[thirdparty/pdns.git] / regression-tests.dnsdist / test_OCSP.py

#!/usr/bin/env python
import base64
import dns
import os
import subprocess
import unittest
from dnsdisttests import DNSDistTest, pickAvailablePort

class DNSDistOCSPStaplingTest(DNSDistTest):

    @classmethod
    def checkOCSPStaplingStatus(cls, addr, port, serverName, caFile):
        testcmd = ['openssl', 's_client', '-CAfile', caFile, '-connect', '%s:%d' % (addr, port), '-status', '-servername', serverName ]
        output = None
        try:
            process = subprocess.Popen(testcmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
            output = process.communicate(input='')
        except subprocess.CalledProcessError as exc:
            raise AssertionError('openssl s_client failed (%d): %s' % (exc.returncode, exc.output))

        return output[0].decode()

    @classmethod
    def getOCSPSerial(cls, output):
        serialNumber = None
        for line in output.splitlines():
            line = line.strip()
            print(line)
            if line.startswith('Serial Number:'):
                (_, serialNumber) = line.split(':')
                break

        return serialNumber

    def getTLSProvider(self):
        return self.sendConsoleCommand("getBind(0):getEffectiveTLSProvider()").rstrip()

    @classmethod
    def setUpClass(cls):
        cls.generateNewCertificateAndKey('server-ocsp')
        cls.startResponders()
        cls.startDNSDist()
        cls.setUpSockets()

@unittest.skipIf('SKIP_DOH_TESTS' in os.environ, 'DNS over HTTPS tests are disabled')
class TestOCSPStaplingDOH(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server-ocsp.key'
    _serverCert = 'server-ocsp.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    _caCert = 'ca.pem'
    _caKey = 'ca.key'
    _dohWithNGHTTP2ServerPort = pickAvailablePort()
    _dohWithH2OServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%d"}
    setKey("%s")
    controlSocket("127.0.0.1:%d")

    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='nghttp2'})
    addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='h2o'})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_dohWithNGHTTP2ServerPort', '_serverCert', '_serverKey', '_ocspFile', '_dohWithH2OServerPort', '_serverCert', '_serverKey', '_ocspFile']

    @classmethod
    def setUpClass(cls):

        # for some reason, @unittest.skipIf() is not applied to derived classes with some versions of Python
        if 'SKIP_DOH_TESTS' in os.environ:
            raise unittest.SkipTest('DNS over HTTPS tests are disabled')

        cls.generateNewCertificateAndKey('server-ocsp')
        cls.startResponders()
        cls.startDNSDist()
        cls.setUpSockets()

        print("Launching tests..")

    def testOCSPStapling(self):
        """
        OCSP Stapling: DOH
        """
        for port in [self._dohWithNGHTTP2ServerPort, self._dohWithH2OServerPort]:
            output = self.checkOCSPStaplingStatus('127.0.0.1', port, self._serverName, self._caCert)
            self.assertIn('OCSP Response Status: successful (0x0)', output)

            serialNumber = self.getOCSPSerial(output)
            self.assertTrue(serialNumber)

            self.generateNewCertificateAndKey('server-ocsp')
            self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
            self.sendConsoleCommand("reloadAllCertificates()")

            output = self.checkOCSPStaplingStatus('127.0.0.1', port, self._serverName, self._caCert)
            self.assertIn('OCSP Response Status: successful (0x0)', output)
            serialNumber2 = self.getOCSPSerial(output)
            self.assertTrue(serialNumber2)
            self.assertNotEqual(serialNumber, serialNumber2)

class TestBrokenOCSPStaplingDoH(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server-ocsp.key'
    _serverCert = 'server-ocsp.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    # invalid OCSP file!
    _ocspFile = '/dev/null'
    _dohWithNGHTTP2ServerPort = pickAvailablePort()
    _dohWithH2OServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='nghttp2'})
    addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='h2o'})

