Changeset ebbfb2b in mod_gnutls

Timestamp:

Apr 24, 2020, 2:08:26 PM (3 years ago)

Author:

Krista Karppinen <krista.celestia@…>

Branches:

asyncio, main, master, proxy-ticket

Children:

2089d49

Parents:

199acff

git-author:

Krista Karppinen <krista.celestia@…> (04/24/20 13:20:47)

git-committer:

Krista Karppinen <krista.celestia@…> (04/24/20 14:08:26)

Message:

OCSP nonce test (36): verify nonce match

Verify that the nonce got in the stapled OCSP response actually
matches the one sent in the request. Create a new module 'ocsp'
in mgstools to help with testing.

Location:

test

Files:

• mgstest/ocsp.py (added)
• tests/36_OCSP_server_nonce/hooks.py (modified) (2 diffs)

test/tests/36_OCSP_server_nonce/hooks.py

@@ +1 @@
+import base64
 import os
 import re
-import subprocess
-from mgstest import require_match
+from mgstest import require_match, TestExpectationFailed
+from mgstest.ocsp import OCSPRequest, OCSPResponse
+from pathlib import Path
 from unittest import SkipTest
 
+
+LOGFILE = Path('logs/36_OCSP_server_nonce.ocsp.error.log')
+LOGFILE_POSITION = 0
+
+
 def prepare_env():
-    if not 'OCSP_PORT' in os.environ:
+    if 'OCSP_PORT' not in os.environ:
         raise SkipTest('OCSP_PORT is not set, check if openssl is available.')
+
+    # Seek to the end of server log
+    if LOGFILE.exists():
+        global LOGFILE_POSITION
+        LOGFILE_POSITION = LOGFILE.stat().st_size
+
 
 def post_check(conn_log, response_log):
@@ -13 +26 @@
     print(require_match(re.compile(r'^- Options: .*OCSP status request,'),
                         conn_log).group(0))
+
+    print('Checking for outputs/36-ocsp.der:')
+    ocsp_response = OCSPResponse.parse_file('outputs/36-ocsp.der')
+    print(ocsp_response)
+
     print('Checking if the client got a nonce in the stapled response:')
-    print(require_match(
-            re.compile(r'^\s*Nonce: [0-9a-fA-F]{46}$'),
-            parse_ocsp_response('outputs/36-ocsp.der').split('\n')
-        ).group(0))
+    resp_nonce = ocsp_response.get_field('nonce').get_value()
+    print(resp_nonce)
 
-def parse_ocsp_response(der_filename):
-    command = ['ocsptool', '--response-info',
-               '--infile', der_filename]
-    return subprocess.check_output(command).decode()
+    print('Checking if the server log contains an OCSP request')
+    with LOGFILE.open() as log:
+        print(f'Seeking to position {LOGFILE_POSITION}')
+        log.seek(LOGFILE_POSITION)
+        ocsp_request = None
+
+        while ocsp_request is None:
+            log_match = require_match(
+                    re.compile(r"Received OCSP request: '([^']*)'"),
+                    log
+                )
+            test_request = OCSPRequest.parse_str(
+                            base64.b64decode(log_match.group(1)))
+            print(repr(test_request))
+            if ocsp_response.matches_request(test_request):
+                print("Request matches response")
+                ocsp_request = test_request
+            else:
+                print("Request doesn't match response")
+
+    print('Checking if the OCSP request has a nonce')
+    req_nonce = ocsp_request.get_field('nonce').get_value()
+    print(req_nonce)
+
+    print('Checking if the request and response nonces match')
+    if resp_nonce != req_nonce:
+        raise TestExpectationFailed('Nonce mismatch!')