tests: Move ocsp-resp-*-signed*.der generation into test case
There is no need to generate these OCSP responses for every single test session. Generate these more dynamically if a test case that uses these files is executed. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
b6bb4cd8c5
commit
d07ca835cb
2 changed files with 57 additions and 32 deletions
|
@ -155,26 +155,6 @@ if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
|
||||||
cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
|
cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
|
||||||
fi
|
fi
|
||||||
|
|
||||||
openssl ocsp -reqout $LOGDIR/ocsp-req.der -issuer $DIR/auth_serv/ca.pem \
|
|
||||||
-sha256 -serial 0xD8D3E3A6CBE3CD1F -no_nonce >> $LOGDIR/ocsp.log 2>&1
|
|
||||||
for i in "" "-unknown" "-revoked"; do
|
|
||||||
openssl ocsp -index $DIR/auth_serv/index$i.txt \
|
|
||||||
-rsigner $DIR/auth_serv/ca.pem \
|
|
||||||
-rkey $DIR/auth_serv/ca-key.pem \
|
|
||||||
-CA $DIR/auth_serv/ca.pem \
|
|
||||||
-ndays 7 \
|
|
||||||
-reqin $LOGDIR/ocsp-req.der \
|
|
||||||
-resp_no_certs \
|
|
||||||
-respout $LOGDIR/ocsp-resp-ca-signed$i.der >> $LOGDIR/ocsp.log 2>&1
|
|
||||||
done
|
|
||||||
openssl ocsp -index $DIR/auth_serv/index.txt \
|
|
||||||
-rsigner $DIR/auth_serv/server.pem \
|
|
||||||
-rkey $DIR/auth_serv/server.key \
|
|
||||||
-CA $DIR/auth_serv/ca.pem \
|
|
||||||
-ndays 7 \
|
|
||||||
-reqin $LOGDIR/ocsp-req.der \
|
|
||||||
-respout $LOGDIR/ocsp-resp-server-signed.der >> $LOGDIR/ocsp.log 2>&1
|
|
||||||
|
|
||||||
touch $LOGDIR/hostapd.db
|
touch $LOGDIR/hostapd.db
|
||||||
sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
|
sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
|
||||||
|
|
||||||
|
|
|
@ -4163,13 +4163,59 @@ def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
|
||||||
private_key_passwd="whatever", ocsp=2,
|
private_key_passwd="whatever", ocsp=2,
|
||||||
scan_freq="2412")
|
scan_freq="2412")
|
||||||
|
|
||||||
|
def ocsp_req(outfile):
|
||||||
|
if os.path.exists(outfile):
|
||||||
|
return
|
||||||
|
arg = ["openssl", "ocsp",
|
||||||
|
"-reqout", outfile,
|
||||||
|
'-issuer', 'auth_serv/ca.pem',
|
||||||
|
'-sha256',
|
||||||
|
'-serial', '0xD8D3E3A6CBE3CD1F',
|
||||||
|
'-no_nonce']
|
||||||
|
run_openssl(arg)
|
||||||
|
if not os.path.exists(outfile):
|
||||||
|
raise HwsimSkip("Failed to generate OCSP request")
|
||||||
|
|
||||||
|
def ocsp_resp_ca_signed(reqfile, outfile, status):
|
||||||
|
ocsp_req(reqfile)
|
||||||
|
if os.path.exists(outfile):
|
||||||
|
return
|
||||||
|
arg = ["openssl", "ocsp",
|
||||||
|
"-index", "auth_serv/index%s.txt" % status,
|
||||||
|
"-rsigner", "auth_serv/ca.pem",
|
||||||
|
"-rkey", "auth_serv/ca-key.pem",
|
||||||
|
"-CA", "auth_serv/ca.pem",
|
||||||
|
"-ndays", "7",
|
||||||
|
"-reqin", reqfile,
|
||||||
|
"-resp_no_certs",
|
||||||
|
"-respout", outfile]
|
||||||
|
run_openssl(arg)
|
||||||
|
if not os.path.exists(outfile):
|
||||||
|
raise HwsimSkip("No OCSP response available")
|
||||||
|
|
||||||
|
def ocsp_resp_server_signed(reqfile, outfile):
|
||||||
|
ocsp_req(reqfile)
|
||||||
|
if os.path.exists(outfile):
|
||||||
|
return
|
||||||
|
arg = ["openssl", "ocsp",
|
||||||
|
"-index", "auth_serv/index.txt",
|
||||||
|
"-rsigner", "auth_serv/server.pem",
|
||||||
|
"-rkey", "auth_serv/server.key",
|
||||||
|
"-CA", "auth_serv/ca.pem",
|
||||||
|
"-ndays", "7",
|
||||||
|
"-reqin", reqfile,
|
||||||
|
"-respout", outfile]
|
||||||
|
run_openssl(arg)
|
||||||
|
if not os.path.exists(outfile):
|
||||||
|
raise HwsimSkip("No OCSP response available")
|
||||||
|
|
||||||
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
|
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
|
||||||
"""EAP-TLS and CA signed OCSP response (good)"""
|
"""EAP-TLS and CA signed OCSP response (good)"""
|
||||||
check_ocsp_support(dev[0])
|
check_ocsp_support(dev[0])
|
||||||
check_pkcs12_support(dev[0])
|
check_pkcs12_support(dev[0])
|
||||||
|
req = os.path.join(params['logdir'], "ocsp-req.der")
|
||||||
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
|
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
|
||||||
if not os.path.exists(ocsp):
|
ocsp_resp_ca_signed(req, ocsp, "")
|
||||||
raise HwsimSkip("No OCSP response available")
|
|
||||||
params = int_eap_server_params()
|
params = int_eap_server_params()
|
||||||
params["ocsp_stapling_response"] = ocsp
|
params["ocsp_stapling_response"] = ocsp
|
||||||
hostapd.add_ap(apdev[0], params)
|
hostapd.add_ap(apdev[0], params)
|
||||||
|
@ -4183,9 +4229,9 @@ def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
|
||||||
"""EAP-TLS and CA signed OCSP response (revoked)"""
|
"""EAP-TLS and CA signed OCSP response (revoked)"""
|
||||||
check_ocsp_support(dev[0])
|
check_ocsp_support(dev[0])
|
||||||
check_pkcs12_support(dev[0])
|
check_pkcs12_support(dev[0])
|
||||||
|
req = os.path.join(params['logdir'], "ocsp-req.der")
|
||||||
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
|
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
|
||||||
if not os.path.exists(ocsp):
|
ocsp_resp_ca_signed(req, ocsp, "-revoked")
|
||||||
raise HwsimSkip("No OCSP response available")
|
|
||||||
params = int_eap_server_params()
|
params = int_eap_server_params()
|
||||||
params["ocsp_stapling_response"] = ocsp
|
params["ocsp_stapling_response"] = ocsp
|
||||||
hostapd.add_ap(apdev[0], params)
|
hostapd.add_ap(apdev[0], params)
|
||||||
|
@ -4215,9 +4261,9 @@ def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
|
||||||
"""EAP-TLS and CA signed OCSP response (unknown)"""
|
"""EAP-TLS and CA signed OCSP response (unknown)"""
|
||||||
check_ocsp_support(dev[0])
|
check_ocsp_support(dev[0])
|
||||||
check_pkcs12_support(dev[0])
|
check_pkcs12_support(dev[0])
|
||||||
|
req = os.path.join(params['logdir'], "ocsp-req.der")
|
||||||
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
|
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
|
||||||
if not os.path.exists(ocsp):
|
ocsp_resp_ca_signed(req, ocsp, "-unknown")
|
||||||
raise HwsimSkip("No OCSP response available")
|
|
||||||
params = int_eap_server_params()
|
params = int_eap_server_params()
|
||||||
params["ocsp_stapling_response"] = ocsp
|
params["ocsp_stapling_response"] = ocsp
|
||||||
hostapd.add_ap(apdev[0], params)
|
hostapd.add_ap(apdev[0], params)
|
||||||
|
@ -4245,9 +4291,9 @@ def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
|
||||||
"""EAP-TLS and server signed OCSP response"""
|
"""EAP-TLS and server signed OCSP response"""
|
||||||
check_ocsp_support(dev[0])
|
check_ocsp_support(dev[0])
|
||||||
check_pkcs12_support(dev[0])
|
check_pkcs12_support(dev[0])
|
||||||
|
req = os.path.join(params['logdir'], "ocsp-req.der")
|
||||||
ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
|
ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
|
||||||
if not os.path.exists(ocsp):
|
ocsp_resp_server_signed(req, ocsp)
|
||||||
raise HwsimSkip("No OCSP response available")
|
|
||||||
params = int_eap_server_params()
|
params = int_eap_server_params()
|
||||||
params["ocsp_stapling_response"] = ocsp
|
params["ocsp_stapling_response"] = ocsp
|
||||||
hostapd.add_ap(apdev[0], params)
|
hostapd.add_ap(apdev[0], params)
|
||||||
|
@ -4705,14 +4751,13 @@ def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
|
||||||
check_ocsp_multi_support(dev[0])
|
check_ocsp_multi_support(dev[0])
|
||||||
check_pkcs12_support(dev[0])
|
check_pkcs12_support(dev[0])
|
||||||
|
|
||||||
|
req = os.path.join(params['logdir'], "ocsp-req.der")
|
||||||
ocsp_revoked = os.path.join(params['logdir'],
|
ocsp_revoked = os.path.join(params['logdir'],
|
||||||
"ocsp-resp-ca-signed-revoked.der")
|
"ocsp-resp-ca-signed-revoked.der")
|
||||||
if not os.path.exists(ocsp_revoked):
|
|
||||||
raise HwsimSkip("No OCSP response (revoked) available")
|
|
||||||
ocsp_unknown = os.path.join(params['logdir'],
|
ocsp_unknown = os.path.join(params['logdir'],
|
||||||
"ocsp-resp-ca-signed-unknown.der")
|
"ocsp-resp-ca-signed-unknown.der")
|
||||||
if not os.path.exists(ocsp_unknown):
|
ocsp_resp_ca_signed(req, ocsp_revoked, "-revoked")
|
||||||
raise HwsimSkip("No OCSP response(unknown) available")
|
ocsp_resp_ca_signed(req, ocsp_unknown, "-unknown")
|
||||||
|
|
||||||
with open(ocsp_revoked, "rb") as f:
|
with open(ocsp_revoked, "rb") as f:
|
||||||
resp_revoked = f.read()
|
resp_revoked = f.read()
|
||||||
|
|
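Review bot: The three helpers added in the hunk at -4163 (`ocsp_req`, `ocsp_resp_ca_signed`, `ocsp_resp_server_signed`) accept any existing `outfile` as valid through `if os.path.exists(outfile): return`, whereas the removed shell code regenerated the request and responses unconditionally on every session. A zero-length or truncated file left by an interrupted openssl run, or a response older than the `-ndays 7` window if the log directory is ever reused, would then be stapled as-is. The revoked and unknown cases presumably expect the peer to reject the connection (their assertions are outside the visible hunks), so a malformed or expired response could make them pass for the wrong reason and hide a regression in OCSP status handling. Generating into a temporary name and publishing it only after the tool has finished would close the partial-file case: `tmp = outfile + ".tmp"`, pass `tmp` to `-reqout`/`-respout`, then `os.rename(tmp, outfile)` once `tmp` exists.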