    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_dohWithNGHTTP2ServerPort', '_serverCert', '_serverKey', '_ocspFile', '_dohWithH2OServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testBrokenOCSPStapling(self):
        """
        OCSP Stapling: Broken (DoH)
        """
        for port in [self._dohWithNGHTTP2ServerPort, self._dohWithH2OServerPort]:
            output = self.checkOCSPStaplingStatus('127.0.0.1', port, self._serverName, self._caCert)
            self.assertNotIn('OCSP Response Status: successful (0x0)', output)

class TestOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server-ocsp.key'
    _serverCert = 'server-ocsp.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    _caCert = 'ca.pem'
    _caKey = 'ca.key'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testOCSPStapling(self):
        """
        OCSP Stapling: TLS (GnuTLS)
        """
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        self.assertEqual(self.getTLSProvider(), "gnutls")

        serialNumber = self.getOCSPSerial(output)
        self.assertTrue(serialNumber)

        self.generateNewCertificateAndKey('server-ocsp')
        self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
        self.sendConsoleCommand("reloadAllCertificates()")

        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        serialNumber2 = self.getOCSPSerial(output)
        self.assertTrue(serialNumber2)
        self.assertNotEqual(serialNumber, serialNumber2)

class TestBrokenOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server-ocsp.key'
    _serverCert = 'server-ocsp.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    # invalid OCSP file!
    _ocspFile = '/dev/null'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testBrokenOCSPStapling(self):
        """
        OCSP Stapling: Broken (GnuTLS)
        """
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertNotIn('OCSP Response Status: successful (0x0)', output)
        self.assertEqual(self.getTLSProvider(), "gnutls")

class TestOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server-ocsp.key'
    _serverCert = 'server-ocsp.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _ocspFile = 'server.ocsp'
    _caCert = 'ca.pem'
    _caKey = 'ca.key'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    -- generate an OCSP response file for our certificate, valid one day
    generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testOCSPStapling(self):
        """
        OCSP Stapling: TLS (OpenSSL)
        """
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        self.assertEqual(self.getTLSProvider(), "openssl")

        serialNumber = self.getOCSPSerial(output)
        self.assertTrue(serialNumber)

        self.generateNewCertificateAndKey('server-ocsp')
        self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
        self.sendConsoleCommand("reloadAllCertificates()")

        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertIn('OCSP Response Status: successful (0x0)', output)
        serialNumber2 = self.getOCSPSerial(output)
        self.assertTrue(serialNumber2)
        self.assertNotEqual(serialNumber, serialNumber2)

class TestBrokenOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server-ocsp.key'
    _serverCert = 'server-ocsp.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    # invalid OCSP file!
    _ocspFile = '/dev/null'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
    """
    _config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']

