diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-09-26 19:28:53 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-09-26 19:34:09 +0100 |
commit | e326959e5e455e1b46124b023e0b202e4892e501 (patch) | |
tree | 94df809ddf19d7eb97ec9eca348836510f832b86 /test/aux-fixed/exim-ca | |
parent | 6219e0ec4a59a06b84eaabb6b3ae5d9e8f166672 (diff) |
GnuTLS: full-chain OCSP stapling. Bug 1466
Diffstat (limited to 'test/aux-fixed/exim-ca')
6 files changed, 155 insertions, 3 deletions
diff --git a/test/aux-fixed/exim-ca/example.com/CA/CA.ocsp.signernocert.good.resp.pem b/test/aux-fixed/exim-ca/example.com/CA/CA.ocsp.signernocert.good.resp.pem new file mode 100644 index 000000000..6b5d6217e --- /dev/null +++ b/test/aux-fixed/exim-ca/example.com/CA/CA.ocsp.signernocert.good.resp.pem @@ -0,0 +1,31 @@ +OCSP Response Information: + Response Status: Successful + Response Type: Basic OCSP Response + Version: 1 + Responder ID: CN=clica CA rsa,O=example.com + Produced At: Thu Sep 26 12:14:05 UTC 2019 + Responses: + Certificate ID: + Hash Algorithm: SHA256 + Issuer Name Hash: bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109 + Issuer Key Hash: 208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12 + Serial Number: 41 + Certificate Status: good + This Update: Thu Sep 26 12:14:05 UTC 2019 + Next Update: Tue Sep 25 12:14:05 UTC 2029 + Extensions: + Signature Algorithm: RSA-SHA256 + +-----BEGIN OCSP RESPONSE----- +MIIB+goBAKCCAfMwggHvBgkrBgEFBQcwAQEEggHgMIIB3DCBxaEvMC0xFDASBgNV +BAoTC2V4YW1wbGUuY29tMRUwEwYDVQQDEwxjbGljYSBDQSByc2EYDzIwMTkwOTI2 +MTIxNDA1WjCBgDB+MFYwDQYJYIZIAWUDBAIBBQAEIL+nJ1pWbv1L4t+C29nRKQ1H +AYb2/yrNjBZlnzQqtWEJBCAgj50ox8C8kUFE36jAvj1bO/zrtiLIqNwn6GX8BsoO +EgIBQYAAGA8yMDE5MDkyNjEyMTQwNVqgERgPMjAyOTA5MjUxMjE0MDVaMA0GCSqG +SIb3DQEBCwUAA4IBAQAIVtY+mV3cbK0Z/itrRAJKrQGjWz4nUKK2t84KN/K/NxJd +oDvgN9sp4qp8P0RDE/fwqDLTNp35/7vHPaSB5Bi+L6U2aUwz46LJsX0/q6DuprE+ +e6Z8rOrfycACBY18h8X3foCJwP3/Igon1B7ERbJHYKut77eXJh8EEpxQDxYaDdoj +d0aFylyMjNH5Cm1nSkksC0islm5sk+ggEZjOnvM6y6ZzlPHl1nyI6TOWrTSoqm69 +mK2Gf9V59oHJPSM3OaVWL5OoUIZ57RrtDdxs3H3HO8QNPCSJY80Dk2uwpZICzYP3 +ko2KEu5rKChZ74PB59D6wAuUTEYdzF08s9waWL1m +-----END OCSP RESPONSE----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.good.resp.pem b/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.good.resp.pem new file mode 100644 index 000000000..5a44d61af --- /dev/null +++ b/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.good.resp.pem @@ -0,0 +1,31 @@ +OCSP Response Information: + Response Status: Successful + Response Type: Basic OCSP Response + Version: 1 + Responder ID: CN=clica CA rsa,O=example.com + Produced At: Wed Sep 25 16:52:00 UTC 2019 + Responses: + Certificate ID: + Hash Algorithm: SHA256 + Issuer Name Hash: bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109 + Issuer Key Hash: 208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12 + Serial Number: 42 + Certificate Status: good + This Update: Wed Sep 25 16:52:00 UTC 2019 + Next Update: Mon Sep 24 16:52:00 UTC 2029 + Extensions: + Signature Algorithm: RSA-SHA256 + +-----BEGIN OCSP RESPONSE----- +MIIB+goBAKCCAfMwggHvBgkrBgEFBQcwAQEEggHgMIIB3DCBxaEvMC0xFDASBgNV +BAoTC2V4YW1wbGUuY29tMRUwEwYDVQQDEwxjbGljYSBDQSByc2EYDzIwMTkwOTI1 +MTY1MjAwWjCBgDB+MFYwDQYJYIZIAWUDBAIBBQAEIL+nJ1pWbv1L4t+C29nRKQ1H +AYb2/yrNjBZlnzQqtWEJBCAgj50ox8C8kUFE36jAvj1bO/zrtiLIqNwn6GX8BsoO +EgIBQoAAGA8yMDE5MDkyNTE2NTIwMFqgERgPMjAyOTA5MjQxNjUyMDBaMA0GCSqG +SIb3DQEBCwUAA4IBAQAD/6WpB4+oK4S81aIp48J0CPqqPkd2tMBaAHZQ+0FG2A9c +8VPPjWfVhTYikeILbVukABNpcP5G3bWOiTrYK0bp2f+Wf3NQyiP+VXj0pGmnX4lI +Jwwg0ZvejHddoU192DTYu+fjj80YVOv09VHoehLsnsYPe16nW+2Ul2eDJ5IQv1qo +5PUjRqc1X8W0ixAR34zXnkO+tDbpkGtUo/WcGt0zVxmoqXwvWsEG65PN/OYS2rEu +q5TkTweFZllPdNfRJAXHBlZf1ndA9XpTzp4U/RGlWHP4Mp92BH9Ry50admEvObCe +ayhmuSWTc/8mrunDn+qidRFYccHtDTeoAy2XRnGA +-----END OCSP