From 86ede124f0ce622b4f73e05504abc11fece021e3 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 17 Oct 2019 21:45:32 +0100
Subject: OpenSSL: full-chain OCSP stapling. Bug 1466
---
 .../server1.example.com/fullchain.ocsp.resp.pem | 52 ++++++++++++++++++++++
 test/aux-fixed/exim-ca/genall | 27 +++++------
 2 files changed, 66 insertions(+), 13 deletions(-)
 create mode 100644 test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.ocsp.resp.pem
(limited to 'test/aux-fixed/exim-ca')
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.ocsp.resp.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.ocsp.resp.pem
new file mode 100644
index 000000000..9667e069c
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.ocsp.resp.pem
@@ -0,0 +1,52 @@
+OCSP Response Information:
+ Response Status: Successful
+ Response Type: Basic OCSP Response
+ Version: 1
+ Responder ID: CN=clica CA rsa,O=example.com
+ Produced At: Thu Oct 10 20:08:22 UTC 2019
+ Responses:
+ Certificate ID:
+ Hash Algorithm: SHA256
+ Issuer Name Hash: 5af082e51d62fe01fd706baebeb878db64e68f76e74a36f36d914297ddee24b8
+ Issuer Key Hash: 333db14364b98e78a33dd8a4fae8d8378ea9b0f5fbca97b25685aa0d32116091
+ Serial Number: 65
+ Certificate Status: good
+ This Update: Thu Oct 10 20:08:22 UTC 2019
+ Next Update: Tue Oct 09 20:08:22 UTC 2029
+ Certificate ID:
+ Hash Algorithm: SHA256
+ Issuer Name Hash: bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109
+ Issuer Key Hash: 208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12
+ Serial Number: 42
+ Certificate Status: good
+ This Update: Thu Oct 10 20:08:22 UTC 2019
+ Next Update: Tue Oct 09 20:08:22 UTC 2029
+ Certificate ID:
+ Hash Algorithm: SHA256
+ Issuer Name Hash: bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109
+ Issuer Key Hash: 208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12
+ Serial Number: 41
+ Certificate Status: good
+ This Update: Thu Oct 10 20:08:22 UTC 2019
+ Next Update: Tue Oct 09 20:08:22 UTC 2029
+ Extensions:
+ Signature Algorithm: RSA-SHA256
+
+-----BEGIN OCSP RESPONSE-----
+MIIC/AoBAKCCAvUwggLxBgkrBgEFBQcwAQEEggLiMIIC3jCCAcahLzAtMRQwEgYD
+VQQKEwtleGFtcGxlLmNvbTEVMBMGA1UEAxMMY2xpY2EgQ0EgcnNhGA8yMDE5MTAx
+MDIwMDgyMlowggGAMH4wVjANBglghkgBZQMEAgEFAAQgWvCC5R1i/gH9cGuuvrh4
+22Tmj3bnSjbzbZFCl93uJLgEIDM9sUNkuY54oz3YpPro2DeOqbD1+8qXslaFqg0y
+EWCRAgFlgAAYDzIwMTkxMDEwMjAwODIyWqARGA8yMDI5MTAwOTIwMDgyMlowfjBW
+MA0GCWCGSAFlAwQCAQUABCC/pydaVm79S+LfgtvZ0SkNRwGG9v8qzYwWZZ80KrVh
+CQQgII+dKMfAvJFBRN+owL49Wzv867YiyKjcJ+hl/AbKDhICAUKAABgPMjAxOTEw
+MTAyMDA4MjJaoBEYDzIwMjkxMDA5MjAwODIyWjB+MFYwDQYJYIZIAWUDBAIBBQAE
+IL+nJ1pWbv1L4t+C29nRKQ1HAYb2/yrNjBZlnzQqtWEJBCAgj50ox8C8kUFE36jA
+vj1bO/zrtiLIqNwn6GX8BsoOEgIBQYAAGA8yMDE5MTAxMDIwMDgyMlqgERgPMjAy
+OTEwMDkyMDA4MjJaMA0GCSqGSIb3DQEBCwUAA4IBAQBm8uLIawRny88oLSzr7sxj
+IgGjhC+S2OXWjAlTxErHoEsJ0JPKkQAt/s5YLy4IKiPbCg6CIm9KotgE4vnpMFjg
+297pSrdYKdtb2iBPKq5afB2Iv6ET78L/j2HhBFyJaxlt6lhI0Ly6JE75IbUrdP24
+c5uIh+KpJaC60bTZehgcRnrw9fR7HJ5W9ln9mbOZDggNQeM9hmFLUmQYPQWxav2x
+IjCYAZOfIp8ficETnLhuDuILsohFRnQnFAaf1YTgvW2zoKLMeLUWzMm8a6IoBpXQ
+0ecpPJs2FFiaYL78EcRNN47YbClcfDQRAjTvlSZupk59YuxedlwiH6uc7Cwa3RnN
+-----END OCSP RESPONSE-----
diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall
index 8efda889f..6998108b0 100755
--- a/test/aux-fixed/exim-ca/genall
+++ b/test/aux-fixed/exim-ca/genall
@@ -75,12 +75,6 @@ do
 ####
- # so, for full-chain OCSP we sill want an OCSP resp for the Signer cert and also (?) one for the
- # CA cert itself. The existing bits below only create for the leaf certs, next layer down.
- #
- # First test will be just adding OCSP for the Signer cert. Presumably we could use the CA cert
- # to sign that.
-
 # create OCSP reqs & resps
 CADIR=$idir/CA
@@ -160,11 +154,11 @@ EOF
 done
 # convert one good leaf-resp to PEM
- $server=server1
+ server=server1
 RESP=$idir/$server.$iname/$server.$iname.ocsp.signernocert.good.resp
 ocsptool -S $RESP -j > $RESP.pem
- # Then, ocsp request and responses for the signer cert
+ # Then, ocsp request and (valid, revoked) responses for the signer cert
 REQ=$CADIR/Signer.ocsp.req
 RESP=$CADIR/Signer.ocsp.signernocert.good.resp
 openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/Signer.pem -no_nonce -reqout $REQ
@@ -177,11 +171,18 @@ EOF
 -ndays 3652 -reqin $REQ -respout $RESP
 ocsptool -S $RESP -j > $RESP.pem
- # Then, ocsp request and response for the CA cert
- REQ=$CADIR/CA.ocsp.req
- RESP=$CADIR/CA.ocsp.signernocert.good.resp
- openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/CA.pem -no_nonce -reqout $REQ
- openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
+ # Finally, a full-chain all-good request and response
+ REQ=$idir/$server.$iname/fullchain.ocsp.req
+ leafcert=$idir/$server.$iname/$server.$iname.pem
+ signercert=$CADIR/Signer.pem
+ cacert=$CADIR/CA.pem
+ openssl ocsp -sha256 -no_nonce -reqout $REQ \
+ -issuer $signercert -cert $leafcert \
+ -issuer $cacert -cert $CADIR/Signer.pem -cert $CADIR/CA.pem
+
+ RESP=$idir/$server.$iname/fullchain.ocsp.resp
+ authorities=$idir/$server.$iname/ca_chain.pem
+ openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $authorities -resp_no_certs -noverify \
 -ndays 3652 -reqin $REQ -respout $RESP
 ocsptool -S $RESP -j > $RESP.pem
-- cgit v1.2.3
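Review bot: The full-chain request asks the root CA about itself (`-issuer $cacert -cert $CADIR/CA.pem`) and the whole response is then signed with that same root key (`-rsigner $CADIR/CA.pem -rkey $CADIR/CA.key`), so the `good` for the CA entry is a self-attestation, and the leaf entry, whose issuer is Signer, is vouched for by a key that is neither its issuer nor a responder delegated by it. A verifier following RFC 6960 accepts that only by explicitly trusting CA.pem as an OCSP signer, which presumably is what the consuming test relies on; that deserves a comment next to the responder call, e.g. `# one response signed by the CA key covers all three entries; the client must trust CA.pem as an OCSP signer for the Signer-issued leaf`. The `-cert` arguments repeat literal paths right after `signercert` and `cacert` are defined: `-issuer $cacert -cert $signercert -cert $cacert` keeps the issuer/cert pairs readable. Passing the chain file as `-CA $authorities` also relies on the responder accepting more than one certificate in that option; as far as I recall older openssl builds load only the first and would answer `unknown` for the leaf, so a comment noting the openssl version this fixture was generated with would save the next person a confusing status.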