    def testBrokenOCSPStapling(self):
        """
        OCSP Stapling: Broken (OpenSSL)
        """
        output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
        self.assertNotIn('OCSP Response Status: successful (0x0)', output)
        self.assertEqual(self.getTLSProvider(), "openssl")
Commit	Line	Data
8c15553e	1	#!/usr/bin/env python
1d896c34	2	import base64
8c15553e	3	import dns
13291274	4	import os
8c15553e	5	import subprocess
13291274	6	import unittest
630eb526	7	from dnsdisttests import DNSDistTest, pickAvailablePort
8c15553e RG	8
	9	class DNSDistOCSPStaplingTest(DNSDistTest):
	10
	11	@classmethod
	12	def checkOCSPStaplingStatus(cls, addr, port, serverName, caFile):
	13	testcmd = ['openssl', 's_client', '-CAfile', caFile, '-connect', '%s:%d' % (addr, port), '-status', '-servername', serverName ]
	14	output = None
	15	try:
	16	process = subprocess.Popen(testcmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
	17	output = process.communicate(input='')
	18	except subprocess.CalledProcessError as exc:
1d896c34	19	raise AssertionError('openssl s_client failed (%d): %s' % (exc.returncode, exc.output))
8c15553e RG	20
	21	return output[0].decode()
	22
1d896c34 RG	23	@classmethod
	24	def getOCSPSerial(cls, output):
	25	serialNumber = None
	26	for line in output.splitlines():
	27	line = line.strip()
	28	print(line)
	29	if line.startswith('Serial Number:'):
	30	(_, serialNumber) = line.split(':')
	31	break
	32
	33	return serialNumber
	34
98222dfc RG	35	def getTLSProvider(self):
	36	return self.sendConsoleCommand("getBind(0):getEffectiveTLSProvider()").rstrip()
	37
58ae5410 RG	38	@classmethod
	39	def setUpClass(cls):
	40	cls.generateNewCertificateAndKey('server-ocsp')
	41	cls.startResponders()
	42	cls.startDNSDist()
	43	cls.setUpSockets()
	44
13291274	45	@unittest.skipIf('SKIP_DOH_TESTS' in os.environ, 'DNS over HTTPS tests are disabled')
8c15553e RG	46	class TestOCSPStaplingDOH(DNSDistOCSPStaplingTest):
8c15553e RG	47
1d896c34 RG	48	_consoleKey = DNSDistTest.generateConsoleKey()
1d896c34 RG	49	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
58ae5410 RG	50	_serverKey = 'server-ocsp.key'
58ae5410 RG	51	_serverCert = 'server-ocsp.chain'
8c15553e RG	52	_serverName = 'tls.tests.dnsdist.org'
	53	_ocspFile = 'server.ocsp'
	54	_caCert = 'ca.pem'
	55	_caKey = 'ca.key'
8015d525 RG	56	_dohWithNGHTTP2ServerPort = pickAvailablePort()
8015d525 RG	57	_dohWithH2OServerPort = pickAvailablePort()
8c15553e	58	_config_template = """
8015d525	59	newServer{address="127.0.0.1:%d"}
1d896c34	60	setKey("%s")
8015d525	61	controlSocket("127.0.0.1:%d")
8c15553e RG	62
	63	-- generate an OCSP response file for our certificate, valid one day
	64	generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
8015d525 RG	65	addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='nghttp2'})
8015d525 RG	66	addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='h2o'})
8c15553e	67	"""
8015d525	68	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_dohWithNGHTTP2ServerPort', '_serverCert', '_serverKey', '_ocspFile', '_dohWithH2OServerPort', '_serverCert', '_serverKey', '_ocspFile']
8c15553e	69
13291274 RG	70	@classmethod
	71	def setUpClass(cls):
	72
	73	# for some reason, @unittest.skipIf() is not applied to derived classes with some versions of Python
	74	if 'SKIP_DOH_TESTS' in os.environ:
	75	raise unittest.SkipTest('DNS over HTTPS tests are disabled')
	76
58ae5410	77	cls.generateNewCertificateAndKey('server-ocsp')
13291274 RG	78	cls.startResponders()
	79	cls.startDNSDist()
	80	cls.setUpSockets()
	81
	82	print("Launching tests..")
	83
8c15553e RG	84	def testOCSPStapling(self):
	85	"""
	86	OCSP Stapling: DOH
	87	"""
8015d525 RG	88	for port in [self._dohWithNGHTTP2ServerPort, self._dohWithH2OServerPort]:
	89	output = self.checkOCSPStaplingStatus('127.0.0.1', port, self._serverName, self._caCert)
	90	self.assertIn('OCSP Response Status: successful (0x0)', output)
8c15553e	91
8015d525 RG	92	serialNumber = self.getOCSPSerial(output)
8015d525 RG	93	self.assertTrue(serialNumber)
1d896c34	94
