testing: Use pki --ocsp as OCSP responder
authorTobias Brunner <tobias@strongswan.org>
Tue, 31 Oct 2023 08:28:33 +0000 (09:28 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 13 Nov 2023 11:50:47 +0000 (12:50 +0100)
The only exception is the ikev2/ocsp-no-signer-cert scenario as the
pki command won't sign an OCSP response with a certificate that isn't
the CA certificate or marked as an OCSP signer.

testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi
testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi
testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi

index 230bbf346cc7717747d371210558584a26568873..92543cac347043b22b942793c5670e6ea88c0938 100755 (executable)
@@ -5,7 +5,5 @@ cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
 
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-       -rkey ocspKey.pem -rsigner ocspCert.pem \
-       -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+                 --cert ocspCert.pem --key ocspKey.pem --lifetime 5 --debug 0
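Review bot: The `--debug 0` on the new pki line silences the responder's diagnostics, so if pki cannot open index.txt or the key, the client presumably just receives an empty body after the already-emitted Content-type header and nothing useful lands in the web server's error log; if level 0 also drops error messages, `--debug 1` would keep failures visible on the CGI's stderr without adding noise to the response body. The leading `cat |` is also redundant now that pki reads the request straight from the pipe, so `pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \` with no preceding `cat |` saves a process per request. The same two points apply to the research, sales, both ocsp-timeouts and ocsp-untrusted-cert hunks, which differ only in the CA certificate file.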
index 4154f5d823dac2cb39e7359f1a9ead4cf12af833..58596b193653a5f376cf5569a468e4b533f24998 100755 (executable)
@@ -5,7 +5,5 @@ cd /etc/ca/research
 echo "Content-type: application/ocsp-response"
 echo ""
 
-cat | /usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
-       -rkey ocspKey.pem -rsigner ocspCert.pem \
-       -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert researchCert.pem --index index.txt \
+                 --cert ocspCert.pem --key ocspKey.pem --lifetime 5 --debug 0
index 05d304dc3cf6138881ce7b881b96fbfc601465e4..3b067a10cf1ef237def505152126d4dbe6a59b19 100755 (executable)
@@ -5,7 +5,5 @@ cd /etc/ca/sales
 echo "Content-type: application/ocsp-response"
 echo ""
 
-cat | /usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
-       -rkey ocspKey.pem -rsigner ocspCert.pem \
-       -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert salesCert.pem --index index.txt \
+                 --cert ocspCert.pem --key ocspKey.pem --lifetime 5 --debug 0
index ea9be3d92f524e5346d0248488e444be4832fbed..bf76e6a75030907c43a1ed44795343ba69c3e116 100755 (executable)
@@ -5,7 +5,5 @@ cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
 
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-       -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
-       -resp_no_certs -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+                 --cert ocspCert-self.pem --key ocspKey-self.pem --lifetime 5 --debug 0
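Review bot: The removed OpenSSL invocation passed `-resp_no_certs`, which kept the signer certificate out of the response, and the new pki line has no visible equivalent; whether `pki --ocsp --respond` includes ocspCert-self.pem in the response by default cannot be told from this hunk. If it does, the ocsp-local-cert scenario (and the ocsp-root-cert hunk, which also drops `-resp_no_certs`) may no longer exercise the case where the client has to locate the signer certificate itself, so it is worth confirming the response contents once. Once confirmed, a comment such as `# pki does not embed the signer certificate, matching the former openssl -resp_no_certs` above the command would record why the flag has no counterpart here.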
index 8c7b9cd1364eb8c4cb09ad61016059176a845cf8..6b033d0aa025d2de43a02143cf51e88cd8ba8e6d 100755 (executable)
@@ -5,7 +5,8 @@ cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
 
+# we have to use OpenSSL here as pki --ocsp rejects signing with such a
+# non-OCSP-signer certificate
 cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
        -rkey winnetouKey.pem -rsigner winnetouCert.pem \
-       -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
+       -nmin 5 -reqin /dev/stdin -respout /dev/stdout | cat
index 74ca4181ccaa6c01defe8809fba15e2ec829712e..1755af9c169641a0fd248fd69c654a1083925c06 100755 (executable)
@@ -5,7 +5,5 @@ cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
 
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-       -rkey strongswanKey.pem -rsigner strongswanCert.pem \
-       -resp_no_certs -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+                 --key strongswanKey.pem --lifetime 5 --debug 0
index 7dd3ddb0f86446081de86e5fd1b12a01c6e7b21b..ef1b89611f0bca320eb76f2b02a55f57dbc4f887 100755 (executable)
@@ -8,7 +8,5 @@ echo ""
 # simulate a delayed response
 sleep 2
 
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-       -rkey ocspKey.pem -rsigner ocspCert.pem \
-       -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+                 --cert ocspCert.pem --key ocspKey.pem --lifetime 5 --debug 0
index 7dd3ddb0f86446081de86e5fd1b12a01c6e7b21b..ef1b89611f0bca320eb76f2b02a55f57dbc4f887 100755 (executable)
@@ -8,7 +8,5 @@ echo ""
 # simulate a delayed response
 sleep 2
 
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-       -rkey ocspKey.pem -rsigner ocspCert.pem \
-       -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+                 --cert ocspCert.pem --key ocspKey.pem --lifetime 5 --debug 0
index bce963faddf19b0f11161c0d1bbdbb80ce0b2700..bf76e6a75030907c43a1ed44795343ba69c3e116 100755 (executable)
@@ -5,7 +5,5 @@ cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
 
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-       -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
-       -nmin 5 \
-       -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+                 --cert ocspCert-self.pem --key ocspKey-self.pem --lifetime 5 --debug 0