Changeset ebbfb2b in mod_gnutls


Ignore:
Timestamp:
Apr 24, 2020, 2:08:26 PM (2 months ago)
Author:
Krista Karppinen <krista.celestia@…>
Branches:
master, proxy-ticket
Children:
2089d49
Parents:
199acff
git-author:
Krista Karppinen <krista.celestia@…> (04/24/20 13:20:47)
git-committer:
Krista Karppinen <krista.celestia@…> (04/24/20 14:08:26)
Message:

OCSP nonce test (36): verify nonce match

Verify that the nonce got in the stapled OCSP response actually
matches the one sent in the request. Create a new module 'ocsp'
in mgstools to help with testing.

Location:
test
Files:
1 added
1 edited

Legend:

Unmodified
Added
Removed
  • test/tests/36_OCSP_server_nonce/hooks.py

    r199acff rebbfb2b  
     1import base64
    12import os
    23import re
    3 import subprocess
    4 from mgstest import require_match
     4from mgstest import require_match, TestExpectationFailed
     5from mgstest.ocsp import OCSPRequest, OCSPResponse
     6from pathlib import Path
    57from unittest import SkipTest
    68
     9
     10LOGFILE = Path('logs/36_OCSP_server_nonce.ocsp.error.log')
     11LOGFILE_POSITION = 0
     12
     13
    714def prepare_env():
    8     if not 'OCSP_PORT' in os.environ:
     15    if 'OCSP_PORT' not in os.environ:
    916        raise SkipTest('OCSP_PORT is not set, check if openssl is available.')
     17
     18    # Seek to the end of server log
     19    if LOGFILE.exists():
     20        global LOGFILE_POSITION
     21        LOGFILE_POSITION = LOGFILE.stat().st_size
     22
    1023
    1124def post_check(conn_log, response_log):
     
    1326    print(require_match(re.compile(r'^- Options: .*OCSP status request,'),
    1427                        conn_log).group(0))
     28
     29    print('Checking for outputs/36-ocsp.der:')
     30    ocsp_response = OCSPResponse.parse_file('outputs/36-ocsp.der')
     31    print(ocsp_response)
     32
    1533    print('Checking if the client got a nonce in the stapled response:')
    16     print(require_match(
    17             re.compile(r'^\s*Nonce: [0-9a-fA-F]{46}$'),
    18             parse_ocsp_response('outputs/36-ocsp.der').split('\n')
    19         ).group(0))
     34    resp_nonce = ocsp_response.get_field('nonce').get_value()
     35    print(resp_nonce)
    2036
    21 def parse_ocsp_response(der_filename):
    22     command = ['ocsptool', '--response-info',
    23                '--infile', der_filename]
    24     return subprocess.check_output(command).decode()
     37    print('Checking if the server log contains an OCSP request')
     38    with LOGFILE.open() as log:
     39        print(f'Seeking to position {LOGFILE_POSITION}')
     40        log.seek(LOGFILE_POSITION)
     41        ocsp_request = None
     42
     43        while ocsp_request is None:
     44            log_match = require_match(
     45                    re.compile(r"Received OCSP request: '([^']*)'"),
     46                    log
     47                )
     48            test_request = OCSPRequest.parse_str(
     49                            base64.b64decode(log_match.group(1)))
     50            print(repr(test_request))
     51            if ocsp_response.matches_request(test_request):
     52                print("Request matches response")
     53                ocsp_request = test_request
     54            else:
     55                print("Request doesn't match response")
     56
     57    print('Checking if the OCSP request has a nonce')
     58    req_nonce = ocsp_request.get_field('nonce').get_value()
     59    print(req_nonce)
     60
     61    print('Checking if the request and response nonces match')
     62    if resp_nonce != req_nonce:
     63        raise TestExpectationFailed('Nonce mismatch!')
Note: See TracChangeset for help on using the changeset viewer.