58ae5410	95	self.generateNewCertificateAndKey('server-ocsp')
8015d525 RG	96	self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
8015d525 RG	97	self.sendConsoleCommand("reloadAllCertificates()")
1d896c34	98
8015d525 RG	99	output = self.checkOCSPStaplingStatus('127.0.0.1', port, self._serverName, self._caCert)
	100	self.assertIn('OCSP Response Status: successful (0x0)', output)
	101	serialNumber2 = self.getOCSPSerial(output)
	102	self.assertTrue(serialNumber2)
	103	self.assertNotEqual(serialNumber, serialNumber2)
1d896c34	104
d1ce3058 RG	105	class TestBrokenOCSPStaplingDoH(DNSDistOCSPStaplingTest):
	106
	107	_consoleKey = DNSDistTest.generateConsoleKey()
	108	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
58ae5410 RG	109	_serverKey = 'server-ocsp.key'
58ae5410 RG	110	_serverCert = 'server-ocsp.chain'
d1ce3058 RG	111	_serverName = 'tls.tests.dnsdist.org'
	112	_caCert = 'ca.pem'
	113	# invalid OCSP file!
	114	_ocspFile = '/dev/null'
8015d525 RG	115	_dohWithNGHTTP2ServerPort = pickAvailablePort()
8015d525 RG	116	_dohWithH2OServerPort = pickAvailablePort()
d1ce3058 RG	117	_config_template = """
	118	newServer{address="127.0.0.1:%s"}
	119	setKey("%s")
	120	controlSocket("127.0.0.1:%s")
	121
8015d525 RG	122	addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='nghttp2'})
	123	addDOHLocal("127.0.0.1:%d", "%s", "%s", { "/" }, { ocspResponses={"%s"}, library='h2o'})
	124
d1ce3058	125	"""
8015d525	126	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_dohWithNGHTTP2ServerPort', '_serverCert', '_serverKey', '_ocspFile', '_dohWithH2OServerPort', '_serverCert', '_serverKey', '_ocspFile']
d1ce3058 RG	127
	128	def testBrokenOCSPStapling(self):
	129	"""
	130	OCSP Stapling: Broken (DoH)
	131	"""
8015d525 RG	132	for port in [self._dohWithNGHTTP2ServerPort, self._dohWithH2OServerPort]:
	133	output = self.checkOCSPStaplingStatus('127.0.0.1', port, self._serverName, self._caCert)
	134	self.assertNotIn('OCSP Response Status: successful (0x0)', output)
d1ce3058	135
8c15553e RG	136	class TestOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest):
8c15553e RG	137
1d896c34 RG	138	_consoleKey = DNSDistTest.generateConsoleKey()
1d896c34 RG	139	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
58ae5410 RG	140	_serverKey = 'server-ocsp.key'
58ae5410 RG	141	_serverCert = 'server-ocsp.chain'
8c15553e RG	142	_serverName = 'tls.tests.dnsdist.org'
	143	_ocspFile = 'server.ocsp'
	144	_caCert = 'ca.pem'
	145	_caKey = 'ca.key'
630eb526	146	_tlsServerPort = pickAvailablePort()
8c15553e RG	147	_config_template = """
8c15553e RG	148	newServer{address="127.0.0.1:%s"}
1d896c34 RG	149	setKey("%s")
1d896c34 RG	150	controlSocket("127.0.0.1:%s")
8c15553e RG	151
	152	-- generate an OCSP response file for our certificate, valid one day
	153	generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
	154	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
	155	"""
1d896c34	156	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
8c15553e RG	157
	158	def testOCSPStapling(self):
	159	"""
	160	OCSP Stapling: TLS (GnuTLS)
	161	"""
	162	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	163	self.assertIn('OCSP Response Status: successful (0x0)', output)
630eb526	164	self.assertEqual(self.getTLSProvider(), "gnutls")
8c15553e	165
1d896c34 RG	166	serialNumber = self.getOCSPSerial(output)
	167	self.assertTrue(serialNumber)
	168
58ae5410	169	self.generateNewCertificateAndKey('server-ocsp')
1d896c34 RG	170	self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
	171	self.sendConsoleCommand("reloadAllCertificates()")
	172
	173	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	174	self.assertIn('OCSP Response Status: successful (0x0)', output)
	175	serialNumber2 = self.getOCSPSerial(output)
	176	self.assertTrue(serialNumber2)
4bfebc93	177	self.assertNotEqual(serialNumber, serialNumber2)
1d896c34	178
d1ce3058 RG	179	class TestBrokenOCSPStaplingTLSGnuTLS(DNSDistOCSPStaplingTest):
	180
	181	_consoleKey = DNSDistTest.generateConsoleKey()
	182	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
58ae5410 RG	183	_serverKey = 'server-ocsp.key'
