tests: Move ocsp-resp-*-signed*.der generation into test case

There is no need to generate these OCSP responses for every single test
session. Generate these more dynamically if a test case that uses these
files is executed.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-12-27 20:01:38 +02:00
parent b6bb4cd8c5
commit d07ca835cb
2 changed files with 57 additions and 32 deletions

View file

@ -155,26 +155,6 @@ if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
fi fi
openssl ocsp -reqout $LOGDIR/ocsp-req.der -issuer $DIR/auth_serv/ca.pem \
-sha256 -serial 0xD8D3E3A6CBE3CD1F -no_nonce >> $LOGDIR/ocsp.log 2>&1
for i in "" "-unknown" "-revoked"; do
openssl ocsp -index $DIR/auth_serv/index$i.txt \
-rsigner $DIR/auth_serv/ca.pem \
-rkey $DIR/auth_serv/ca-key.pem \
-CA $DIR/auth_serv/ca.pem \
-ndays 7 \
-reqin $LOGDIR/ocsp-req.der \
-resp_no_certs \
-respout $LOGDIR/ocsp-resp-ca-signed$i.der >> $LOGDIR/ocsp.log 2>&1
done
openssl ocsp -index $DIR/auth_serv/index.txt \
-rsigner $DIR/auth_serv/server.pem \
-rkey $DIR/auth_serv/server.key \
-CA $DIR/auth_serv/ca.pem \
-ndays 7 \
-reqin $LOGDIR/ocsp-req.der \
-respout $LOGDIR/ocsp-resp-server-signed.der >> $LOGDIR/ocsp.log 2>&1
touch $LOGDIR/hostapd.db touch $LOGDIR/hostapd.db
sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv & sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &

View file

@ -4163,13 +4163,59 @@ def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
private_key_passwd="whatever", ocsp=2, private_key_passwd="whatever", ocsp=2,
scan_freq="2412") scan_freq="2412")
def ocsp_req(outfile):
if os.path.exists(outfile):
return
arg = ["openssl", "ocsp",
"-reqout", outfile,
'-issuer', 'auth_serv/ca.pem',
'-sha256',
'-serial', '0xD8D3E3A6CBE3CD1F',
'-no_nonce']
run_openssl(arg)
if not os.path.exists(outfile):
raise HwsimSkip("Failed to generate OCSP request")
def ocsp_resp_ca_signed(reqfile, outfile, status):
ocsp_req(reqfile)
if os.path.exists(outfile):
return
arg = ["openssl", "ocsp",
"-index", "auth_serv/index%s.txt" % status,
"-rsigner", "auth_serv/ca.pem",
"-rkey", "auth_serv/ca-key.pem",
"-CA", "auth_serv/ca.pem",
"-ndays", "7",
"-reqin", reqfile,
"-resp_no_certs",
"-respout", outfile]
run_openssl(arg)
if not os.path.exists(outfile):
raise HwsimSkip("No OCSP response available")
def ocsp_resp_server_signed(reqfile, outfile):
ocsp_req(reqfile)
if os.path.exists(outfile):
return
arg = ["openssl", "ocsp",
"-index", "auth_serv/index.txt",
"-rsigner", "auth_serv/server.pem",
"-rkey", "auth_serv/server.key",
"-CA", "auth_serv/ca.pem",
"-ndays", "7",
"-reqin", reqfile,
"-respout", outfile]
run_openssl(arg)
if not os.path.exists(outfile):
raise HwsimSkip("No OCSP response available")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params): def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
"""EAP-TLS and CA signed OCSP response (good)""" """EAP-TLS and CA signed OCSP response (good)"""
check_ocsp_support(dev[0]) check_ocsp_support(dev[0])
check_pkcs12_support(dev[0]) check_pkcs12_support(dev[0])
req = os.path.join(params['logdir'], "ocsp-req.der")
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der") ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
if not os.path.exists(ocsp): ocsp_resp_ca_signed(req, ocsp, "")
raise HwsimSkip("No OCSP response available")
params = int_eap_server_params() params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0], params) hostapd.add_ap(apdev[0], params)
@ -4183,9 +4229,9 @@ def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
"""EAP-TLS and CA signed OCSP response (revoked)""" """EAP-TLS and CA signed OCSP response (revoked)"""
check_ocsp_support(dev[0]) check_ocsp_support(dev[0])
check_pkcs12_support(dev[0]) check_pkcs12_support(dev[0])
req = os.path.join(params['logdir'], "ocsp-req.der")
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der") ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
if not os.path.exists(ocsp): ocsp_resp_ca_signed(req, ocsp, "-revoked")
raise HwsimSkip("No OCSP response available")
params = int_eap_server_params() params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0], params) hostapd.add_ap(apdev[0], params)
@ -4215,9 +4261,9 @@ def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
"""EAP-TLS and CA signed OCSP response (unknown)""" """EAP-TLS and CA signed OCSP response (unknown)"""
check_ocsp_support(dev[0]) check_ocsp_support(dev[0])
check_pkcs12_support(dev[0]) check_pkcs12_support(dev[0])
req = os.path.join(params['logdir'], "ocsp-req.der")
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der") ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
if not os.path.exists(ocsp): ocsp_resp_ca_signed(req, ocsp, "-unknown")
raise HwsimSkip("No OCSP response available")
params = int_eap_server_params() params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0], params) hostapd.add_ap(apdev[0], params)
@ -4245,9 +4291,9 @@ def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
"""EAP-TLS and server signed OCSP response""" """EAP-TLS and server signed OCSP response"""
check_ocsp_support(dev[0]) check_ocsp_support(dev[0])
check_pkcs12_support(dev[0]) check_pkcs12_support(dev[0])
req = os.path.join(params['logdir'], "ocsp-req.der")
ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der") ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
if not os.path.exists(ocsp): ocsp_resp_server_signed(req, ocsp)
raise HwsimSkip("No OCSP response available")
params = int_eap_server_params() params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0], params) hostapd.add_ap(apdev[0], params)
@ -4705,14 +4751,13 @@ def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
check_ocsp_multi_support(dev[0]) check_ocsp_multi_support(dev[0])
check_pkcs12_support(dev[0]) check_pkcs12_support(dev[0])
req = os.path.join(params['logdir'], "ocsp-req.der")
ocsp_revoked = os.path.join(params['logdir'], ocsp_revoked = os.path.join(params['logdir'],
"ocsp-resp-ca-signed-revoked.der") "ocsp-resp-ca-signed-revoked.der")
if not os.path.exists(ocsp_revoked):
raise HwsimSkip("No OCSP response (revoked) available")
ocsp_unknown = os.path.join(params['logdir'], ocsp_unknown = os.path.join(params['logdir'],
"ocsp-resp-ca-signed-unknown.der") "ocsp-resp-ca-signed-unknown.der")
if not os.path.exists(ocsp_unknown): ocsp_resp_ca_signed(req, ocsp_revoked, "-revoked")
raise HwsimSkip("No OCSP response(unknown) available") ocsp_resp_ca_signed(req, ocsp_unknown, "-unknown")
with open(ocsp_revoked, "rb") as f: with open(ocsp_revoked, "rb") as f:
resp_revoked = f.read() resp_revoked = f.read()