[glib-networking/pgriffis/ocsp-must-staple-test: 1/2] tests: Add OCSP MustStaple test




commit 5287fefb693701021110c62803e5dab0ee069033
Author: Patrick Griffis <pgriffis igalia com>
Date:   Sat Jul 31 13:09:57 2021 -0500

    tests: Add OCSP MustStaple test

 tls/tests/connection.c          | 54 +++++++++++++++++++++++++++++++++++++++++
 tls/tests/files/create-files.sh | 21 ++++++++++++++++
 2 files changed, 75 insertions(+)
---
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index f63aa9a1..9ba8a998 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -2971,6 +2971,58 @@ test_tls_info (TestConnection *test,
   g_free (ciphersuite_name);
 }
 
+static void
+test_connection_oscp_must_staple (TestConnection *test,
+                                  gconstpointer   data)
+{
+  GSocketClient *client;
+  GIOStream *connection;
+  GError *error = NULL;
+
+#ifdef BACKEND_IS_OPENSSL
+  g_test_skip ("OCSP Must-Staple is not supported with the openssl backend");
+  return;
+#endif
+
+  test->database = g_tls_file_database_new (tls_test_file_path ("ca-ocsp.pem"), &error);
+  g_assert_no_error (error);
+  g_assert_nonnull (test->database);
+
+  test->server_certificate = g_tls_certificate_new_from_file (tls_test_file_path 
("server-ocsp-missing-and-key.pem"), &error);
+  g_assert_no_error (error);
+  start_async_server_service (test, G_TLS_AUTHENTICATION_NONE, WRITE_THEN_WAIT);
+
+  client = g_socket_client_new ();
+  connection = G_IO_STREAM (g_socket_client_connect (client, G_SOCKET_CONNECTABLE (test->address),
+                                                     NULL, &error));
+  g_assert_no_error (error);
+  g_object_unref (client);
+
+  test->client_connection = g_tls_client_connection_new (connection, test->identity, &error);
+  g_assert_no_error (error);
+  g_assert_nonnull (test->client_connection);
+  g_object_unref (connection);
+
+  g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database);
+
+  g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection),
+                                                G_TLS_CERTIFICATE_VALIDATE_ALL);
+
+  read_test_data_async (test);
+  g_main_loop_run (test->loop);
+
+  close_server_connection (test);
+  wait_until_server_finished (test);
+
+  /* The CA certificate states it supports status_request but our server does not
+   * actually set or support that.
+   * To be secure this must error as a bad certificate. */
+  g_assert_error (test->read_error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE);
+
+  g_clear_error (&test->read_error);
+  g_clear_error (&test->server_error);
+}
+
 int
 main (int   argc,
       char *argv[])
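Review bot: The new function name `test_connection_oscp_must_staple` and the test path `"/tls/" BACKEND "/connection/oscp/must-staple"` spell the acronym "oscp" rather than "ocsp", so neither matches the naming used elsewhere in this commit (`ca-ocsp.pem`, `server-ocsp-missing-and-key.pem`); the same typo is in the two `g_test_add` lines of the second hunk of this file. Rename both to `test_connection_ocsp_must_staple` and `/connection/ocsp/must-staple`. The comment before the final assertion says the CA certificate "states it supports status_request", which understates what the extension means: the tlsfeature (must-staple) extension asserts that the feature is required, so `/* The CA certificate carries the tlsfeature (must-staple) extension requiring status_request, but our server never staples an OCSP response, so validation must fail with BAD_CERTIFICATE. */` reads more accurately. Only the failing case is exercised here; unless the 2/2 patch covers it, a companion test in which the server does staple a response would guard against a regression that rejects everything issued under `ca-ocsp.pem`.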
@@ -3103,6 +3155,8 @@ main (int   argc,
               setup_connection, test_connection_binding_match_tls_exporter, teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/tls-info", TestConnection, NULL,
               setup_connection, test_tls_info, teardown_connection);
+  g_test_add ("/tls/" BACKEND "/connection/oscp/must-staple", TestConnection, NULL,
+              setup_connection, test_connection_oscp_must_staple, teardown_connection);
 
   ret = g_test_run ();
 
diff --git a/tls/tests/files/create-files.sh b/tls/tests/files/create-files.sh
index 4724ace3..b699e7c8 100755
--- a/tls/tests/files/create-files.sh
+++ b/tls/tests/files/create-files.sh
@@ -39,6 +39,13 @@ openssl genrsa -out ca-key.pem 2048
 msg "Creating CA certificate"
 openssl req -x509 -new -config ssl/ca.conf -days 10950 -key ca-key.pem -out ca.pem
 
+#######################################################################
+### New Root CA with OCSP MustStaple
+#######################################################################
+
+msg "Creating CA (OCSP) certificate"
+openssl req -x509 -new -config ssl/ca.conf -addext tlsfeature=status_request -days 10950 -key ca-key.pem 
-out ca-ocsp.pem
+
 #######################################################################
 ### New Root CA, issued by Obsolete/Untrusted Root CA
 #######################################################################
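Review bot: `ca-ocsp.pem` is signed with the same `ca-key.pem` and the same `ssl/ca.conf` subject as `ca.pem` on the line above, so the two roots differ only in the added `tlsfeature=status_request` extension and any certificate issued with `ca-key.pem` chains to either of them; nothing in the hunk says this is intended. A comment above the command would make that dependency explicit, e.g. `# Same key and subject as ca.pem; only the must-staple extension differs, so a test that wants must-staple enforced must load ca-ocsp.pem alone as its database.` The `-addext` option also requires a fairly recent OpenSSL (1.1.1 or later, as far as I recall), which the visible parts of the script did not need before; a note in the header block would save the next person a confusing failure on an older toolchain.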
@@ -80,6 +87,20 @@ msg "Converting server private key to PKCS #8"
 openssl pkcs8 -topk8 -in server-key.pem -outform PEM -nocrypt -out server-key-pkcs8.pem
 openssl pkcs8 -topk8 -in server-key.pem -outform DER -nocrypt -out server-key-pkcs8.der
 
+#######################################################################
+### Server (OCSP Missing)
+#######################################################################
+
+msg "Creating server (OCSP Missing) certificate request"
+openssl req -config ssl/server.conf -key server-key.pem -new -out server-ocsp-missing-csr.pem
+
+msg "Creating server (OCSP Missing) certificate"
+openssl x509 -req -in server-ocsp-missing-csr.pem -days 9125 -CA ca-ocsp.pem -CAkey ca-key.pem -CAserial 
serial -extfile ssl/server.conf -extensions v3_req_ext -out server-ocsp-missing.pem
+
+msg "Concatenating server (OCSP Missing) certificate and private key into a single file"
+cat server-ocsp-missing.pem > server-ocsp-missing-and-key.pem
+cat server-key.pem >> server-ocsp-missing-and-key.pem
+
 #######################################################################
 ### Server (self-signed)
 #######################################################################
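Review bot: The two `cat` lines that build `server-ocsp-missing-and-key.pem` can be one command, `cat server-ocsp-missing.pem server-key.pem > server-ocsp-missing-and-key.pem`, which avoids the truncate-then-append pair and cannot leave a half-written file if the second step fails. The section header says "OCSP Missing", but the leaf is issued with `-extensions v3_req_ext` from `ssl/server.conf`, so whether it carries a tlsfeature extension of its own depends on that config, which is not in the hunk; a short comment stating that the must-staple requirement comes from the issuing `ca-ocsp.pem` and that this certificate is expected to be rejected because the test server never staples a response would tell a reader why the fixture exists. The private key is shared with the plain server certificate, which is fine for fixtures but worth a comment so nobody later assumes the two leaves have distinct keys.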

