377 lines
8.0 KiB
Bash
Executable File
377 lines
8.0 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
NGINX_SRC="../nginx"
|
|
if [ "$NGINX_BIN" = "" ]; then
|
|
NGINX_BIN="${NGINX_SRC}/objs/nginx"
|
|
fi
|
|
WOLFSSL_SOURCE="../wolfssl"
|
|
WOLFSSL_CLIENT="./examples/client/client"
|
|
WOLFSSL_OCSP_CERTS="${WOLFSSL_SOURCE}/certs/ocsp"
|
|
NGINX_CONF="./conf"
|
|
CLIENT_TMP="/tmp/nginx_client.$$"
|
|
SERVER_TMP="/tmp/nginx_server.$$"
|
|
OCSP_GOOD="ocsp-good-status.der"
|
|
OCSP_BAD="ocsp-bad-status.der"
|
|
WN_PATH=`pwd`
|
|
WN_OCSP_GOOD="$WN_PATH/conf/$OCSP_GOOD"
|
|
WN_OCSP_BAD="$WN_PATH/conf/$OCSP_BAD"
|
|
WN_LOGS="$WN_PATH/logs"
|
|
WN_ERROR_LOG="$WN_LOGS/error.log"
|
|
|
|
|
|
if [ ! -f $NGINX_BIN ]; then
|
|
echo "Could not find Nginx exe: ${NGINX_BIN}"
|
|
echo "Stopping - FAIL"
|
|
exit 1
|
|
fi
|
|
echo "Ngninx binary: $NGINX_BIN"
|
|
echo "wolfSSL Source directory: $WOLFSSL_SOURCE"
|
|
if [ ! -d $WOLFSSL_SOURCE ]; then
|
|
echo "Could not find wolfSSL source directory: ${WOLFSSL_SOURCE}"
|
|
echo "Stopping - FAIL"
|
|
exit 1
|
|
fi
|
|
if [ ! -d $WOLFSSL_OCSP_CERTS ]; then
|
|
echo "Could not find OCSP certs path: ${WOLFSSL_OCSP_CERTS}"
|
|
echo "Stopping - FAIL"
|
|
exit 1
|
|
fi
|
|
echo "Changing into wolfSSL source directory"
|
|
cd $WOLFSSL_SOURCE
|
|
if [ ! -e $WOLFSSL_CLIENT ]; then
|
|
echo "Could not find wolfSSL client: ${WOLFSSL_CLIENT}"
|
|
echo "Stopping - FAIL"
|
|
exit 1
|
|
fi
|
|
OPENSSL=`which openssl`
|
|
if [ "$?" = "1" ]; then
|
|
echo "Could not find openssl superapp"
|
|
echo "Stopping - FAIL"
|
|
exit 1
|
|
fi
|
|
echo "OpenSSL superapp found: $OPENSSL"
|
|
echo
|
|
|
|
if [ ! -d $WN_LOGS ]; then
|
|
echo "Making directory: ${WN_LOGS}"
|
|
mkdir ${WN_LOGS}
|
|
fi
|
|
|
|
# Number of minutes OCSP responses will be valid for
|
|
VALID_MIN=60
|
|
|
|
declare -a EXPECT
|
|
declare -a EXPECT_SERVER
|
|
declare -a EXP
|
|
|
|
SERVER_PID=0
|
|
OCSP_PID=0
|
|
|
|
PASS=0
|
|
FAIL=0
|
|
UNKNOWN=0
|
|
|
|
run_nginx() {
|
|
${NGINX_BIN} -p ${WN_PATH} \
|
|
-g "error_log ${WN_ERROR_LOG} debug;" \
|
|
${NGINX_OPTS}
|
|
RES=$?
