7 from dnsdisttests
import DNSDistTest
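class DNSDistOCSPStaplingTest(DNSDistTest):
    """Shared helpers for the OCSP stapling regression tests.

    Subclasses supply the dnsdist configuration (a TLS or DoH frontend with
    ``ocspResponses``) and use the helpers below to confirm that a stapled
    response is really handed to clients, and that it is refreshed when the
    certificate is regenerated and reloaded.
    """

    @classmethod
    def checkOCSPStaplingStatus(cls, addr, port, serverName, caFile):
        """Run ``openssl s_client -status`` against a frontend and return its output.

        Args:
            addr: address of the dnsdist frontend to connect to.
            port: TCP port of that frontend (formatted with ``%d``, so an int).
            serverName: SNI name sent in the ClientHello, so the frontend
                picks the certificate under test.
            caFile: CA bundle passed to ``-CAfile`` so the served chain verifies.

        Returns:
            The decoded, combined stdout/stderr of ``s_client``; callers look
            for the ``OCSP Response Status`` and ``Serial Number`` lines in it.

        Raises:
            AssertionError: if ``openssl`` cannot be started, or exits with a
                non-zero status; the captured output is included in the message.
        """
        # argv list, no shell: addr/serverName/caFile are passed as-is and
        # never interpolated into a command string.
        testcmd = ['openssl', 's_client', '-CAfile', caFile,
                   '-connect', '%s:%d' % (addr, port),
                   '-status', '-servername', serverName]
        try:
            process = subprocess.Popen(testcmd, stdout=subprocess.PIPE,
                                       stdin=subprocess.PIPE,
                                       stderr=subprocess.STDOUT,
                                       close_fds=True)
        except OSError as exc:
            # e.g. the openssl binary is missing from PATH; surface it as a
            # test failure with a readable message instead of a bare OSError.
            raise AssertionError('openssl s_client failed to start: %s' % exc) from exc
        # Empty stdin is closed right away, so s_client gets EOF and exits
        # instead of waiting for interactive input after the handshake.
        output, _ = process.communicate(input=b'')
        # Popen/communicate never raise CalledProcessError (only the check_*
        # helpers do), so a failed s_client has to be detected from the exit
        # status explicitly — the original except clause was unreachable.
        if process.returncode != 0:
            raise AssertionError('openssl s_client failed (%d): %s' % (process.returncode, output.decode(errors='replace')))
        return output.decode()

    @classmethod
    def getOCSPSerial(cls, output):
        """Extract the serial number printed in the stapled OCSP response.

        Args:
            output: text returned by :meth:`checkOCSPStaplingStatus`.

        Returns:
            The value after the first ``Serial Number:`` label, with
            surrounding whitespace removed, or ``None`` when no such line is
            present (i.e. no OCSP response was stapled / printed).
        """
        for line in output.splitlines():
            # s_client indents the fields of the OCSP response block, so
            # strip before matching the label.
            stripped = line.strip()
            if stripped.startswith('Serial Number:'):
                # partition() tolerates a value that itself contains ':'
                # where split() would raise on the unpack.
                _, _, serial = stripped.partition(':')
                return serial.strip()
        return None

    def getTLSProvider(self):
        """Ask dnsdist which TLS library actually backs the first bind.

        Returns:
            The name reported by ``getEffectiveTLSProvider()`` on bind 0,
            with the trailing newline removed (the tests compare it against
            ``"gnutls"`` / ``"openssl"``).
        """
        return self.sendConsoleCommand("getBind(0):getEffectiveTLSProvider()").rstrip()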
@unittest.skipIf('SKIP_DOH_TESTS' in os.environ, 'DNS over HTTPS tests are disabled')
class TestOCSPStaplingDOH(DNSDistOCSPStaplingTest):
    """OCSP stapling on a DNS-over-HTTPS frontend (addDOHLocal)."""

    # The console key is generated per test class rather than hard-coded,
    # and handed to the config base64-encoded.
    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    # Certificate material the frontend serves; per the template below the
    # chain file is also the certificate generateOCSPResponse() answers for.
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    # NOTE(review): _caCert, _caKey and _dohServerPort are referenced by
    # _config_params and the test below but are not defined in this excerpt —
    # presumably inherited from DNSDistTest or on lines not shown; verify.
    # NOTE(review): _config_params lists 11 names but the template as shown
    # here carries only 10 %s placeholders; the line that receives
    # _consoleKeyB64 (between newServer and controlSocket) is not visible in
    # this excerpt — confirm against the full file.
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    controlSocket("127.0.0.1:%s")
    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addDOHLocal("127.0.0.1:%s", "%s", "%s", { "/" }, { ocspResponses={"%s"}})
    """
    # Positional values for the %s placeholders above, in template order.
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_dohServerPort', '_serverCert', '_serverKey', '_ocspFile']
64 # for some reason, @unittest.skipIf() is not applied to derived classes with some versions of Python
65 if 'SKIP_DOH_TESTS' in os
.environ
:
66 raise unittest
.SkipTest('DNS over HTTPS tests are disabled')
72 print("Launching tests..")
    def testOCSPStapling(self):
        """
        OCSP Stapling: DoH
        """
        def stapledSerial():
            # Fetch the handshake transcript from the DoH frontend, require a
            # parseable stapled OCSP response ('successful (0x0)' is the OCSP
            # responseStatus, not the certificate's revocation state), and
            # read the serial the response is about.
            transcript = self.checkOCSPStaplingStatus('127.0.0.1', self._dohServerPort, self._serverName, self._caCert)
            self.assertIn('OCSP Response Status: successful (0x0)', transcript)
            serial = self.getOCSPSerial(transcript)
            self.assertTrue(serial)
            return serial

        initialSerial = stapledSerial()

        # Swap in a fresh certificate/key, regenerate the OCSP response for it
        # and ask dnsdist to pick both up again.
        self.generateNewCertificateAndKey()
        regenerate = "generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile)
        self.sendConsoleCommand(regenerate)
        self.sendConsoleCommand("reloadAllCertificates()")

        # After the reload the staple must belong to the new certificate,
        # i.e. the old response must not be served stale.
        self.assertNotEqual(initialSerial, stapledSerial())
class TestOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest):
    """OCSP stapling on a DNS-over-TLS frontend backed by GnuTLS."""

    # The console key is generated per test class rather than hard-coded,
    # and handed to the config base64-encoded.
    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    # Certificate material the frontend serves; per the template below the
    # chain file is also the certificate generateOCSPResponse() answers for.
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    # NOTE(review): _caCert and _caKey are referenced by _config_params and
    # the test below but are not defined in this excerpt — presumably
    # inherited from DNSDistTest or on lines not shown; verify.
    _tlsServerPort = 8443
    # NOTE(review): _config_params lists 11 names but the template as shown
    # here carries only 10 %s placeholders; the line that receives
    # _consoleKeyB64 (between newServer and controlSocket) is not visible in
    # this excerpt — confirm against the full file.
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    controlSocket("127.0.0.1:%s")
    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
    """
    # Positional values for the %s placeholders above, in template order.
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
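    def testOCSPStapling(self):
        """
        OCSP Stapling: TLS (GnuTLS)
        """
        # First handshake: the frontend must staple a parseable OCSP
        # response for the initial certificate.
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        # 'successful (0x0)' is the OCSP responseStatus field, i.e. a
        # response was stapled and parsed; it says nothing about the
        # certificate's revocation state.
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        # assertEquals is a deprecated alias that no longer exists in
        # Python 3.12; use the canonical name.
        self.assertEqual(self.getTLSProvider(), "gnutls")

        serialNumber = self.getOCSPSerial(output)
        self.assertTrue(serialNumber)

        # Replace the certificate and key, regenerate the OCSP response for
        # the new certificate and reload, so we can check that the staple is
        # refreshed together with the certificate instead of going stale.
        self.generateNewCertificateAndKey()
        self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
        self.sendConsoleCommand("reloadAllCertificates()")

        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        serialNumber2 = self.getOCSPSerial(output)
        self.assertTrue(serialNumber2)
        # A different serial shows the response served now was generated for
        # the new certificate, not the old staple.
        self.assertNotEqual(serialNumber, serialNumber2)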
class TestOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest):
    """OCSP stapling on a DNS-over-TLS frontend backed by OpenSSL."""

    # The console key is generated per test class rather than hard-coded,
    # and handed to the config base64-encoded.
    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    # Certificate material the frontend serves; per the template below the
    # chain file is also the certificate generateOCSPResponse() answers for.
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    # NOTE(review): _caCert and _caKey are referenced by _config_params and
    # the test below but are not defined in this excerpt — presumably
    # inherited from DNSDistTest or on lines not shown; verify.
    _tlsServerPort = 8443
    # NOTE(review): _config_params lists 11 names but the template as shown
    # here carries only 10 %s placeholders; the line that receives
    # _consoleKeyB64 (between newServer and controlSocket) is not visible in
    # this excerpt — confirm against the full file.
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    controlSocket("127.0.0.1:%s")
    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
    """
    # Positional values for the %s placeholders above, in template order.
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
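    def testOCSPStapling(self):
        """
        OCSP Stapling: TLS (OpenSSL)
        """
        # Initial handshake against the OpenSSL-backed frontend: a stapled,
        # parseable OCSP response is required ('successful (0x0)' is the OCSP
        # responseStatus, not a statement about the certificate's revocation
        # state).
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        # assertEquals is a deprecated alias that no longer exists in
        # Python 3.12; use the canonical name.
        self.assertEqual(self.getTLSProvider(), "openssl")

        serialNumber = self.getOCSPSerial(output)
        self.assertTrue(serialNumber)

        # Rotate the certificate and key, regenerate the OCSP response for the
        # new certificate and reload everything, so the second handshake can
        # prove the staple was refreshed rather than served stale.
        self.generateNewCertificateAndKey()
        self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
        self.sendConsoleCommand("reloadAllCertificates()")

        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        serialNumber2 = self.getOCSPSerial(output)
        self.assertTrue(serialNumber2)
        # The serial in the new response must differ from the first one.
        self.assertNotEqual(serialNumber, serialNumber2)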