]>
git.ipfire.org Git - thirdparty/openssl.git/blob - test/recipes/82-test_ocsp_cert_chain.t
2 # Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
13 use OpenSSL
::Test qw
/:DEFAULT srctop_file bldtop_file/;
14 use OpenSSL
::Test
::Utils
;
17 my $test_name = "test_ocsp_cert_chain";
20 plan skip_all
=> "$test_name requires OCSP support"
22 plan skip_all
=> "$test_name requires EC cryptography"
24 plan skip_all
=> "$test_name requires sock enabled"
26 plan skip_all
=> "$test_name requires TLS enabled"
27 if alldisabled
(available_protocols
("tls"));
28 plan skip_all
=> "$test_name is not available Windows or VMS"
29 if $^O
=~ /^(VMS|MSWin32|msys)$/;
33 my $shlib_wrap = bldtop_file
("util", "shlib_wrap.sh");
34 my $apps_openssl = bldtop_file
("apps", "openssl");
36 my $index_txt = srctop_file
("test", "ocsp-tests", "index.txt");
37 my $ocsp_pem = srctop_file
("test", "ocsp-tests", "ocsp.pem");
38 my $intermediate_cert_pem = srctop_file
("test", "ocsp-tests", "intermediate-cert.pem");
40 my $server_pem = srctop_file
("test", "ocsp-tests", "server.pem");
44 # this test starts two servers that listen on respective ports.
45 # that can be problematic since the ports may not be available
46 # (e.g. when multiple instances of the test are run on the same
49 # to avoid this, we specify port 0 when staring each server, which
50 # causes the OS to provide a random unused port.
52 # using a random port with s_server is straightforward. doing so
53 # with the ocsp responder required some investigation because the
54 # url for the ocsp responder is usually included in the server's
55 # cert (normally, in the authority-information-access extension,
56 # and it would be complicated to change that when the test
57 # executes). however, s_server has an option "-status_url" that
58 # can be used to specify a fallback url when no url is specified
59 # in the cert. that is what we do here.
61 # openssl ocsp -port 0 -index index.txt -rsigner ocsp.pem -CA intermediate-cert.pem
62 my @ocsp_cmd = ("ocsp", "-port", "0", "-index", $index_txt, "-rsigner", $ocsp_pem, "-CA", $intermediate_cert_pem);
63 my $ocsp_pid = open3
(my $ocsp_i, my $ocsp_o, my $ocsp_e = gensym
, $shlib_wrap, $apps_openssl, @ocsp_cmd);
66 # ACCEPT 0.0.0.0:19254 PID=620007
68 # ACCEPT [::]:19254 PID=620007
73 if (/^ACCEPT 0.0.0.0:(\d+)/) {
76 } elsif (/^ACCEPT \[::\]:(\d+)/) {
83 ok
($port ne "0", "ocsp server port check");
84 my $ocsp_port = $port;
86 print("ocsp server ready, listening on port $ocsp_port\n");
88 # openssl s_server -accept 0 -naccept 1 \
89 # -cert server.pem -cert_chain intermediate-cert.pem \
90 # -status_verbose -status_url http://localhost:19254/ocsp
91 my @s_server_cmd = ("s_server", "-accept", "0", "-naccept", "1",
92 "-cert", $server_pem, "-cert_chain", $intermediate_cert_pem,
93 "-status_verbose", "-status_url", "http://localhost:${ocsp_port}/ocsp");
94 my $s_server_pid = open3
(my $s_server_i, my $s_server_o, my $s_server_e = gensym
, $shlib_wrap, $apps_openssl, @s_server_cmd);
96 # ACCEPT 0.0.0.0:45921
99 while (<$s_server_o>) {
102 if (/^ACCEPT 0.0.0.0:(\d+)/) {
105 } elsif (/^ACCEPT \[::\]:(\d+)/) {
108 } elsif (/^Using default/) {
114 ok
($port ne "0", "s_server port check");
115 my $server_port = $port;
117 print("s_server ready, listening on port $server_port\n");
119 # openssl s_client -connect localhost:45921 -status -verify_return_error
120 my @s_client_cmd = ("s_client", "-connect", "localhost:$server_port", "-status", "-verify_return_error");
121 my $s_client_pid = open3
(my $s_client_i, my $s_client_o, my $s_client_e = gensym
, $shlib_wrap, $apps_openssl, @s_client_cmd);
123 waitpid($s_client_pid, 0);
124 kill 'HUP', $s_server_pid, $ocsp_pid;
126 ### the output from s_server that we want to check is written to its stderr
127 ### cert_status: ocsp response sent:
130 while (<$s_server_e>) {
133 if (/^cert_status: ocsp response sent:/) {
138 ok
($resp == 1, "check s_server sent ocsp response");