58ae5410 RG	184	_serverCert = 'server-ocsp.chain'
d1ce3058 RG	185	_serverName = 'tls.tests.dnsdist.org'
	186	_caCert = 'ca.pem'
	187	# invalid OCSP file!
	188	_ocspFile = '/dev/null'
630eb526	189	_tlsServerPort = pickAvailablePort()
d1ce3058 RG	190	_config_template = """
	191	newServer{address="127.0.0.1:%s"}
	192	setKey("%s")
	193	controlSocket("127.0.0.1:%s")
	194
	195	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls", ocspResponses={"%s"}})
	196	"""
	197	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
	198
	199	def testBrokenOCSPStapling(self):
	200	"""
	201	OCSP Stapling: Broken (GnuTLS)
	202	"""
	203	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	204	self.assertNotIn('OCSP Response Status: successful (0x0)', output)
630eb526	205	self.assertEqual(self.getTLSProvider(), "gnutls")
d1ce3058	206
8c15553e RG	207	class TestOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest):
8c15553e RG	208
1d896c34 RG	209	_consoleKey = DNSDistTest.generateConsoleKey()
1d896c34 RG	210	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
58ae5410 RG	211	_serverKey = 'server-ocsp.key'
58ae5410 RG	212	_serverCert = 'server-ocsp.chain'
8c15553e RG	213	_serverName = 'tls.tests.dnsdist.org'
	214	_ocspFile = 'server.ocsp'
	215	_caCert = 'ca.pem'
	216	_caKey = 'ca.key'
630eb526	217	_tlsServerPort = pickAvailablePort()
8c15553e RG	218	_config_template = """
8c15553e RG	219	newServer{address="127.0.0.1:%s"}
1d896c34 RG	220	setKey("%s")
1d896c34 RG	221	controlSocket("127.0.0.1:%s")
8c15553e RG	222
	223	-- generate an OCSP response file for our certificate, valid one day
	224	generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)
	225	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
	226	"""
1d896c34	227	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_serverCert', '_caCert', '_caKey', '_ocspFile', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
8c15553e RG	228
	229	def testOCSPStapling(self):
	230	"""
	231	OCSP Stapling: TLS (OpenSSL)
	232	"""
	233	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	234	self.assertIn('OCSP Response Status: successful (0x0)', output)
630eb526	235	self.assertEqual(self.getTLSProvider(), "openssl")
1d896c34 RG	236
	237	serialNumber = self.getOCSPSerial(output)
	238	self.assertTrue(serialNumber)
	239
58ae5410	240	self.generateNewCertificateAndKey('server-ocsp')
1d896c34 RG	241	self.sendConsoleCommand("generateOCSPResponse('%s', '%s', '%s', '%s', 1, 0)" % (self._serverCert, self._caCert, self._caKey, self._ocspFile))
	242	self.sendConsoleCommand("reloadAllCertificates()")
	243
	244	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	245	self.assertIn('OCSP Response Status: successful (0x0)', output)
	246	serialNumber2 = self.getOCSPSerial(output)
	247	self.assertTrue(serialNumber2)
4bfebc93	248	self.assertNotEqual(serialNumber, serialNumber2)
d1ce3058 RG	249
	250	class TestBrokenOCSPStaplingTLSOpenSSL(DNSDistOCSPStaplingTest):
	251
	252	_consoleKey = DNSDistTest.generateConsoleKey()
	253	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
58ae5410 RG	254	_serverKey = 'server-ocsp.key'
58ae5410 RG	255	_serverCert = 'server-ocsp.chain'
d1ce3058 RG	256	_serverName = 'tls.tests.dnsdist.org'
	257	_caCert = 'ca.pem'
	258	# invalid OCSP file!
	259	_ocspFile = '/dev/null'
630eb526	260	_tlsServerPort = pickAvailablePort()
d1ce3058 RG	261	_config_template = """
	262	newServer{address="127.0.0.1:%s"}
	263	setKey("%s")
	264	controlSocket("127.0.0.1:%s")
	265
	266	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", ocspResponses={"%s"}})
	267	"""
	268	_config_params = ['_testServerPort', '_consoleKeyB64', '_consolePort', '_tlsServerPort', '_serverCert', '_serverKey', '_ocspFile']
	269
	270	def testBrokenOCSPStapling(self):
	271	"""
	272	OCSP Stapling: Broken (OpenSSL)
	273	"""
	274	output = self.checkOCSPStaplingStatus('127.0.0.1', self._tlsServerPort, self._serverName, self._caCert)
	275	self.assertNotIn('OCSP Response Status: successful (0x0)', output)
630eb526	276	self.assertEqual(self.getTLSProvider(), "openssl")