 3:
./examples/server/server -R "$ready_file3" -p "$port3" &
server_pid3=$!
wait_for_readyFile "$ready_file3" "$server_pid3" "$port3"
if [ ! -f "$ready_file3" ]; then
printf '%s\n' "Failed to create ready file3: \"$ready_file3\""
exit 1
fi
# 4:
./examples/server/server -R "$ready_file4" -p "$port4" &
server_pid4=$!
wait_for_readyFile "$ready_file4" "$server_pid4" "$port4"
if [ ! -f "$ready_file4" ]; then
printf '%s\n' "Failed to create ready file4: \"$ready_file4\""
exit 1
fi
printf '%s\n' "------------- PORTS ---------------"
printf '%s' "Random ports selected: $port1 $port2"
printf '%s\n' " $port3 $port4 $port5"
printf '%s\n' "-----------------------------------"
# Use client connections to cleanly shutdown the servers
./examples/client/client -p "$port1"
./examples/client/client -p "$port2"
./examples/client/client -p "$port3"
./examples/client/client -p "$port4"
create_new_cnf "$port1" "$port2" "$port3" \
"$port4"
sleep 0.1
# setup ocsp responders
# OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port "$port1" -nmin 1 \
-index certs/ocsp/index-ca-and-intermediate-cas.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/root-ca-cert.pem \
"$@" \
&
# OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port "$port2" -nmin 1 \
-index certs/ocsp/index-intermediate2-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate2-ca-cert.pem \
"$@" \
&
# OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port "$port3" -nmin 1 \
-index certs/ocsp/index-intermediate3-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate3-ca-cert.pem \
"$@" \
&
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
# purposes!
openssl ocsp -port "$port4" -nmin 1 \
-index certs/ocsp/index-ca-and-intermediate-cas.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/root-ca-cert.pem \
"$@" \
&
sleep 0.1
# "jobs" is not portable for posix. Must use bash interpreter!
[ "$(jobs -r | wc -l)" -ne 4 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
printf '\n\n%s\n\n' "All OCSP responders started successfully!"
if [ "$tls13" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
# client test against our own server - GOOD CERTS
./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R "$ready_file5" \
-p "$port5" -v 4 &
server_pid5=$!
wait_for_readyFile "$ready_file5" "$server_pid5" "$port5"
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
-p "$port5"
RESULT=$?
[ "$RESULT" -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE ----------------------"
# client test against our own server - REVOKED SERVER CERT
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R "$ready_file5" \
-p "$port5" -v 4 &
server_pid5=$!
wait_for_readyFile "$ready_file5" "$server_pid5" "$port5"
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
-p "$port5"
RESULT=$?
[ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------"
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R "$ready_file5" \
-p "$port5" &
sleep 0.1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
-p "$port5"
RESULT=$?
[ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ------------------------"
# client test against our own server - REVOKED INTERMEDIATE CERT
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R "$ready_file5" \
-p "$port5" -v 4 &
server_pid5=$!
wait_for_readyFile "$ready_file5" "$server_pid5" "$port5"
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
-p "$port5"
RESULT=$?
[ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 5 SHOULD REVOKE ----------------------"
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R "$ready_file5" \
-p "$port5" -v 4 &
server_pid5=$!
wait_for_readyFile "$ready_file5" "$server_pid5" "$port5"
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
-p "$port5"
RESULT=$?
[ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 6 LOAD CERT IN SSL -------------------"
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -R "$ready_file5" -v 4 \
-p "$port5" -H loadSSL &
server_pid5=$!
wait_for_readyFile "$ready_file5" "$server_pid5" "$port5"
echo "test connection" | openssl s_client -status -legacy_renegotiation -connect "${LOCALHOST}:$port5" -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
RESULT=$?
[ "$RESULT" -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1
if ! wait "$server_pid5"; then
printf '%s\n' "Unexpected server result"
exit 1
fi
printf '%s\n\n' "Test successful"
printf '%s\n\n' "------------- TEST CASE 7 SHOULD REVOKE ----------------------"
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R "$ready_file5" \
-p "$port5" -H loadSSL -v 4 &
server_pid5=$!
sleep 0.1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
-p "$port5"
RESULT=$?
[ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
wait "$server_pid5"
if [ $? -ne 1 ]; then
printf '%s\n' "Unexpected server result"
exit 1
fi
printf '%s\n\n' "Test successfully REVOKED!"
fi
if [ "$dtls13" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS ---------------"
# client test against our own server - GOOD CERTS
./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R "$ready_file5" \
-p "$port5" -u -v 4 &
server_pid5=$!
sleep 0.2
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -u -v 4 \
-p "$port5"
RESULT=$?
[ "$RESULT" -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE DTLS-2 SHOULD REVOKE --------------"
# client test against our own server - REVOKED SERVER CERT
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R "$ready_file5" \
-p "$port5" -v 4 &
server_pid5=$!
sleep 0.2
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 -v 4 \
-p "$port5"
RESULT=$?
[ "$RESULT" -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
printf '%s\n\n' "Test successfully REVOKED!"
fi
printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
exit 0
Reference in a new issue View git blame Copy permalink