7 from dnsdisttests
import DNSDistTest
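class DNSDistOCSPStaplingTest(DNSDistTest):
    """Shared helpers for the OCSP stapling tests in this file.

    The helpers drive ``openssl s_client -status`` against a dnsdist TLS or
    DoH listener and pull the certificate serial out of the stapled OCSP
    response that s_client prints, so each test can check that a response is
    stapled and that a fresh one is served after a certificate reload.
    """

    @classmethod
    def checkOCSPStaplingStatus(cls, addr, port, serverName, caFile):
        """Run ``openssl s_client`` against ``addr:port`` and return its output.

        Parameters:
            addr, port: listener to connect to.
            serverName: value sent as SNI (``-servername``).
            caFile: CA bundle handed to s_client as ``-CAfile``; s_client
                verifies the presented chain against it.

        Returns:
            The combined stdout+stderr of s_client decoded as text. Because
            ``-status`` is passed, the stapled OCSP response (if the server
            sent one) is printed in there.

        Raises:
            AssertionError: if s_client exits with a non-zero status.
            OSError: if the ``openssl`` binary cannot be executed.

        NOTE(review): s_client only prints the stapled response, it does not
        verify its signature, and without ``-verify_return_error`` a chain
        verification failure does not make it exit non-zero either. Callers
        that need those guarantees have to assert on the relevant output
        lines themselves (for the chain, ``'Verify return code: 0 (ok)'``).
        """
        # Argument list, never a shell string: the server name and the paths
        # are passed to openssl verbatim and are not interpreted by a shell.
        testcmd = ['openssl', 's_client', '-CAfile', caFile,
                   '-connect', '%s:%d' % (addr, port),
                   '-status', '-servername', serverName]
        process = subprocess.Popen(testcmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE,
                                   stderr=subprocess.STDOUT, close_fds=True)
        # The pipes are binary, so feed bytes. Empty input closes stdin right
        # away, which makes s_client exit once the handshake is done instead
        # of waiting for interactive input; communicate() then reaps it.
        output, _ = process.communicate(input=b'')
        # Popen()/communicate() never raise CalledProcessError (only the
        # check_*/run(check=True) helpers do), so the exit status must be
        # checked explicitly. Otherwise a broken s_client invocation surfaces
        # later as a confusing assertIn() miss instead of this message.
        if process.returncode != 0:
            raise AssertionError('openssl s_client failed (%d): %s'
                                 % (process.returncode, output.decode(errors='replace')))
        return output.decode()

    @classmethod
    def getOCSPSerial(cls, output):
        """Return the value of the first ``Serial Number:`` line in *output*.

        *output* is the text returned by checkOCSPStaplingStatus(); with
        ``-status`` the stapled OCSP response is dumped there and names the
        serial of the certificate it covers. The returned value is the text
        after the colon with surrounding whitespace removed, so two results
        can be compared directly. Returns ``None`` when no such line exists,
        which lets callers fail with assertTrue() rather than a NameError.
        """
        for line in output.splitlines():
            # The line is indented inside s_client's OCSP dump, so match on
            # the stripped text.
            stripped = line.strip()
            if stripped.startswith('Serial Number:'):
                # partition() tolerates additional colons; unpacking
                # str.split(':') would raise ValueError on them.
                return stripped.partition(':')[2].strip()
        return None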
35 @unittest.skipIf('SKIP_DOH_TESTS' in os
.environ
, 'DNS over HTTPS tests are disabled')
36 class TestOCSPStaplingDOH(DNSDistOCSPStaplingTest
):
# Console key pair: generated once per test class, base64 for the Lua config.
_consoleKey = DNSDistTest.generateConsoleKey()
_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
# TLS fixtures served by the DoH listener under test.
_serverKey = 'server.key'
_serverCert = 'server.chain'
_serverName = 'tls.tests.dnsdist.org'
# File written by generateOCSPResponse() and stapled from by the listener.
_ocspFile = 'server.ocsp'
# dnsdist Lua configuration; every %s is filled from _config_params, in order.
_config_template = """
    newServer{address="127.0.0.1:%s"}
    controlSocket("127.0.0.1:%s")
    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addDOHLocal("127.0.0.1:%s", "%s", "%s", { "/" }, { ocspResponses={"%s"}})
"""
# NOTE(review): as rendered here the template has ten %s slots while
# _config_params names eleven values, so the two cannot line up as shown (by
# name, _consoleKeyB64 is the value without a slot). A template line may have
# been dropped from this listing; confirm against the repository before
# changing either side.
_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_dohServerPort', '_serverCert', '_serverKey', '_ocspFile']
61 # for some reason, @unittest.skipIf() is not applied to derived classes with some versions of Python
62 if 'SKIP_DOH_TESTS' in os
.environ
:
63 raise unittest
.SkipTest('DNS over HTTPS tests are disabled')
69 print("Launching tests..")
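def testOCSPStapling(self):
    """
    OCSP Stapling: DoH

    Connects to the DoH listener and checks that the OCSP response generated
    at startup is stapled, then regenerates the certificate/key pair and the
    OCSP response through the console, reloads, and checks that the stapled
    response now names a different certificate serial.

    What is asserted: the response status field reads ``successful`` and the
    serial in the stapled response changed across the reload. What is not:
    chain verification against _caCert and the OCSP signature (s_client only
    prints the response). NOTE(review): adding
    ``self.assertIn('Verify return code: 0 (ok)', output)`` after each
    connection would also pin chain verification; confirm the fixture chain
    verifies cleanly against _caCert before enabling it.
    """
    output = self.checkOCSPStaplingStatus('127.0.0.1', self._dohServerPort, self._serverName, self._caCert)
    self.assertIn('OCSP Response Status: successful (0x0)', output)
    serialNumber = self.getOCSPSerial(output)
    self.assertTrue(serialNumber)

    # Rotate the certificate, re-issue the OCSP response for it with the same
    # test CA, and make dnsdist pick both up. The formatted values are fixture
    # paths fixed on the class, not untrusted input.
    self.generateNewCertificateAndKey()
    self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
    self.sendConsoleCommand("reloadAllCertificates()")

    output = self.checkOCSPStaplingStatus('127.0.0.1', self._dohServerPort, self._serverName, self._caCert)
    self.assertIn('OCSP Response Status: successful (0x0)', output)
    serialNumber2 = self.getOCSPSerial(output)
    self.assertTrue(serialNumber2)
    # A freshly generated certificate is expected to carry a new serial, so a
    # stapled response that still shows the old one means the reload did not
    # take. assertNotEquals is a deprecated alias removed in Python 3.12.
    self.assertNotEqual(serialNumber, serialNumber2)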
91 class TestOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest
):
# Console key pair: generated once per test class, base64 for the Lua config.
_consoleKey = DNSDistTest.generateConsoleKey()
_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
# TLS fixtures served by the listener under test.
_serverKey = 'server.key'
_serverCert = 'server.chain'
_serverName = 'tls.tests.dnsdist.org'
# File written by generateOCSPResponse() and stapled from by the listener.
_ocspFile = 'server.ocsp'
# Port the GnuTLS listener binds; the test connects to the same port.
_tlsServerPort = 8443
# dnsdist Lua configuration; every %s is filled from _config_params, in order.
_config_template = """
    newServer{address="127.0.0.1:%s"}
    controlSocket("127.0.0.1:%s")
    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
"""
# NOTE(review): as rendered here the template has ten %s slots while
# _config_params names eleven values, so the two cannot line up as shown (by
# name, _consoleKeyB64 is the value without a slot). A template line may have
# been dropped from this listing; confirm against the repository before
# changing either side.
_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
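def testOCSPStapling(self):
    """
    OCSP Stapling: TLS (GnuTLS)

    Connects to the GnuTLS listener and checks that the OCSP response
    generated at startup is stapled, then regenerates the certificate/key
    pair and the OCSP response through the console, reloads, and checks that
    the stapled response now names a different certificate serial.

    What is asserted: the response status field reads ``successful`` and the
    serial in the stapled response changed across the reload. What is not:
    chain verification against _caCert and the OCSP signature (s_client only
    prints the response). NOTE(review): adding
    ``self.assertIn('Verify return code: 0 (ok)', output)`` after each
    connection would also pin chain verification; confirm the fixture chain
    verifies cleanly against _caCert before enabling it.
    """
    output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
    self.assertIn('OCSP Response Status: successful (0x0)', output)
    serialNumber = self.getOCSPSerial(output)
    self.assertTrue(serialNumber)

    # Rotate the certificate, re-issue the OCSP response for it with the same
    # test CA, and make dnsdist pick both up. The formatted values are fixture
    # paths fixed on the class, not untrusted input.
    self.generateNewCertificateAndKey()
    self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
    self.sendConsoleCommand("reloadAllCertificates()")

    output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
    self.assertIn('OCSP Response Status: successful (0x0)', output)
    serialNumber2 = self.getOCSPSerial(output)
    self.assertTrue(serialNumber2)
    # A freshly generated certificate is expected to carry a new serial, so a
    # stapled response that still shows the old one means the reload did not
    # take. assertNotEquals is a deprecated alias removed in Python 3.12.
    self.assertNotEqual(serialNumber, serialNumber2)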
133 class TestOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest
):
# Console key pair: generated once per test class, base64 for the Lua config.
_consoleKey = DNSDistTest.generateConsoleKey()
_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
# TLS fixtures served by the listener under test.
_serverKey = 'server.key'
_serverCert = 'server.chain'
_serverName = 'tls.tests.dnsdist.org'
# File written by generateOCSPResponse() and stapled from by the listener.
_ocspFile = 'server.ocsp'
# Port the OpenSSL listener binds; the test connects to the same port.
_tlsServerPort = 8443
# dnsdist Lua configuration; every %s is filled from _config_params, in order.
_config_template = """
    newServer{address="127.0.0.1:%s"}
    controlSocket("127.0.0.1:%s")
    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
"""
# NOTE(review): as rendered here the template has ten %s slots while
# _config_params names eleven values, so the two cannot line up as shown (by
# name, _consoleKeyB64 is the value without a slot). A template line may have
# been dropped from this listing; confirm against the repository before
# changing either side.
_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
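def testOCSPStapling(self):
    """
    OCSP Stapling: TLS (OpenSSL)

    Connects to the OpenSSL listener and checks that the OCSP response
    generated at startup is stapled, then regenerates the certificate/key
    pair and the OCSP response through the console, reloads, and checks that
    the stapled response now names a different certificate serial.

    What is asserted: the response status field reads ``successful`` and the
    serial in the stapled response changed across the reload. What is not:
    chain verification against _caCert and the OCSP signature (s_client only
    prints the response). NOTE(review): adding
    ``self.assertIn('Verify return code: 0 (ok)', output)`` after each
    connection would also pin chain verification; confirm the fixture chain
    verifies cleanly against _caCert before enabling it.
    """
    output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
    self.assertIn('OCSP Response Status: successful (0x0)', output)
    serialNumber = self.getOCSPSerial(output)
    self.assertTrue(serialNumber)

    # Rotate the certificate, re-issue the OCSP response for it with the same
    # test CA, and make dnsdist pick both up. The formatted values are fixture
    # paths fixed on the class, not untrusted input.
    self.generateNewCertificateAndKey()
    self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
    self.sendConsoleCommand("reloadAllCertificates()")

    output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
    self.assertIn('OCSP Response Status: successful (0x0)', output)
    serialNumber2 = self.getOCSPSerial(output)
    self.assertTrue(serialNumber2)
    # A freshly generated certificate is expected to carry a new serial, so a
    # stapled response that still shows the old one means the reload did not
    # take. assertNotEquals is a deprecated alias removed in Python 3.12.
    self.assertNotEqual(serialNumber, serialNumber2)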