path: root/tests/ocsp-tests/ocsp-must-staple-connection
Diffstat (limited to 'tests/ocsp-tests/ocsp-must-staple-connection')
-rwxr-xr-xtests/ocsp-tests/ocsp-must-staple-connection111
1 files changed, 110 insertions, 1 deletions
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection
index 49c355dda3..55d718ddf0 100755
--- a/tests/ocsp-tests/ocsp-must-staple-connection
+++ b/tests/ocsp-tests/ocsp-must-staple-connection
@@ -26,6 +26,7 @@ GNUTLS_CLI="${GNUTLS_CLI:-../src/gnutls-cli${EXEEXT}}"
DIFF="${DIFF:-diff}"
TEMPLATE_FILE="ms-out.$$.tmpl.tmp"
SERVER_CERT_FILE="ms-cert.$$.pem.tmp"
+SERVER_CERT_NO_EXT_FILE="ms-cert-no-ext.$$.pem.tmp"
OCSP_RESPONSE_FILE="ms-resp.$$.tmp"
OCSP_REQ_FILE="ms-req.$$.tmp"
@@ -86,6 +87,7 @@ stop_servers ()
test -z "${TLS_SERVER_PID}" || kill "${TLS_SERVER_PID}"
rm -f "$TEMPLATE_FILE"
rm -f "$SERVER_CERT_FILE"
+ rm -f "$SERVER_CERT_NO_EXT_FILE"
rm -f "$OCSP_RESPONSE_FILE"
rm -f "$OCSP_REQ_FILE"
}
@@ -97,13 +99,21 @@ rm -f "$TEMPLATE_FILE"
cp "${srcdir}/ocsp-tests/certs/server_good.template" "$TEMPLATE_FILE"
chmod u+w "$TEMPLATE_FILE"
echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
-echo "tls_feature = 5" >>"$TEMPLATE_FILE"
# Generate certificates with the random port
datefudge -s "${CERTDATE}" ${CERTTOOL} \
--generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
--load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
--load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
+ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_NO_EXT_FILE}" 2>/dev/null
+
+# Generate certificates with the random port (with mandatory stapling extension)
+echo "tls_feature = 5" >>"$TEMPLATE_FILE"
+
+datefudge -s "${CERTDATE}" ${CERTTOOL} \
+ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
+ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
+ --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
--template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null
echo "=== Bringing OCSP server up ==="
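Review bot: The first certtool invocation now produces the certificate that Test 8 depends on, but its stderr is discarded and its exit status is not checked, so a failed generation (missing datefudge, bad template) only surfaces later as an unrelated gnutls-serv start-up failure for `${SERVER_CERT_NO_EXT_FILE}`; the second invocation has the same pre-existing gap. Append a status check to the new line, e.g. `--template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_NO_EXT_FILE}" 2>/dev/null || { echo "failed to generate ${SERVER_CERT_NO_EXT_FILE}"; exit 1; }`, and the same for the `${SERVER_CERT_FILE}` call. The comment above the first call still reads `# Generate certificates with the random port`; now that `tls_feature = 5` is appended only afterwards, `# Generate certificate with the random port (without the TLS feature extension)` would make the distinction between the two certificates explicit for the reader.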
@@ -392,6 +402,105 @@ kill "${TLS_SERVER_PID}"
wait "${TLS_SERVER_PID}"
unset TLS_SERVER_PID
+echo "=== Test 7: OSCP response error - client doesn't send status_request ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+ datefudge "${TESTDATE}" \
+ "${GNUTLS_SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${GNUTLS_CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response failed"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 8: OSCP response error - client sends status_request, no TLS feature extension ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+ datefudge "${TESTDATE}" \
+ "${GNUTLS_SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_NO_EXT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response failed"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
+echo "=== Test 9: OSCP response error - client sends status_request, TLS feature extension present ==="
+
+eval "${GETPORT}"
+# Port for gnutls-serv
+TLS_SERVER_PORT=$PORT
+PORT=${TLS_SERVER_PORT}
+launch_bare_server $$ \
+ datefudge "${TESTDATE}" \
+ "${GNUTLS_SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+TLS_SERVER_PID="${!}"
+wait_server $TLS_SERVER_PID
+
+wait_for_port "${TLS_SERVER_PORT}"
+
+echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${GNUTLS_CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+rc=$?
+
+if test "${rc}" = "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response unexpectedly succeeded"
+ exit ${rc}
+fi
+
+kill "${TLS_SERVER_PID}"
+wait "${TLS_SERVER_PID}"
+unset TLS_SERVER_PID
+
kill ${OCSP_PID}
wait ${OCSP_PID}
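Review bot: Test 9 is the negative case, but its failure branch `if test "${rc}" = "0"; then ... exit ${rc}` exits with the very `rc` it just found to be 0, so if the client accepts a must-staple certificate together with an error OCSP response the script reports success and the harness records a pass; it should be `exit 1`. Tests 7 and 8 are unaffected since they exit with a non-zero `rc`. The three new banners also misspell the protocol as `OSCP` (`=== Test 7: OSCP response error ...`, `=== Test 8 ...`, `=== Test 9 ...`); `OCSP` would match the rest of the file. The trailing context of this hunk may continue past the visible end of the page.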