tests: Generate a fresh OCSP response for each test run

GnuTLS has a hardcoded three day limit on OCSP response age regardless of the next update value in the response. To make this work in the test scripts, try to generate a new response when starting the authentication server. The old mechanism of a response without next update value is used as a backup option if openssl is not available or fails to generate the response for some reason. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 20:17:51 +02:00 · 2015-01-11 20:17:51 +02:00 · 279a0afffb
commit 279a0afffb
parent 0ff7afbc42
7 changed files with 94 additions and 4 deletions
--- a/tests/hwsim/auth_serv/as.conf
+++ b/tests/hwsim/auth_serv/as.conf
@ -11,7 +11,7 @@ ctrl_interface_group=admin
 ca_cert=auth_serv/ca.pem
 server_cert=auth_serv/server.pem
 private_key=auth_serv/server.key
-ocsp_stapling_response=auth_serv/ocsp-server-cache.der
+ocsp_stapling_response=LOGDIR/ocsp-server-cache.der
 server_id=server.w1.fi
 eap_sim_db=unix:/tmp/hlr_auc_gw.sock
 dh_file=auth_serv/dh.conf
--- a/tests/hwsim/auth_serv/as2.conf
+++ b/tests/hwsim/auth_serv/as2.conf
@ -11,7 +11,7 @@ ctrl_interface_group=admin
 ca_cert=auth_serv/ca.pem
 server_cert=auth_serv/server.pem
 private_key=auth_serv/server.key
-ocsp_stapling_response=auth_serv/ocsp-server-cache.der
+ocsp_stapling_response=LOGDIR/ocsp-server-cache.der
 server_id=server2.w1.fi
 eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=LOGDIR/hostapd.db
 dh_file=auth_serv/dh.conf
--- a/tests/hwsim/auth_serv/index.txt
+++ b/tests/hwsim/auth_serv/index.txt
@ -0,0 +1,8 @@
+V	230627164122Z		D8D3E3A6CBE3CCC1	unknown	/C=FI/O=w1.fi/CN=Root CA
+V	150215075930Z		D8D3E3A6CBE3CCC9	unknown	/C=FI/O=w1.fi/CN=server3.w1.fi
+V	140102000000Z		D8D3E3A6CBE3CCCA	unknown	/C=FI/O=w1.fi/CN=server4.w1.fi
+V	150215083008Z		D8D3E3A6CBE3CCCB	unknown	/C=FI/O=w1.fi/CN=server5.w1.fi
+V	150228224144Z		D8D3E3A6CBE3CCCC	unknown	/C=FI/O=w1.fi/CN=server6.w1.fi
+V	160111185024Z		D8D3E3A6CBE3CCCD	unknown	/C=FI/O=w1.fi/CN=ocsp.w1.fi
+V	150929211122Z		D8D3E3A6CBE3CCD0	unknown	/C=FI/O=w1.fi/CN=server.w1.fi
+V	150929211300Z		D8D3E3A6CBE3CCD1	unknown	/C=FI/O=w1.fi/CN=Test User
--- a/tests/hwsim/auth_serv/ocsp-req.der
+++ b/tests/hwsim/auth_serv/ocsp-req.der
--- a/tests/hwsim/auth_serv/ocsp-responder.key
+++ b/tests/hwsim/auth_serv/ocsp-responder.key
@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALJeLx3nLPZsq7AW
+nvoSL7JMyCN7aAh2OIOX9T8FrF3ZganOdZKhvJbGyADuHtfw2orY58DXQsMlYufH
+YPqogkwbznOaq42z/j22fwH+WWRCdagEGActImQnufGvAbTtv6bqkXjRnDD1YTf/
+Rv4Fl9rdzL51+OdDNXDuUMW8DrDAgMBAAECgYAja1yD3aIqFQ5K21MaaX4bM/AS
+S7Eu7Prv9r72ktPVlxmOdLcYNRHUBwk0VhS94NAk/kmXG6fgRI5NZGQ3ojqtOXLV
+VhlcitYAfJvNpyKmFKgdGZQIxaaQr/F2X8tH5yFdIt+6mDOGptTb/S3ljQwNsg59
+7t/jYzSe5mK/Gbw4MQJBAN3sZqGz6ABygLTuTiXhE9sCXDSGy4d8ZWMaajuD7N6k
+sAGKsaiVozeIvg0JNiCMm02A8M/cWjGedDWFxrnvvF8CQQDNwagUpozfXMboibHI
+BNwpUzyri/5bqJ/dU7/sAOA1AZ9yoO5s2WlNutXkG3mDoQCzseG/pNxU403dU0jQ
+wpwdAkEAk5lbWUkSkNmXCL9GcqMUVaFoOfc8/suZkyRKa3L+48Wc2imop3t+przn
+yjvKKDPcRtvvThA8XKwKll53Ict0+QJBAKj7o09Sed/4EmRosdnUI/zMn8dD8mLU
+2narkbQCBCGEc69w/F/pLtLn30K4TdQNJsZuETmT7GDLTee3vtW0/wECQCtyVgw/
+aZ0QTac8ut1oG072qOA2cFGhEuDELlX8JcNy28ygmzn0KS8uiTsq6YVu8V7WCj4X
+EkAZMm19nY5ZE+A=
+-----END PRIVATE KEY-----
--- a/tests/hwsim/auth_serv/ocsp-responder.pem
+++ b/tests/hwsim/auth_serv/ocsp-responder.pem
@ -0,0 +1,54 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162829 (0xd8d3e3a6cbe3cccd)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Jan 11 18:50:24 2015 GMT
+            Not After : Jan 11 18:50:24 2016 GMT
+        Subject: C=FI, O=w1.fi, CN=ocsp.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:b2:5e:2f:1d:e7:2c:f6:6c:ab:b0:16:9e:fa:12:
+                    2f:b2:4c:c8:23:7b:68:08:76:38:83:97:f5:3f:05:
+                    ac:5d:d9:81:a9:ce:75:92:a1:bc:96:c6:c8:00:ee:
+                    1e:d7:f0:da:8a:d8:e7:c0:d7:42:c3:25:62:e7:c7:
+                    60:fa:a8:82:4c:1b:ce:73:9a:ab:8d:b3:fe:3d:b6:
+                    7f:01:fe:59:64:42:75:a8:04:18:07:2d:22:64:27:
+                    b9:f1:af:01:b4:ed:bf:a6:ea:91:78:d1:9c:30:f5:
+                    61:37:ff:f9:1b:f8:16:5f:6b:77:32:f9:d7:e3:9d:
+                    0c:d5:c3:b9:43:16:f0:3a:c3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                OCSP Signing
+    Signature Algorithm: sha256WithRSAEncryption
+         41:42:b6:70:4a:70:1f:ad:d9:25:f7:02:94:bd:91:b7:69:ad:
+         31:59:c6:2a:4e:5e:4a:ed:5d:c1:24:09:98:94:15:42:86:2c:
+         b2:9d:62:7a:e0:ec:60:39:47:93:c9:c7:61:01:b5:2c:00:53:
+         86:6e:66:99:ee:b3:57:5d:fb:83:6b:d3:77:26:0c:c7:2d:16:
+         ea:84:69:59:b7:a8:de:35:61:0b:7a:f3:62:1e:1a:94:91:c4:
+         bd:85:4a:63:10:09:11:88:75:c9:f5:57:84:9a:ef:d1:78:29:
+         5e:76:fc:33:76:84:b2:b5:f6:88:cc:fb:f9:cf:9f:b4:88:29:
+         3c:9d
+-----BEGIN CERTIFICATE-----
+MIICDjCCAXegAwIBAgIJANjT46bL48zNMA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTAx
+MTExODUwMjRaFw0xNjAxMTExODUwMjRaMDIxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
+DAV3MS5maTETMBEGA1UEAwwKb2NzcC53MS5maTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAsl4vHecs9myrsBae+hIvskzII3toCHY4g5f1PwWsXdmBqc51kqG8
+lsbIAO4e1/DaitjnwNdCwyVi58dg+qiCTBvOc5qrjbP+PbZ/Af5ZZEJ1qAQYBy0i
+ZCe58a8BtO2/puqReNGcMPVhN//5G/gWX2t3MvnX450M1cO5QxbwOsMCAwEAAaMv
+MC0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUHAwkw
+DQYJKoZIhvcNAQELBQADgYEAQUK2cEpwH63ZJfcClL2Rt2mtMVnGKk5eSu1dwSQJ
+mJQVQoYssp1ieuDsYDlHk8nHYQG1LABThm5mme6zV137g2vTdyYMxy0W6oRpWbeo
+3jVhC3rzYh4alJHEvYVKYxAJEYh1yfVXhJrv0XgpXnb8M3aEsrX2iMz7+c+ftIgp
+PJ0=
+-----END CERTIFICATE-----
--- a/tests/hwsim/start.sh
+++ b/tests/hwsim/start.sh
@ -65,8 +65,8 @@ for i in 0 1 2; do
    sed "s/ GROUP=.*$/ GROUP=$GROUP/" "$DIR/p2p$i.conf" > "$LOGDIR/p2p$i.conf"
 done

