Changeset 7cfc02b in mod_gnutls


Timestamp:
Jul 16, 2019, 1:24:18 PM (15 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
65c84e5
Parents:
f828974
Message:

Test suite: Add an OCSP responder for the sub CA

All CAs use the same server as their OCSP responders. The OCSP URI now
includes the CA identity so the server can select the correct CA when
generating the response.

Location:
test
Files:
1 added
4 edited

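--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -62,5 +62,5 @@
         rogueca rogueca/rogueclient
 if ENABLE_OCSP_TEST
-x509_only_identities += authority/ocsp-responder
+x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
 endif
 x509_identities = $(shared_identities) $(x509_only_identities)
@@ -103,4 +103,5 @@
         authority/server/template.in \
         authority/subca/template.in authority/subca/server/template.in \
+        authority/subca/ocsp-responder/template \
         rogueca/template rogueca/rogueclient/template.in
 generated_templates = authority/template authority/client/template \
@@ -163,10 +164,16 @@
 if ENABLE_OCSP_TEST
 # rules to build OCSP database
-check_DATA += authority/ocsp_index.txt
-MOSTLYCLEANFILES += authority/ocsp_index.txt authority/ocsp_index.txt.attr
-authority/ocsp_index.txt: $(x509_tokens) gen_ocsp_index authority/ocsp_index.txt.attr
-        ./gen_ocsp_index authority/server/x509.pem authority/client/x509.pem > $@
-
-authority/ocsp_index.txt.attr: authority/secret.key
+ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
+        authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
+check_DATA += $(ocsp_index_data)
+MOSTLYCLEANFILES += $(ocsp_index_data)
+
+# The "find" command builds a list of all certificates directly below
+# the CA that aren't for the ocsp-responder.
+%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
+        ./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@
+
+%/ocsp_index.txt.attr:
+        @mkdir -m 0700 -p $(dir $@)
         echo "unique_subject = no" > $@
 
@@ -178,5 +185,5 @@
         authority/subca/server/x509-chain.pem
 check_DATA += $(chain_tokens)
-MOSTLYCLEANFILES += $(chain_tokens)
+MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem
 endif
 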
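Review bot: The new `%/ocsp_index.txt.attr` rule has no prerequisites and creates its directory with `mkdir -m 0700 -p $(dir $@)`, where `-m` applies only to the last path component. If this rule runs before the CA directories exist (possible under `make -j`), `authority/` is created with the umask default instead of 0700 and later `mkdir -m 0700 -p` calls will not tighten it, so the directory holding the test CA key can end up more open than intended. The removed rule avoided this by depending on `authority/secret.key`; keeping that shape as `%/ocsp_index.txt.attr: %/secret.key` would restore the ordering, assuming every CA directory has a `secret.key` rule, which is not visible here. Separately, `%/ocsp_index.txt` redirects into `$@` from an unchecked `$$(find …)`, so a failed run leaves a truncated index that looks up to date unless `.DELETE_ON_ERROR` is set elsewhere.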
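--- a/test/ocsp_server.conf.in
+++ b/test/ocsp_server.conf.in
@@ -22,8 +22,15 @@
         RewriteEngine   On
         RewriteRule     ^/ocsp(.*)      /ocsp.cgi$1     [L]
+        # General rules for all OCSP handling
         <Location /ocsp/>
                 # Some clients seem to have trouble with chunked
                 # encoding, so force HTTP/1.0 for now.
                 SetEnv  downgrade-1.0
+                <If "-n osenv('OPENSSL')">
+                        # Pass OPENSSL variable to CGI script if set
+                        SetEnv  OPENSSL         ${OPENSSL}
+                </If>
+        </Location>
+        <Location /ocsp/authority/>
                 # certificates and key for ocsp.cgi
                 SetEnv  CA_CERT         ${PWD}/authority/x509.pem
@@ -31,8 +38,11 @@
                 SetEnv  OCSP_CERT       ${PWD}/authority/ocsp-responder/x509.pem
                 SetEnv  OCSP_KEY        ${PWD}/authority/ocsp-responder/secret.key
-                <If "-n osenv('OPENSSL')">
-                        # Pass OPENSSL variable to CGI script if set
-                        SetEnv  OPENSSL         ${OPENSSL}
-                </If>
+        </Location>
+        <Location /ocsp/authority/subca/>
+                # certificates and key for ocsp.cgi
+                SetEnv  CA_CERT         ${PWD}/authority/subca/x509.pem
+                SetEnv  OCSP_INDEX      ${PWD}/authority/subca/ocsp_index.txt
+                SetEnv  OCSP_CERT       ${PWD}/authority/subca/ocsp-responder/x509.pem
+                SetEnv  OCSP_KEY        ${PWD}/authority/subca/ocsp-responder/secret.key
         </Location>
         <Directory ${srcdir}/data>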
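Review bot: The `<Location /ocsp/authority/subca/>` block relies on being listed after `<Location /ocsp/authority/>`: a sub CA request matches both, and Apache merges Location sections in configuration order, so the later `SetEnv` values win. Reordering the two blocks would make the responder answer sub CA requests with the root CA's certificate and responder key without any configuration error. A comment above the second block would record that, e.g. `# Keep below /ocsp/authority/: both sections match sub CA requests and the later SetEnv wins.` As far as this section shows, a request under `/ocsp/` that matches neither CA block reaches the CGI with `CA_CERT`, `OCSP_CERT` and `OCSP_KEY` unset; how `ocsp.cgi` handles that is not visible here.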
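--- a/test/test_ca.mk
+++ b/test/test_ca.mk
@@ -10,5 +10,5 @@
         @mkdir -m 0700 -p $(@D)
         sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
-        sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)," $@
+        sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)$(dir $(*))," $@
         for i in $(patsubst [%],%,$(TEST_IP)); do \
                 IP_ADDRS="$${IP_ADDRS}\nip_address = $${i}"; \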
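Review bot: On the changed `sed` line, `$(dir $(*))` expands to `./` when the stem has no directory part, so a template directly below the test directory would get an OCSP URI ending in `./` rather than a CA path. Whether any such template contains `__OCSP_URI__` is not visible in this hunk, and the rule's header is outside it, so the stem shape is inferred from the paths in test/Makefile.am. The value is also pasted unescaped into a `s,…,…,` expression, so a `,` or `&` in `OCSP_URI_TEMPLATE` or the path would corrupt the substitution. A make comment above the rule, such as `# $(dir $*) is the issuing CA's directory and must match a <Location> block in ocsp_server.conf.in`, would make the coupling to the server config explicit.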
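--- a/test/tests/27_OCSP_server/apache.conf
+++ b/test/tests/27_OCSP_server/apache.conf
@@ -12,6 +12,6 @@
         #GnuTLSOCSPStapling     On
         GnuTLSOCSPCacheTimeout  60
-        GnuTLSCertificateFile   authority/server/x509-chain.pem
-        GnuTLSKeyFile           authority/server/secret.key
+        GnuTLSCertificateFile   authority/subca/server/x509-chain.pem
+        GnuTLSKeyFile           authority/subca/server/secret.key
         GnuTLSPriorities        NORMAL
 </VirtualHost>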