]>
Commit | Line | Data |
---|---|---|
cf842248 JM |
1 | #! /usr/bin/env perl |
2 | # Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. | |
3 | # | |
4 | # Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
10 | use warnings; | |
11 | ||
12 | use IPC::Open3; | |
13 | use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_file/; | |
14 | use OpenSSL::Test::Utils; | |
15 | use Symbol 'gensym'; | |
16 | ||
17 | my $test_name = "test_ocsp_cert_chain"; | |
18 | setup($test_name); | |
19 | ||
20 | plan skip_all => "$test_name requires OCSP support" | |
21 | if disabled("ocsp"); | |
22 | plan skip_all => "$test_name requires EC cryptography" | |
23 | if disabled("ec"); | |
24 | plan skip_all => "$test_name requires sock enabled" | |
25 | if disabled("sock"); | |
26 | plan skip_all => "$test_name requires TLS enabled" | |
27 | if alldisabled(available_protocols("tls")); | |
28 | plan skip_all => "$test_name is not available Windows or VMS" | |
29 | if $^O =~ /^(VMS|MSWin32|msys)$/; | |
30 | ||
31 | plan tests => 3; | |
32 | ||
33 | my $shlib_wrap = bldtop_file("util", "shlib_wrap.sh"); | |
34 | my $apps_openssl = bldtop_file("apps", "openssl"); | |
35 | ||
36 | my $index_txt = srctop_file("test", "ocsp-tests", "index.txt"); | |
37 | my $ocsp_pem = srctop_file("test", "ocsp-tests", "ocsp.pem"); | |
38 | my $intermediate_cert_pem = srctop_file("test", "ocsp-tests", "intermediate-cert.pem"); | |
39 | ||
40 | my $server_pem = srctop_file("test", "ocsp-tests", "server.pem"); | |
41 | ||
42 | sub run_test { | |
43 | ||
44 | # this test starts two servers that listen on respective ports. | |
45 | # that can be problematic since the ports may not be available | |
46 | # (e.g. when multiple instances of the test are run on the same | |
47 | # machine). | |
48 | ||
49 | # to avoid this, we specify port 0 when staring each server, which | |
50 | # causes the OS to provide a random unused port. | |
51 | ||
52 | # using a random port with s_server is straightforward. doing so | |
53 | # with the ocsp responder required some investigation because the | |
54 | # url for the ocsp responder is usually included in the server's | |
55 | # cert (normally, in the authority-information-access extension, | |
56 | # and it would be complicated to change that when the test | |
57 | # executes). however, s_server has an option "-status_url" that | |
58 | # can be used to specify a fallback url when no url is specified | |
59 | # in the cert. that is what we do here. | |
60 | ||
61 | # openssl ocsp -port 0 -index index.txt -rsigner ocsp.pem -CA intermediate-cert.pem | |
62 | my @ocsp_cmd = ("ocsp", "-port", "0", "-index", $index_txt, "-rsigner", $ocsp_pem, "-CA", $intermediate_cert_pem); | |
63 | my $ocsp_pid = open3(my $ocsp_i, my $ocsp_o, my $ocsp_e = gensym, $shlib_wrap, $apps_openssl, @ocsp_cmd); | |
64 | ||
65 | ## ipv4 | |
66 | # ACCEPT 0.0.0.0:19254 PID=620007 | |
67 | ## ipv6 | |
68 | # ACCEPT [::]:19254 PID=620007 | |
69 | my $port = "0"; | |
70 | while (<$ocsp_o>) { | |
71 | print($_); | |
72 | chomp; | |
73 | if (/^ACCEPT 0.0.0.0:(\d+)/) { | |
74 | $port = $1; | |
75 | last; | |
76 | } elsif (/^ACCEPT \[::\]:(\d+)/) { | |
77 | $port = $1; | |
78 | last; | |
79 | } else { | |
80 | last; | |
81 | } | |
82 | } | |
83 | ok($port ne "0", "ocsp server port check"); | |
84 | my $ocsp_port = $port; | |
85 | ||
86 | print("ocsp server ready, listening on port $ocsp_port\n"); | |
87 | ||
88 | # openssl s_server -accept 0 -cert server.pem -cert_chain intermediate-cert.pem \ | |
89 | # -status_verbose -status_url http://localhost:19254/ocsp | |
90 | my @s_server_cmd = ("s_server", "-accept", "0", "-cert", $server_pem, "-cert_chain", $intermediate_cert_pem, | |
91 | "-status_verbose", "-status_url", "http://localhost:${ocsp_port}/ocsp"); | |
92 | my $s_server_pid = open3(my $s_server_i, my $s_server_o, my $s_server_e = gensym, $shlib_wrap, $apps_openssl, @s_server_cmd); | |
93 | ||
94 | # ACCEPT 0.0.0.0:45921 | |
95 | # ACCEPT [::]:45921 | |
96 | $port = "0"; | |
97 | while (<$s_server_o>) { | |
98 | print($_); | |
99 | chomp; | |
100 | if (/^ACCEPT 0.0.0.0:(\d+)/) { | |
101 | $port = $1; | |
102 | last; | |
103 | } elsif (/^ACCEPT \[::\]:(\d+)/) { | |
104 | $port = $1; | |
105 | last; | |
106 | } elsif (/^Using default/) { | |
107 | ; | |
108 | } else { | |
109 | last; | |
110 | } | |
111 | } | |
112 | ok($port ne "0", "s_server port check"); | |
113 | my $server_port = $port; | |
114 | ||
115 | print("s_server ready, listening on port $server_port\n"); | |
116 | ||
117 | # openssl s_client -connect localhost:45921 -status -verify_return_error | |
118 | my @s_client_cmd = ("s_client", "-connect", "localhost:$server_port", "-status", "-verify_return_error"); | |
119 | my $s_client_pid = open3(my $s_client_i, my $s_client_o, my $s_client_e = gensym, $shlib_wrap, $apps_openssl, @s_client_cmd); | |
120 | ||
121 | ### the output from s_server that we want to check is written to its stderr | |
122 | ### cert_status: ocsp response sent: | |
123 | ||
124 | my $resp = 0; | |
125 | while (<$s_server_e>) { | |
126 | print($_); | |
127 | chomp; | |
128 | if (/^cert_status: ocsp response sent:/) { | |
129 | $resp = 1; | |
130 | last; | |
cf842248 JM |
131 | } |
132 | } | |
133 | ok($resp == 1, "check s_server sent ocsp response"); | |
134 | ||
135 | waitpid($s_client_pid, 0); | |
136 | kill 'HUP', $s_server_pid, $ocsp_pid; | |
137 | } | |
138 | ||
139 | run_test(); |