RESPONSE----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.revoked.resp.pem b/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.revoked.resp.pem new file mode 100644 index 000000000..dfbed044e --- /dev/null +++ b/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.revoked.resp.pem @@ -0,0 +1,33 @@ +OCSP Response Information: + Response Status: Successful + Response Type: Basic OCSP Response + Version: 1 + Responder ID: CN=clica CA rsa,O=example.com + Produced At: Thu Sep 26 07:51:09 UTC 2019 + Responses: + Certificate ID: + Hash Algorithm: SHA256 + Issuer Name Hash: bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109 + Issuer Key Hash: 208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12 + Serial Number: 42 + Certificate Status: revoked + Revocation time: Mon Feb 01 14:27:09 UTC 2010 + This Update: Thu Sep 26 07:51:09 UTC 2019 + Next Update: Tue Sep 25 07:51:09 UTC 2029 + Extensions: + Signature Algorithm: RSA-SHA256 + +-----BEGIN OCSP RESPONSE----- +MIICEQoBAKCCAgowggIGBgkrBgEFBQcwAQEEggH3MIIB8zCB3KEvMC0xFDASBgNV +BAoTC2V4YW1wbGUuY29tMRUwEwYDVQQDEwxjbGljYSBDQSByc2EYDzIwMTkwOTI2 +MDc1MTA5WjCBlzCBlDBWMA0GCWCGSAFlAwQCAQUABCC/pydaVm79S+LfgtvZ0SkN +RwGG9v8qzYwWZZ80KrVhCQQgII+dKMfAvJFBRN+owL49Wzv867YiyKjcJ+hl/AbK +DhICAUKhFhgPMjAxMDAyMDExNDI3MDlaoAMKAQQYDzIwMTkwOTI2MDc1MTA5WqAR +GA8yMDI5MDkyNTA3NTEwOVowDQYJKoZIhvcNAQELBQADggEBABxA6J6zKoEXgmgG +/I1hZc08x4T8WibqkGhS/1hcq66STgqYY1m3GmaOHQiwHhxsZzAUfOp1wChNgRCI +x2pFp5rsQCZPvSL244SaTRqSK6eFONnic+s7nND3b/DZuelx3Zq1y/vrg+WaNxxt +HWC1sRk2c/jAMqdHbH5obXzWB88qN8dh9Xwi8VXYCFlKjlURa6q6z5b5jhPI1BDW +oLK66ZIzSxryPGu/70EWUAAMub5NAMhGi0Vf1eoIl87PMKQRaGTkwgKe3KgqU+o9 +Oa15HFRL0iFaVBxdYEQyy/MW6iSA+1KiyqSpWEZxCvisKjUTVopx/BiVb9sEpvwE +yRNnGe8= +-----END OCSP RESPONSE----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt b/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt index d69d74d0c..4670f59f0 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt +++ b/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt @@ -4,3 +4,4 @@ R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.com R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.com R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.com R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.com +R 130110200751Z 100201142709Z,superseded 42 unknown CN=clica Signing Cert rsa diff --git a/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt b/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt index 126acf7e4..61dc8ac70 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt +++ b/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt @@ -4,3 +4,5 @@ V 130110200751Z 67 unknown CN=expired1.example.com V 130110200751Z c9 unknown CN=server2.example.com V 130110200751Z ca unknown CN=revoked2.example.com V 130110200751Z cb unknown CN=expired2.example.com +V 130110200751Z 42 unknown CN=clica Signing Cert rsa +V 130110200751Z 41 unknown CN=clica CA rsa diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall index a5e51e3e5..9904cfa6f 100755 --- a/test/aux-fixed/exim-ca/genall +++ b/test/aux-fixed/exim-ca/genall @@ -26,6 +26,14 @@ do rm -fr "$idir" # create CA cert + templates + # -D dir to work in + # -p passwd for cert + # -B keysize in bits + # -I create CA cert + # -N org name + # -F create sub-signing cert + # -C CRL + # -O create OCSP responder cert clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/ # create server certs @@ -67,8 +75,15 @@ do #### + # so, for full-chain OCSP we sill want an OCSP resp for the Signer cert and also (?) one for the + # CA cert itself. The existing bits below only create for the leaf certs, next layer down. + # + # First test will be just adding OCSP for the Signer cert. Presumably we could use the CA cert + # to sign that. + # create OCSP reqs & resps CADIR=$idir/CA + #give ourselves an OSCP key to work with pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key @@ -77,12 +92,17 @@ do pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key + # ditto for CA + # - the "-n names" here appear to be hardcoded in clica + pk12util -o $CADIR/CA.p12 -n 'Certificate Authority rsa' -d $CADIR -K password -W password + openssl pkcs12 -in $CADIR/CA.