-sed "s/group=admin/group=$GROUP/" "$DIR/auth_serv/as.conf" > "$LOGDIR/as.conf"
-sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%" "$DIR/auth_serv/as2.conf" > "$LOGDIR/as2.conf"
+sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%g" "$DIR/auth_serv/as.conf" > "$LOGDIR/as.conf"
+sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%g" "$DIR/auth_serv/as2.conf" > "$LOGDIR/as2.conf"

 if [ "$1" = "valgrind" ]; then
    VALGRIND=y
@ -122,6 +122,18 @@ if [ -x $HLR_AUC_GW ]; then
    sudo $HLR_AUC_GW -u -m $LOGDIR/hlr_auc_gw.milenage_db -g $DIR/auth_serv/hlr_auc_gw.gsm > $LOGDIR/hlr_auc_gw &
 fi

+openssl ocsp -index $DIR/auth_serv/index.txt \
+    -rsigner $DIR/auth_serv/ocsp-responder.pem \
+    -rkey $DIR/auth_serv/ocsp-responder.key \
+    -CA $DIR/auth_serv/ca.pem \
+    -issuer $DIR/auth_serv/ca.pem \
+    -verify_other $DIR/auth_serv/ca.pem -trust_other \
+    -ndays 7 \
+    -reqin $DIR/auth_serv/ocsp-req.der \
+    -respout $LOGDIR/ocsp-server-cache.der > $LOGDIR/ocsp.log 2>&1
+if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
+    cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
+fi
 touch $LOGDIR/hostapd.db
 sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &