From 2a77c62c18261c50805dd1e1983dc28391a09a1d Mon Sep 17 00:00:00 2001 From: Remi Tricot-Le Breton Date: Thu, 10 Jun 2021 13:51:16 +0200 Subject: [PATCH] REGTESTS: ssl: Add "show ssl ocsp-response" test This file adds tests for the new "show ssl ocsp-response" command and the new "show ssl cert foo.pem.ocsp" and "show ssl cert *foo.pem.ocsp" special cases. They are all used to display information about an OCSP response, committed or not. --- reg-tests/ssl/show_ocsp_server.pem | 119 ++++++++++++++++ reg-tests/ssl/show_ocsp_server.pem.issuer | 30 ++++ reg-tests/ssl/show_ocsp_server.pem.ocsp | Bin 0 -> 2281 bytes .../ssl/show_ocsp_server.pem.ocsp.revoked | Bin 0 -> 2298 bytes reg-tests/ssl/show_ssl_ocspresponse.vtc | 133 ++++++++++++++++++ 5 files changed, 282 insertions(+) create mode 100644 reg-tests/ssl/show_ocsp_server.pem create mode 100644 reg-tests/ssl/show_ocsp_server.pem.issuer create mode 100644 reg-tests/ssl/show_ocsp_server.pem.ocsp create mode 100644 reg-tests/ssl/show_ocsp_server.pem.ocsp.revoked create mode 100644 reg-tests/ssl/show_ssl_ocspresponse.vtc diff --git a/reg-tests/ssl/show_ocsp_server.pem b/reg-tests/ssl/show_ocsp_server.pem new file mode 100644 index 000000000..a65235901 --- /dev/null +++ b/reg-tests/ssl/show_ocsp_server.pem @@ -0,0 +1,119 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4111 (0x100f) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=FR, O=HAProxy Technologies, CN=Root CA + Validity + Not Before: Jun 10 08:54:19 2021 GMT + Not After : Oct 26 08:54:19 2048 GMT + Subject: C=FR, O=HAProxy Technologies, CN=Server Certificate + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:e9:88:7e:5e:ec:81:d0:f7:2b:9b:c9:5d:81:ea: + 9c:ff:61:2f:4b:a2:ad:08:4d:44:7c:65:fa:ab:3a: + f2:be:63:ac:34:5c:c4:05:35:be:d4:79:af:a5:fc: + 9e:92:10:75:b1:4d:70:d6:82:a3:7e:7e:b0:e6:2c: + ba:ec:1b:e9:7f:55:f3:98:6e:d5:b2:00:37:05:76: + df:28:be:3e:89:52:ec:47:58:45:7a:dd:7d:89:ae: + 7f:43:d6:a5:ce:f6:8d:8d:32:fe:33:dc:16:15:01: + 82:23:d1:77:12:75:a2:e2:2a:08:eb:cd:32:1e:5b: + 54:12:68:83:21:3a:6e:07:f5:99:f4:e7:79:eb:f7: + d0:d9:71:f2:1d:79:08:a2:63:df:ab:59:f3:ac:33: + 18:d6:0a:9c:48:0b:9a:b0:ae:79:7b:8e:5a:1d:d2: + fc:5c:6c:a5:d5:61:88:e8:50:c2:0f:f2:5b:0d:0c: + 82:18:c8:a1:98:19:8a:fc:28:c6:27:e7:94:de:3d: + 13:44:16:12:9e:e1:a8:b0:17:a1:4d:14:84:3e:44: + bc:76:5d:cd:4e:67:9c:e6:69:0b:5a:fe:cf:08:bb: + 6d:0b:be:d6:8e:5d:c6:fc:53:e2:ab:34:28:2f:ef: + 03:5a:c4:ad:b7:e8:4e:1c:89:67:78:f5:a4:41:fd: + 80:f3 + Exponent: 65537 (0x10001) + X509v3 extensions: + Authority Information Access: + OCSP - URI:http://ocsp.haproxy.com + + Signature Algorithm: sha256WithRSAEncryption + 14:c3:1a:2c:37:d4:91:74:10:be:eb:f3:1e:f3:da:cf:ed:0d: + b1:37:8e:e8:0c:44:cb:28:ce:4b:5c:ed:02:35:13:55:e1:34: + 93:aa:7d:91:fa:4c:a7:31:09:6a:23:b7:0a:d3:37:70:dd:48: + 9c:b6:af:31:d7:28:c1:cf:7d:44:f0:d5:ac:58:56:74:40:48: + a6:21:85:ea:bf:38:52:fc:8e:16:7c:4d:79:d3:b4:18:11:90: + 95:a7:f4:b6:5f:91:dc:3e:bd:e7:58:96:ff:c2:d2:59:20:ed: + 4e:de:e5:92:c9:a6:5a:37:a1:fd:00:cb:13:51:ef:ce:98:c8: + 01:b5:a1:9a:74:63:a0:da:dc:39:1e:08:8b:60:04:7f:96:c8: + 02:cd:cc:dc:04:a4:4c:84:8f:a1:30:49:99:e1:6c:0c:39:65: + 2c:03:f8:60:46:cb:28:42:6a:c4:b0:bb:7f:be:67:de:1e:55: + 10:2a:55:1f:58:d4:fc:b0:74:9e:11:95:0b:c0:cc:f6:fc:6d: + ce:25:17:48:dc:30:5e:b3:29:44:10:11:2d:47:2d:06:81:21: + 51:55:4a:4d:72:79:49:ad:29:77:64:92:e7:4e:c9:4f:4c:25: + 4d:24:3c:49:07:af:53:74:b5:14:05:e2:f2:fc:ba:d7:a0:db: + e4:e4:38:74:fe:f0:34:98:78:f4:2c:68:2d:a6:1e:2d:16:d6: + 2b:1d:95:3c:ac:9d:16:6a:7e:d4:cd:0c:94:2b:f4:94:1c:ef: + 3b:23:13:78:14:ea:ea:2f:08:f4:ed:21:3d:50:77:4b:50:fe: + db:47:19:d1:36:92:7d:7e:e3:18:40:1d:65:0e:fe:95:4f:54: + 60:15:16:57:72:06:93:03:ee:8c:89:4e:7b:0b:13:a5:ef:52: + c9:53:8d:77:b4:7f:11:f8:03:f1:ce:a0:f8:33:06:89:44:7b: + f7:14:4a:51:ba:0e:35:88:ea:69:44:bd:3f:76:78:23:86:79: + 13:00:40:1a:d0:69:42:41:72:e6:81:a7:b2:11:25:37:73:15: + 89:a7:36:5d:75:3c:e9:1b:dc:ea:8c:98:6e:24:f9:98:e1:62: + d6:12:34:a4:c1:bc:08:fd:4d:86:8e:43:a9:9a:36:26:ba:f5: + ab:13:9c:08:09:8d:bf:13:84:a0:5f:52:78:fc:1d:11:0c:d6: + e1:a3:0c:ce:4d:21:79:90:2a:bb:04:03:d9:76:71:81:36:2a: + 1c:56:79:e7:32:03:d8:41:cc:73:e5:6e:45:4e:2d:c9:b0:cc: + 70:6b:47:93:6b:00:d0:6d:94:5f:db:e1:d5:dd:73:11:9f:b7: + c1:75:50:43:17:b5:e6:51 +-----BEGIN CERTIFICATE----- +MIIEOjCCAiKgAwIBAgICEA8wDQYJKoZIhvcNAQELBQAwPjELMAkGA1UEBhMCRlIx +HTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVzMRAwDgYDVQQDDAdSb290IENB +MB4XDTIxMDYxMDA4NTQxOVoXDTQ4MTAyNjA4NTQxOVowSTELMAkGA1UEBhMCRlIx +HTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVzMRswGQYDVQQDDBJTZXJ2ZXIg +Q2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpiH5e +7IHQ9yubyV2B6pz/YS9Loq0ITUR8ZfqrOvK+Y6w0XMQFNb7Uea+l/J6SEHWxTXDW +gqN+frDmLLrsG+l/VfOYbtWyADcFdt8ovj6JUuxHWEV63X2Jrn9D1qXO9o2NMv4z +3BYVAYIj0XcSdaLiKgjrzTIeW1QSaIMhOm4H9Zn053nr99DZcfIdeQiiY9+rWfOs +MxjWCpxIC5qwrnl7jlod0vxcbKXVYYjoUMIP8lsNDIIYyKGYGYr8KMYn55TePRNE +FhKe4aiwF6FNFIQ+RLx2Xc1OZ5zmaQta/s8Iu20LvtaOXcb8U+KrNCgv7wNaxK23 +6E4ciWd49aRB/YDzAgMBAAGjNzA1MDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcw +AYYXaHR0cDovL29jc3AuaGFwcm94eS5jb20wDQYJKoZIhvcNAQELBQADggIBABTD +Giw31JF0EL7r8x7z2s/tDbE3jugMRMsozktc7QI1E1XhNJOqfZH6TKcxCWojtwrT +N3DdSJy2rzHXKMHPfUTw1axYVnRASKYhheq/OFL8jhZ8TXnTtBgRkJWn9LZfkdw+ +vedYlv/C0lkg7U7e5ZLJplo3of0AyxNR786YyAG1oZp0Y6Da3DkeCItgBH+WyALN +zNwEpEyEj6EwSZnhbAw5ZSwD+GBGyyhCasSwu3++Z94eVRAqVR9Y1PywdJ4RlQvA +zPb8bc4lF0jcMF6zKUQQES1HLQaBIVFVSk1yeUmtKXdkkudOyU9MJU0kPEkHr1N0 +tRQF4vL8uteg2+TkOHT+8DSYePQsaC2mHi0W1isdlTysnRZqftTNDJQr9JQc7zsj +E3gU6uovCPTtIT1Qd0tQ/ttHGdE2kn1+4xhAHWUO/pVPVGAVFldyBpMD7oyJTnsL +E6XvUslTjXe0fxH4A/HOoPgzBolEe/cUSlG6DjWI6mlEvT92eCOGeRMAQBrQaUJB +cuaBp7IRJTdzFYmnNl11POkb3OqMmG4k+ZjhYtYSNKTBvAj9TYaOQ6maNia69asT +nAgJjb8ThKBfUnj8HREM1uGjDM5NIXmQKrsEA9l2cYE2KhxWeecyA9hBzHPlbkVO +LcmwzHBrR5NrANBtlF/b4dXdcxGft8F1UEMXteZR +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA6Yh+XuyB0Pcrm8ldgeqc/2EvS6KtCE1EfGX6qzryvmOsNFzE +BTW+1HmvpfyekhB1sU1w1oKjfn6w5iy67Bvpf1XzmG7VsgA3BXbfKL4+iVLsR1hF +et19ia5/Q9alzvaNjTL+M9wWFQGCI9F3EnWi4ioI680yHltUEmiDITpuB/WZ9Od5 +6/fQ2XHyHXkIomPfq1nzrDMY1gqcSAuasK55e45aHdL8XGyl1WGI6FDCD/JbDQyC +GMihmBmK/CjGJ+eU3j0TRBYSnuGosBehTRSEPkS8dl3NTmec5mkLWv7PCLttC77W +jl3G/FPiqzQoL+8DWsStt+hOHIlnePWkQf2A8wIDAQABAoIBAQDktypU2zrUpo6O +F6u9xkIWl17Tq7HddJdDYjkbJDODJWkNK2FLXPTVcYwGe5/tm7M4f4iofe+Tvo6Q +D3TOMxP/AvX872fY2f8JGf+7Dn9+zLjdsuTxTSVbB4xaq0lepffCNxPhRIZX8k87 +tzTv3kg1SkfMcP3J31Y6ZSMwEuKaZR9bkIT2MlLw89Qrg/o1Z1Yuu4CoJhgJ9x4Q +smJmu6uu152i0tqQDK76nHfTgK6GTyHQpP/njXZ3gD/4vTOKsZPoXEtM9gq1Ihqm +c7Pcy71q9nOBWfG3KUVhIlOahyVPewAFG7vNsPWVE0mN3FhCIEUPPLNnvAydSPaV +vbwohs4BAoGBAPqXF6cTKWIfHTn4TrcOcKslKEzVSgJabZeYw1kTRsSLCsvV3ojx +txW4A8FM+EVwX+K6FmpAxN9aKERVv1Ez3xvjmZf6czgREd8F2X2j6SwkcSwVZaxz +FCl81jz6r/9CGP6Wbq0uVKGhEdNYddhc3RvR8oWwnMEgwIkOvfnpCevzAoGBAO6T +IljTIzsZmLLFdhvS49C4bQ71vQbEnybqHENZcPdjrgbwRDLjQ4ZEGLm/O1zmKVZh +C5rRqd/fWVtzMPmZJr0aNeVN3dYob/1SS6ixu/D55jRII6RtkTrm8bmOlUXIx3BB +sgDOhG61U4LJ8n4Utcgv4go1feRNQkIo5qXkLFcBAoGALB0HE+liopxZl8fni4Am +Q2qiIox1n95tZn+E/BxRm+3iM6ntp+vtUAx51MCJAChdKNubcI8AWVVUu1rg+BmK +kC1L754uRFN08u7jr6N4O8YaiikmIeqMRRVt3YRAEU6AeejfiOscCOwC6FKtRC5s +2iXmbLR/k9wBKN+IgAMPNRMCgYEA44MIxDBFbrzQM9u+8HXCr27RAe0y4Fttcszb +Oxb2ddVnRlKmlujHoikaczh8wfD0Bt3xFSlQmKAENQO69qwolzmBoDULkolpkuiC +IlOsaPfHoqAQ7WNXlhZa+puQmsYH+3OK7t4CyRi+lQFE8RuK52dSZm3wqmFLCJC8 +tALOjgECgYEAjREmEh/o/moOfIp8x18GYkYkJCv3+/UwMD8kJUu3KtXhER6Kgi2t +GgqGV7nHm+sZjck+tcWdT7s+SJWQ2t8QkOf9xavy6mhG6ptJT7xoXSCxAUzNjLQZ +WpoLVecRfaiAwj9DbbVWhjy8RDkyAHcHveVSIH40I7K0oTbNPqyJk6U= +-----END RSA PRIVATE KEY----- diff --git a/reg-tests/ssl/show_ocsp_server.pem.issuer b/reg-tests/ssl/show_ocsp_server.pem.issuer new file mode 100644 index 000000000..bed206164 --- /dev/null +++ b/reg-tests/ssl/show_ocsp_server.pem.issuer @@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFGjCCAwKgAwIBAgIUHgviUJMgCZlOPOhVc09pZ4NhfxcwDQYJKoZIhvcNAQEL +BQAwPjELMAkGA1UEBhMCRlIxHTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVz +MRAwDgYDVQQDDAdSb290IENBMB4XDTIxMDQyMjE0MDEyMFoXDTQ4MDkwNzE0MDEy +MFowPjELMAkGA1UEBhMCRlIxHTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVz +MRAwDgYDVQQDDAdSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC +AgEAti+5onUeFJNyF5s6xlnBxDnFhw7Q5VbBestHeQttjBWN31zq5yaf/+CYXdu+ +lY6gNZj6JBiFJ5P7VXX3DqUIJBX6byXWfIUWM+auBAMKlTz0+hWrF/UxI/3uG67N ++Z6NVffEPYbA4Emqozr0DIicWorRyHnrhEQQP87xBCUboUr3QEkNngfiJ0fPm3fj +7HfQemGL2OnTA8qdy0q1l4aUhVr9bgedP2Klvs0XhbszCGLI0Gq5lyNadlH1MEiw +SXa9rklE6NCNcyamO7Wt8LVrg6pxopa7oGnkLbnjzSuE+xsN0isOLaHH5LfYg6gT +aAHpnBHiWuDZQIyzKc+Z37gNksd46/y9B+oBZoCTcYMOsn7PK+gPzTbu3ic4L9hO +WCsTV0tn+qUGj6/J98gRgvuvZGA7NPDKNZU5p34oyApBPBUOgpn6pCuT5NlkPYAe +Rp/ypiy5NCHp0JW3JWkJ4+wEasZM34TZUYrOsicA0GV4ZVkoQ3WYyAjmLvRXmo/w +Z3sSlmHvCg9MrQ9pk24+OtvCbii0bb/Zmlx0Y4lU5TogcuJffJDVbj7oxTc2gRmI +SIZsnYLv2qVoeBoMY5otj+ef0Y8v98mKCbiWe2MzBkC2h5wmwyWedez8RysTaFHS +Z4yOYoCsEAtCxnib9d5fXf0+6aOuFtKMknkuWbYj6En647ECAwEAAaMQMA4wDAYD +VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAjVzxHzq/87uj24It5hYj4mq4 +ero0zix4fA4tJNuTpZ/5r7GUYaf/uT4xfDilBX2fGMsxVTxJC25KzhdFeTzg1Tde +/N0LAeLWHfe6jR/P5XDATD0ZA73DQALOxRM5uRMeWJDVaUeco/aXsdQaCz2STDI3 +h7VVFoaOlmxQW3BBEvg2VUp9DS2UjqqdwsUDtzwKfrmj/FqyBvGrvNeIMv28HCu7 +r1WE1Z0UEJhpc1BPbu7F/vl60gRF3bQjh2tL8pWThxTJe6Qy+pLoSShyi85AM9XK +scCmUtQWjy7KQDL8XVFvuCWvMzknZQjJcncbKddPaaSIDkKUpz9FDv+wSJj/LKf7 +bGSFPM6sblioLbLNJByRYI8G7VHvKDbUnYHbHp75NTGA2eDeNqx5bC2G/EJUTwLM +bfcZr9hv+z1QpvSLEpar30kJjc1QMQcf60ToGYIC93rsVAKou2GPGry4h/nzwro0 +jjFWNgORTXllfcQDbDNOPkV1kFFibPbAU4faZMgC+xwIwDBsndvcvXjLaRUa4fmw +1xNkOO5Lj9AuvTXdCc9yUXRzmPZhU6Q4YB2daWvs3vbMTtvkAXGyQL4b2HD+NYZs +cMUtbteGgQzwM1gpMBn4GX53vhlCXq28r3cH1/1tLDweglSrxyvZbB7pZU7BAmLk +TEj2fXcvdcX+TtYhC10= +-----END CERTIFICATE----- diff --git a/reg-tests/ssl/show_ocsp_server.pem.ocsp b/reg-tests/ssl/show_ocsp_server.pem.ocsp new file mode 100644 index 0000000000000000000000000000000000000000..5ac1457656e4dc97ddc2e3fe3ba90b8c1ddc4b7e GIT binary patch literal 2281 zcmb`Ido=q8ukaxY0r z9CuRMMw${$ZlOdQyFCddv1#wM&RP5Xb=En5ynj63=Uvb9ylZ_w&kL|cX2igtVz$Tx zz!n)165TBXhQoycFc`)b;ciL20Bf$~AmD%z2SkOShhajp5PK3v1yI@!#3Yc8w#0Bo zbPU=ffJ#5f2w~6y10pax0fp@}R06@EMw~LFQ%-H)F{Cm=QBqg{ivjjx0Kg1~15A8? z0DuZuY}JPEmV`nS;UE|?jWa1Eb!SzyFFyY&N#Bq~JvJf+L#~kO-rc@UTk454lJ6#1ET=&P#gvpQra zoDA#`64g(3OkUjq28+W%P&Nb%8W!eoqwd6!Plv_Xf<2cM`B;a??4`3l8&T(Dib9&hK)pm4;di-sS^|;b4d(^|Q+X z19v+FlC|ucm9f$KTG{|VPL1pe36r^brg(^Jnbku<$j$H^^;_OFHm5`HCq>q#>I@*; z^u2?$BSu%{jBE<8<=~|Y@65ff>MkF!?h9Xi#W#5-N%pz?b5Ka+%`SVZjsDOQ8z=F; z2UU{-{FFJNO>4u{FGu7PH+Vs#9;dQr&12F>dS=+^q#!`{q2&9R&t8O9rM83v#^$kp z{(f%-f$wnvW2tN73+uJahy{7`J-9gs_lt(_s*TgaZ!Rzc#_&`2#())zx%~V@U(CsS zCucGZu8<~EvPX7{wVz3ro{d_r!^Y2=hshJ8kdtOZqn_t~OK~CZxF{E|^1k*E#PtTj z+la#*w$S02W%5Ra+o`diM$b`LaEBnR5QE#g_j-?OjAFxbDs{~Lh-8=~>=vx9#aT?(|Ni$S&>&)3;^ zgj3-1(SOy~L54fKKWjQnYsr1?V_N-7RpQ4W*WZ4xO!%j%UQx#5xijFU_YxuIQ8nk9 zC8IM^xw57FJ0}_^N}0m&O{6bXsh8vz+>)f97&fO7UeTX1HI_lPD0IDwg;NSHOx$Y~ z>*_ zlH2!M2BAi|6mfOUUp{Cged27ByMkDh2uQm&B2 ztJU*|o%KPg_t$W_pjLPS|C@%NcwL&ZEWOH``q16_kV6$O{;Qq`R_T02!TLIDUQmgH z7J+9??&^&O&KjIZ&6Aigq8qiWI>?}B71RC^YCq79(O&iHA2~l&BRJFj98sues6~)) z5Lncs9_G0O^l0x34d$hqQhBBX132_+!e!G-BvZ<_8;rE zj@;{ie=w&Ld>0}k8#G>N8Cx;Yqu@Jm&!wT{iq-~^G1wc4Nm}ah!3H2*8~W5}i0ImC zhIhOd)V%RAb$Y}SVH=TtaY>v^kS;%6YM=az<;OXO9n{o*z4>!fDENDInF3GlklAqc zleM86LRn_+(MGu+#y1U0pD;yob#6VFdiK$oV8}Pwe{NMa=33M%2owwgm$I4xR^yMA zuObVB03bkR%daYuFnJg0!B2)8;`R4V7bGm@4nCp~tYh1%T0?o)qtL$2 z-ka8Of*09t1W(eUAALpr+gS1S%bKxxgIoR?(u3?GVqezxEYCKAm1*d5^+xs6u6%U? zgfUe%X2KY#DGvhi2Ka33lrD{?NRrkcQR>4*p@T_zN6rQZwX$OtKNwMN{&Jz=okg6^ zXk_3Ei{v7>0X~E;A4*p!f8?ZpdVS!iWwpPLV_>##J&-vU5S%;su*hyeHe&o)eOGm)kjCjJg+^44u6BW@5#~<2KB#6$tDirseeo-UOk4r!N=*WE0 wa`?lc>v1amukpNA9T2MLST7R4L_3kmR6aNqGNVQ-aZ<())}aTdYprVPY&XSx1(ngWpVs5gjo#B{KO%XNRB=eoY1=LT5f3ld;Z0ZV)q zV2KOG5WB^|aQGGg42H49Uu~p#Kw(g_?i{p#JaoLSV8mR9Z(k4o(PB zTUM8@)r|Sv4Qv%d=q1=BEN%sZCE*|_3jzimj{HGi?(u=AbD`a{huQ->t3N39>^!h| zJ%(y-*RY>&T9nPONpkyrsHyV)r;nX)@6 zex3J(S~Vt(k~M9lD)?(Jd`cN!)w03nK#GW*;k{f7Ze?vs|7EEfQSP$#Tx-`h*YoFI z?q>4+Bvsz1XZY5^^lsp+#~!Jot5?nB@(MZr#vjvpQYz!0yrwBmNS|ZMhh2t=SGrDS z>`f;sH)mJ$yon#lov9#1j@f>xx02c6LKUq&zfvDG-SAQ(ob_y_Da}aMXxvf0nV*QD zWzD~`OW^YZ@k!s(kbx)Zj{*mgck&Z1C%*u?KG>`2jR|mU34`NHvwS`NoV_94ZzUaZ$GRm+ zI7O(D2u;Y%D7iSxK&lHgI0wERJfP9|&~F{&IkP7^KmhhnCLt=j#IuwYUKfe4Irn4c z;uF+%Ml6f?P7@y3xrl>v={%3np<>K zBD00eWQJjgmVlb#)(ukdI1|8hgBcS~#jQpJEP%!R75?9l1Xz$A|9N-tccV*#Hu4gX zO~>b^?KAU({P38btu|ix5O3ErgYa%h_-9=La{2yY`2_Lx;!C6D<29U6eu^oEJ6U z^d4`qIAiR4fAB^#xC$aG7cf$0ey()1P0_3Gp2LH}U$oYon1dZ>u<`S4o;ZJb#|Pc& zG*rZ|<;98@Vw~x?7?;l(c;`APDAj( z&9fLU`=jd?QKILW&O|rzj1PT5WBFCV&2-IkR{D2*Q)LEOY^UyPtJmBf5%-w{e<@!p zfBHCALj+-t7r!!M_EnSwfCl<_EZq1`8cm5TqsLe7#-GIml5;#R1qL**B4?%yDYv`Q z9=tV+(s_A?@!Twd4cE5{;wc2v6-(Of^ukyAj+vMHdfG5DO>5iqD1@?GE+Y@-ZV2nt zW}-?un}mSaNU!$g;-9jYM2^GdG!^^2;+eGlMOJPsFH&4kQdLj0umJrt<2c$KzmjjT zyA+o>L?g?+V@S^5Z0c!YJdWF|?wXS4rptMza{ISQ3vc>FqK$cvR&bo+?l{Svc=k}> zGZKMb72R^w(Do8}<-v_Ooe+xm^(S-fs|fVlT|HUe@l&eKj9S)L2fOzTVP?dpf?bLZ zTD6LOCElkNoR8UMF3|IvIsnqIKqRsv>Wa(6xIv5(X4rv_d--tHHaN!EwvBLw^9| CM80PL literal 0 HcmV?d00001 diff --git a/reg-tests/ssl/show_ssl_ocspresponse.vtc b/reg-tests/ssl/show_ssl_ocspresponse.vtc new file mode 100644 index 000000000..3aad6d808 --- /dev/null +++ b/reg-tests/ssl/show_ssl_ocspresponse.vtc @@ -0,0 +1,133 @@ +#REGTEST_TYPE=devel + +# This reg-test uses the "show ssl ocsp-response" command to display the details +# of the OCSP responses used by HAProxy. +# It also uses the new special cases of the "show ssl cert" command, where an OCSP +# extension is provided to the certificate name (with or without preceding * for an +# ongoing transaction). +# +# It uses the show_ocsp_server.pem server certificate, signed off by set_cafile_rootCA.crt, +# which has two OCSP responses, show_ocsp_server.pem.ocsp which is loaded by default and in +# which it is valid, and show_ocsp_server.pem.ocsp.revoked in which it is revoked. +# The OSCP response is updated through the two means available in the CLI, the +# "set ssl ocsp-response" command and the update through a "set ssl cert foo.ocsp". +# +# It requires socat to upload the new OCSP responses. +# +# If this test does not work anymore: +# - Check that you have socat + +varnishtest "Test the 'show ssl ocsp-response' and 'show ssl cert foo.pem.ocsp' features of the CLI" +#REQUIRE_VERSION=2.5 +#REQUIRE_OPTIONS=OPENSSL +#REQUIRE_BINARIES=socat +feature ignore_unknown_macro + +haproxy h1 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-cipherlist-size 1 + stats socket "${tmpdir}/h1/stats" level admin + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect 100ms + timeout client 1s + timeout server 1s + + listen clear-lst + bind "fd@${clearlst}" + server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/set_cafile_rootCA.crt verify none + + listen ssl-lst + # crt: certificate of the server + # ca-file: CA used for client authentication request + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/show_ocsp_server.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-response add-header X-SSL-Client-Verify %[ssl_c_verify] + server s1 ${s1_addr}:${s1_port} +} -start + + +# Test the "show ssl ocsp-response" command +haproxy h1 -cli { + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + expect ~ "Cert Status: good" +} + +# Test the "show ssl cert foo.pem.ocsp" command +haproxy h1 -cli { + send "show ssl cert" + expect ~ ".*show_ocsp_server.pem" + + send "show ssl cert ${testdir}/show_ocsp_server.pem" + expect ~ "Serial: 100F" + send "show ssl cert ${testdir}/show_ocsp_server.pem" + expect ~ "OCSP Response Key: 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + + send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp" + expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" + send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp" + expect ~ "Cert Status: good" +} + + +# Change the server certificate's OCSP response through "set ssl ocsp-response" +shell { + printf "set ssl ocsp-response <<\n$(base64 ${testdir}/show_ocsp_server.pem.ocsp.revoked)\n\n" | socat "${tmpdir}/h1/stats" - +} + +# Check that the change was taken into account +haproxy h1 -cli { + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + expect ~ "Cert Status: revoked" + + send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp" + expect ~ "Cert Status: revoked" +} + + +# Change the server certificate's OCSP response through a transaction +shell { + printf "set ssl cert ${testdir}/show_ocsp_server.pem <<\n$(cat ${testdir}/show_ocsp_server.pem)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/show_ocsp_server.pem.ocsp <<\n$(base64 ${testdir}/show_ocsp_server.pem.ocsp)\n\n" | socat "${tmpdir}/h1/stats" - +} + + +# Check that the actual tree entry was not changed and that the uncommitted +# transaction's OCSP response is the new one +haproxy h1 -cli { + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + expect ~ "Cert Status: revoked" + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + expect ~ "This Update: Jun 10 08:57:45 2021 GMT" + + send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp" + expect ~ "Cert Status: good" + send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp" + expect ~ "This Update: Jun 10 08:55:04 2021 GMT" +} + + +# Commit the transaction and check that it was taken into account +haproxy h1 -cli { + send "commit ssl cert ${testdir}/show_ocsp_server.pem" + expect ~ "Success!" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + expect ~ "Cert Status: good" + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" + expect ~ "This Update: Jun 10 08:55:04 2021 GMT" +}