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/CA.key + # create some index files for the ocsp responder to work with -# tab-sep +# tab-sep, and fields can be empty # 0: Revoked/Expired/Valid letter # 1: Expiry date (ASN1_UTCTIME) # 2: Revocation date -# 3: Serial no. (unique) +# 3: Serial no. (unique, in hex) # 4: file # 5: DN, index @@ -93,6 +113,8 @@ V 130110200751Z 67 unknown CN=expired1.$iname V 130110200751Z c9 unknown CN=server2.$iname V 130110200751Z ca unknown CN=revoked2.$iname V 130110200751Z cb unknown CN=expired2.$iname +V 130110200751Z 42 unknown CN=clica Signing Cert rsa +V 130110200751Z 41 unknown CN=clica CA rsa EOF cat >$CADIR/index.revoked.txt <<EOF R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.$iname @@ -101,9 +123,10 @@ R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.$iname R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.$iname R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.$iname R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.$iname +R 130110200751Z 100201142709Z,superseded 42 unknown CN=clica Signing Cert rsa EOF - # Now create all the ocsp requests and responses + # Now create all the ocsp requests and responses for the leaf certs IVALID="-index $CADIR/index.valid.txt" IREVOKED="-index $CADIR/index.revoked.txt" @@ -116,6 +139,8 @@ EOF openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req REQIN="-reqin $SPFX.ocsp.req" + # These ones get used by the "traditional" testcases. OCSP resp signed by a cert which is + # signed by the signer of the leaf-cert being attested to. OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify" openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.dated.resp @@ -126,11 +151,40 @@ EOF openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signer.dated.resp openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.revoked.resp + # These ones get used by the "LetsEncrypt mode" testcases. OCSP resp is signed directly by the + # signer of the leaf-cert being attested to. OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify" openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.good.resp openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signernocert.dated.resp openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp done + + # convert one good leaf-resp to PEM + $server=server1 + RESP=$idir/$server.$iname/$server.$iname.ocsp.signernocert.good.resp + ocsptool -S $RESP -j > $RESP.pem + + # Then, ocsp request and responses for the signer cert + REQ=$CADIR/Signer.ocsp.req + RESP=$CADIR/Signer.ocsp.signernocert.good.resp + openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/Signer.pem -no_nonce -reqout $REQ + openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \ + -ndays 3652 -reqin $REQ -respout $RESP + ocsptool -S $RESP -j > $RESP.pem + + RESP=$CADIR/Signer.ocsp.signernocert.revoked.resp + openssl ocsp $IREVOKED -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \ + -ndays 3652 -reqin $REQ -respout $RESP + ocsptool -S $RESP -j > $RESP.pem + + # Then, ocsp request and response for the CA cert + REQ=$CADIR/CA.ocsp.req + RESP=$CADIR/CA.ocsp.signernocert.good.resp + openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/CA.pem -no_nonce -reqout $REQ + openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \ + -ndays 3652 -reqin $REQ -respout $RESP + ocsptool -S $RESP -j > $RESP.pem + #### done |