|
|
}
|
|
|
|
do_cleanup() {
|
|
echo "# In cleanup"
|
|
|
|
NGINX_OPTS="-s stop"
|
|
run_nginx
|
|
|
|
rm -f $CLIENT_TMP
|
|
rm -f $SERVER_TMP
|
|
|
|
if [ $SERVER_PID != '0' ]
|
|
then
|
|
echo "# Killing server"
|
|
kill -9 $SERVER_PID
|
|
fi
|
|
if [ $OCSP_PID != '0' ]
|
|
then
|
|
echo "# Killing OCSP responder"
|
|
kill -9 $OCSP_PID
|
|
fi
|
|
|
|
cd $WN_PATH
|
|
rm -rf client_body_temp fastcgi_temp proxy_temp scgi_temp uwsgi_temp
|
|
}
|
|
|
|
do_trap() {
|
|
echo "# Got trap"
|
|
do_cleanup
|
|
exit 1
|
|
}
|
|
|
|
trap do_trap INT TERM
|
|
|
|
check_log() {
|
|
DUMP_LOG="no"
|
|
if [ "$EXP" != "" ]; then
|
|
for I in ${!EXP[@]}
|
|
do
|
|
if grep "${EXP[$I]}" $LOG; then
|
|
echo "# PASS: Found: ${EXP[$I]}"
|
|
echo
|
|
PASS=$(($PASS + 1))
|
|
else
|
|
echo "# FAIL: Didn't find: ${EXP[$I]}"
|
|
echo
|
|
DUMP_LOG="yes"
|
|
FAIL=$(($FAIL + 1))
|
|
fi
|
|
done
|
|
else
|
|
DUMP_LOG="yes"
|
|
UNKNOWN=$(($UNKNOWN + 1))
|
|
fi
|
|
|
|
if [ "$DUMP_LOG" = "yes" ]; then
|
|
cat $LOG
|
|
fi
|
|
}
|
|
|
|
client() {
|
|
${WOLFSSL_CLIENT} -r -g -p $PORT $OPTS >$CLIENT_TMP 2>&1
|
|
|
|
echo "# Client Output"
|
|
LOG=$CLIENT_TMP
|
|
EXP=("${EXPECT[@]}")
|
|
check_log
|
|
}
|
|
client_test() {
|
|
OPTS="$OPTS -r -g"
|
|
client
|
|
}
|
|
stapling_test() {
|
|
OPTS="$OPTS -g -C -A ${WOLFSSL_OCSP_CERTS}/root-ca-cert.pem -W 1"
|
|
client
|
|
}
|
|
|
|
# Start the OSCP responder and generate the response files
|
|
${OPENSSL} ocsp -port 22221 -nmin ${VALID_MIN} -index ${WOLFSSL_OCSP_CERTS}/index1.txt -rsigner ${WOLFSSL_OCSP_CERTS}/ocsp-responder-cert.pem -rkey ${WOLFSSL_OCSP_CERTS}/ocsp-responder-key.pem -CA ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem >/dev/null 2>&1 &
|
|
OCSP_PID=$!
|
|
|
|
# Generate OCSP response file that indicates certificate is good.
|
|
${OPENSSL} ocsp -issuer ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem -cert ${WOLFSSL_OCSP_CERTS}/server1-cert.pem -url http://localhost:22221 -resp_text -respout ${WN_OCSP_GOOD} -no_nonce >/dev/null 2>&1
|
|
|
|
# Generate OCSP response file that indicates certificate is revoked.
|
|
${OPENSSL} ocsp -issuer ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem -cert ${WOLFSSL_OCSP_CERTS}/server2-cert.pem -url http://localhost:22221 -resp_text -respout ${WN_OCSP_BAD} -no_nonce >/dev/null 2>&1
|
|
|
|
if [ ! -f $WN_OCSP_GOOD ]; then
|
|
echo "Could not find OCSP output file: ${WN_OCSP_GOOD}"
|
|
echo "Stopping - FAIL"
|
|
exit 1
|
|
fi
|
|
if [ ! -f $WN_OCSP_BAD ]; then
|
|
echo "Could not find OCSP output file: ${WN_OCSP_BAD}"
|
|
echo "Stopping - FAIL"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Stopping Nginx ..."
|
|
NGINX_OPTS="-s stop"
|
|
run_nginx
|
|
echo "Starting Nginx ..."
|
|
# Start Nginx
|
|
NGINX_OPTS=
|
|
run_nginx
|
|
if [ "$RES" != "0" ]; then
|
|
echo "Failed to start Nginx"
|
|
exit 1
|
|
fi
|
|
|
|
# Default certificate, DH KEA
|
|
echo
|
|
echo '#'
|
|
echo '# DH Key Exchange'
|
|
echo '#'
|
|
PORT=11443
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("SSL DH size is 2048 bits" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response")
|
|
client_test
|
|
# Default certificate, DH, verify client
|
|
echo
|
|
echo '#'
|
|
echo '# DH Key Exchange verify client'
|
|
echo '#'
|
|
PORT=11444
|
|
echo "# Port: $PORT"
|
|
OPTS="-x"
|
|
EXPECT=("400 No required SSL certificate was sent")
|
|
client_test
|
|
# Default certificate, ECDH with SECP384R1
|
|
echo
|
|
echo '#'
|
|
echo '# ECDH Key Exchange: SECP384R1'
|
|
echo '#'
|
|
PORT=11445
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("SECP384R1" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK")
|
|
client_test
|
|
# ECC certificate, ECDH with default curve (prime256v1)
|
|
echo
|
|
echo '#'
|
|
echo '# ECC Certificate, ECDH Key Exchange: default curve (prime256v1)'
|
|
echo '#'
|
|
PORT=11446
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("SECP256R1" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK")
|
|
client_test
|
|
# Session tickets file
|
|
echo
|
|
echo '#'
|
|
echo '# Session ticket file'
|
|
echo '#'
|
|
PORT=11450
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("Session Ticket CB" "HTTP/1.1 200 OK")
|
|
client_test
|
|
|
|
echo
|
|
echo '#'
|
|
echo '# Session cache off'
|
|
echo '#'
|
|
PORT=11455
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK")
|
|
client_test
|
|
echo
|
|
echo '#'
|
|
echo '# Session cache none'
|
|
echo '#'
|
|
PORT=11456
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK")
|
|
client_test
|
|
echo
|
|
echo '#'
|
|
echo '# Session cache builtin'
|
|
echo '#'
|
|
PORT=11457
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("reused session id" "HTTP/1.1 200 OK")
|
|
client_test
|
|
|
|
# Proxy to localhost:11111 - DHE-RSA
|
|
echo
|
|
echo '#'
|
|
echo '# Proxy - DHE-RSA'
|
|
echo '#'
|
|
PORT=11460
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
SERVER_OPTS=
|
|
EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf")
|
|
client_test
|
|
# Proxy to localhost:11111 - ECDHE-RSA
|
|
echo
|
|
echo '#'
|
|
echo '# Proxy - ECDHE-RSA'
|
|
echo '#'
|
|
PORT=11461
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
SERVER_OPTS=
|
|
EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf")
|
|
client_test
|
|
# Proxy to localhost:11111 - ECDHE-ECDSA
|
|
echo
|
|
echo '#'
|
|
echo '# Proxy - ECDHE-ECDSA'
|
|
echo '#'
|
|
PORT=11462
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
SERVER_OPTS="-c certs/server-ecc.pem -k certs/ecc-key.pem"
|
|
EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf")
|
|
client_test
|
|
# Proxy to localhost:11111 - Revoked certificate in CRL
|
|
echo
|
|
echo '#'
|
|
echo '# Proxy - Revoked certificate in CRL'
|
|
echo '#'
|
|
PORT=11465
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
SERVER_OPTS=
|
|
EXPECT=("HTTP/1.1 502")
|
|
client_test
|
|
|
|
# OCSP Stapling
|
|
# Good certificate
|
|
echo
|
|
echo '#'
|
|
echo '# OCSP Stapling - Good Certificate (Using OCSP Responder)'
|
|
echo '#'
|
|
PORT=11470
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("HTTP/1.1 200 OK")
|
|
stapling_test
|
|
stapling_test
|
|
# Revoked certificate
|
|
echo
|
|
echo '#'
|
|
echo '# OCSP Stapling - Revoked Certificate (Using OCSP Responder)'
|
|
echo '#'
|
|
PORT=11471
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("err = -360")
|
|
stapling_test
|
|
stapling_test
|
|
# Good certificate - response file
|
|
echo
|
|
echo '#'
|
|
echo '# OCSP Stapling - Good Certificate (Using pre-generated file)'
|
|
echo '#'
|
|
PORT=11472
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("HTTP/1.1 200 OK")
|
|
stapling_test
|
|
# Revoked certificate - response file
|
|
echo
|
|
echo '#'
|
|
echo '# OCSP Stapling - Revoked Certificate (Using pre-generated file)'
|
|
echo '#'
|
|
PORT=11473
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("err = -360")
|
|
stapling_test
|
|
# No certificate for verification of OCSP response
|
|
echo
|
|
echo '#'
|
|
echo '# OCSP Stapling - Using OCSP Responder but no cert to verify'
|
|
echo '#'
|
|
PORT=11474
|
|
echo "# Port: $PORT"
|
|
OPTS=
|
|
EXPECT=("HTTP/1.1 200 OK")
|
|
stapling_test
|
|
stapling_test
|
|
|
|
do_cleanup
|
|
|
|
echo
|
|
echo "##############"
|
|
echo "# PASS : $PASS"
|
|
echo "# FAIL : $FAIL"
|
|
echo "# UNKNOWN : $UNKNOWN"
|
|
echo "##############"
|
|
|