From: Tobias Brunner Date: Tue, 31 Oct 2023 08:28:33 +0000 (+0100) Subject: testing: Use pki --ocsp as OCSP responder X-Git-Tag: 5.9.12rc1~2^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c10a13589ea7aae04bb40eadafe5b581ad9eecac;p=thirdparty%2Fstrongswan.git testing: Use pki --ocsp as OCSP responder The only exception is the ikev2/ocsp-no-signer-cert scenario as the pki command won't sign an OCSP response with a certificate that isn't the CA certificate or marked as an OCSP signer.
---
diff --git a/testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index 230bbf346c..92543cac34 100755
--- a/testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -5,7 +5,5 @@ cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey ocspKey.pem -rsigner ocspCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+ --cert ocspCert.pem --key ocspKey.pem --lifetime 5 --debug 0
diff --git a/testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi
index 4154f5d823..58596b1936 100755
--- a/testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/ca/research/ocsp/ocsp.cgi
@@ -5,7 +5,5 @@ cd /etc/ca/research
 echo "Content-type: application/ocsp-response"
 echo ""
-cat | /usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
- -rkey ocspKey.pem -rsigner ocspCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert researchCert.pem --index index.txt \
+ --cert ocspCert.pem --key ocspKey.pem --lifetime 5 --debug 0
diff --git a/testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi
index 05d304dc3c..3b067a10cf 100755
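Review bot: The new responder line in testing/hosts/winnetou/etc/ca/ocsp/ocsp.cgi calls `pki` by bare name where the removed line pinned `/usr/bin/openssl`, so the CGI now depends on the PATH the web server passes to its children. The `Content-type` header and blank line are written before the pipeline runs and `--debug 0` presumably silences pki's diagnostics, so a failed lookup or unreadable key would reach the client as an empty `application/ocsp-response` body that a scenario expecting a rejected response might not tell apart from the intended failure. Consider invoking pki by the absolute path it has in the test image, or adding a comment such as `# pki is resolved via the web server's PATH; on failure the body is empty`. The same applies to the pki lines in the research, sales, ocsp-local-cert, ocsp-root-cert, ocsp-timeouts-good, ocsp-timeouts-unknown and ocsp-untrusted-cert scripts. The script begins above the hunk, so any PATH setup there is not visible.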
--- a/testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/ca/sales/ocsp/ocsp.cgi
@@ -5,7 +5,5 @@ cd /etc/ca/sales
 echo "Content-type: application/ocsp-response"
 echo ""
-cat | /usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
- -rkey ocspKey.pem -rsigner ocspCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert salesCert.pem --index index.txt \
+ --cert ocspCert.pem --key ocspKey.pem --lifetime 5 --debug 0
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index ea9be3d92f..bf76e6a750 100755
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -5,7 +5,5 @@ cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
- -resp_no_certs -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+ --cert ocspCert-self.pem --key ocspKey-self.pem --lifetime 5 --debug 0
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index 8c7b9cd136..6b033d0aa0 100755
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
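Review bot: The removed command in ikev2/ocsp-local-cert passed `-resp_no_certs`, and the replacement `pki --ocsp --respond ... --cert ocspCert-self.pem --key ocspKey-self.pem` has no visible counterpart, so it is unclear whether the response still omits the signer certificate. If pki embeds the `--cert` certificate, the client no longer has to rely on a locally installed copy and the scenario may stop covering that lookup path; the new blob `bf76e6a750` is identical to the one for ikev2/ocsp-untrusted-cert, whose old command differed from this one by exactly that flag. ikev2/ocsp-root-cert drops `-resp_no_certs` as well, there together with the signer certificate option. A comment recording the expectation, for example `# old responder used -resp_no_certs: response carried no signer certificate`, would keep the difference between the scenarios visible. The script begins above the hunk.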
@@ -5,7 +5,8 @@ cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
+# we have to use OpenSSL here as pki --ocsp rejects signing with such a
+# non-OCSP-signer certificate
 cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
 -rkey winnetouKey.pem -rsigner winnetouCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout | cat
+ -nmin 5 -reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index 74ca4181cc..1755af9c16 100755
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -5,7 +5,5 @@ cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey strongswanKey.pem -rsigner strongswanCert.pem \
- -resp_no_certs -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+ --key strongswanKey.pem --lifetime 5 --debug 0
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index 7dd3ddb0f8..ef1b89611f 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -8,7 +8,5 @@ echo ""
 # simulate a delayed response
 sleep 2
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey ocspKey.pem -rsigner ocspCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+ --cert ocspCert.pem --key ocspKey.pem --lifetime 5 --debug 0
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index 7dd3ddb0f8..ef1b89611f 100755
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -8,7 +8,5 @@ echo ""
 # simulate a delayed response
 sleep 2
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey ocspKey.pem -rsigner ocspCert.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+ --cert ocspCert.pem --key ocspKey.pem --lifetime 5 --debug 0
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
index bce963fadd..bf76e6a750 100755
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/ca/ocsp/ocsp.cgi
@@ -5,7 +5,5 @@ cd /etc/ca
 echo "Content-type: application/ocsp-response"
 echo ""
-cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
- -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
- -nmin 5 \
- -reqin /dev/stdin -respout /dev/stdout | cat
+cat | pki --ocsp --respond --cacert strongswanCert.pem --index index.txt \
+ --cert ocspCert-self.pem --key ocspKey-self.pem --lifetime 5 --debug 0