Author: brane Date: Fri Dec 9 05:37:01 2016 New Revision: 1773321 URL: http://svn.apache.org/viewvc?rev=1773321&view=rev Log: On the ocsp-validation branch: Update test for serf_ssl_cert_certificate().
* test/test_ssl.c (test_ssl_cert_certificate): Use the new certificate. Check the subjectAltNames and OCSP responder URLs. * test/certs/create_certs.py (create_cert): Add optional parameter ocsp_responder_url. (__main__): Generate test certificate with sAN and OCSP URI. * test/certs/serfserver_san_ocsp_cert.pem: New. Added: serf/branches/ocsp-verification/test/certs/serfserver_san_ocsp_cert.pem Modified: serf/branches/ocsp-verification/test/certs/create_certs.py serf/branches/ocsp-verification/test/test_ssl.c Modified: serf/branches/ocsp-verification/test/certs/create_certs.py URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/test/certs/create_certs.py?rev=1773321&r1=1773320&r2=1773321&view=diff ============================================================================== --- serf/branches/ocsp-verification/test/certs/create_certs.py (original) +++ serf/branches/ocsp-verification/test/certs/create_certs.py Fri Dec 9 05:37:01 2016 @@ -83,7 +83,8 @@ def create_crl(revokedcert, cakey, cacer # subjectAltName def create_cert(subjectkey, certfile, issuer=None, issuerkey=None, country='', state='', city='', org='', ou='', cn='', email='', ca=False, - valid_before=0, days_valid=VALID_DAYS, subjectAltName=None): + valid_before=0, days_valid=VALID_DAYS, subjectAltName=None, + ocsp_responder_url=None): ''' Create a X509 signed certificate. @@ -130,6 +131,11 @@ def create_cert(subjectkey, certfile, is cert.add_extensions([ crypto.X509Extension('subjectAltName', critical, ", ".join(subjectAltName))]) + if ocsp_responder_url: + cert.add_extensions([ + crypto.X509Extension('authorityInfoAccess', False, + 'OCSP;URI:' + ocsp_responder_url)]) + cert.sign(issuerkey, SIGN_ALGO) open(certfile, "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, 
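Review bot: In the second hunk, `'OCSP;URI:' + ocsp_responder_url` is spliced into the OpenSSL extension value string with no validation, and as far as I recall of the x509v3 config syntax a comma separates access descriptions there, so a URL containing one would silently yield extra or malformed authorityInfoAccess entries rather than an error. Since create_cert already accepts subjectAltName as a list, it would be more useful to accept a list here as well, so the suite can generate a certificate with several responders (the C side returns an array and only the one-element case can be produced today); `urls = [ocsp_responder_url] if isinstance(ocsp_responder_url, str) else ocsp_responder_url` followed by `", ".join('OCSP;URI:' + u for u in urls)` keeps the existing single-string call working. The new parameter should also be described in create_cert's docstring, e.g. `ocsp_responder_url: optional OCSP responder URI; when given, a non-critical authorityInfoAccess extension with access method OCSP pointing at it is added`. create_cert's body continues outside the hunk.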
@@ -204,6 +210,20 @@ if __name__ == '__main__': days_valid=13*365, subjectAltName=['DNS:localhost']) + # server certificate with OCSP responder URL + ocspcert = create_cert(subjectkey=serverkey, + certfile='serfserver_san_ocsp_cert.pem', + issuer=cacert, issuerkey=cakey, + country='BE', state='Antwerp', city='Mechelen', + org='In Serf we trust, Inc.', + ou='Test Suite Server', + cn='localhost', + email='serfser...@example.com', + days_valid=13*365, + subjectAltName=['DNS:localhost'], + ocsp_responder_url='http://localhost:17080') + + # client key pair and certificate clientkey = create_key('private/serfclientkey.pem', 'serftest') Added: serf/branches/ocsp-verification/test/certs/serfserver_san_ocsp_cert.pem URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/test/certs/serfserver_san_ocsp_cert.pem?rev=1773321&view=auto ============================================================================== --- serf/branches/ocsp-verification/test/certs/serfserver_san_ocsp_cert.pem (added) +++ serf/branches/ocsp-verification/test/certs/serfserver_san_ocsp_cert.pem Fri Dec 9 05:37:01 2016 
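Review bot: `ocsp_responder_url='http://localhost:17080'` introduces a magic port that is also hard-coded verbatim in test_ssl.c's assertion and, presumably, is what a test OCSP responder will later have to listen on; hoist it into a named constant near the top of the script with a comment such as `# port the test-suite OCSP responder is expected to listen on; mirrored in test/test_ssl.c` so the two files cannot drift apart silently. The fixture also reuses `serverkey`, so one private key now backs two server certificates with identical subjects, which is fine for a test suite but deserves a one-line comment so nobody later assumes the OCSP certificate has its own key file. The `__main__` block continues outside the hunk.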
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEFTCCAv2gAwIBAgIDAYa0MA0GCSqGSIb3DQEBCwUAMIGgMQswCQYDVQQGEwJC +RTEQMA4GA1UECAwHQW50d2VycDERMA8GA1UEBwwITWVjaGVsZW4xHzAdBgNVBAoM +FkluIFNlcmYgd2UgdHJ1c3QsIEluYy4xFjAUBgNVBAsMDVRlc3QgU3VpdGUgQ0Ex +EDAOBgNVBAMMB1NlcmYgQ0ExITAfBgkqhkiG9w0BCQEWEnNlcmZjYUBleGFtcGxl +LmNvbTAeFw0xNjEyMDkwNTIzMDlaFw0yOTEyMDYwNTIzMDlaMIGqMQswCQYDVQQG +EwJCRTEQMA4GA1UECAwHQW50d2VycDERMA8GA1UEBwwITWVjaGVsZW4xHzAdBgNV +BAoMFkluIFNlcmYgd2UgdHJ1c3QsIEluYy4xGjAYBgNVBAsMEVRlc3QgU3VpdGUg +U2VydmVyMRIwEAYDVQQDDAlsb2NhbGhvc3QxJTAjBgkqhkiG9w0BCQEWFnNlcmZz +ZXJ2ZXJAZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDXzZBsDTAl0j5MKCElC3LtmOMv+PH1CRItKIHXEA//dIJbtr6RAxwgJmD8sY8K +89kkLXdAnmWDlYb95no6sONB1xNFjeNf/lUnxuU5P5VUzpCAkWj9BzIcvOmkTKuJ +aOH7u1TQRDJxyds/r2lrsJ1Fv63JK+I3mdAKINElqKxHCy4D18FP5g+slndvYPWs +47mpSqt0on6pplmLWJjDqzdDPQJU5YYSFHKvHEenk7finjh/qkB+q941FGeoNjNv +nB0fP6BmzMwg2Zvwi4xELic3CDY4jdXfSb0RZo/WVJr2N4Ivi70IiC6zFkvjV6Yn +tLOftmpakMi/eOSQpqqRGChfAgMBAAGjTDBKMBQGA1UdEQQNMAuCCWxvY2FsaG9z +dDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6 +MTcwODAwDQYJKoZIhvcNAQELBQADggEBAJoCiAuiVEiuvDSQ7JS9lodlyYlGKedq +UMnTTTKULKBqO4MMT8gXgGzlQukZZQj1T5IvgLUa3vt40m6wjWDSD9q4gIS3m2vO +dHuUbBePqn9iNqKh4i++288WCmIr60IdvSp98ureWUyjilEXBp7ZqlNkGehmBqi7 +HuOag3bpejCKjKK1rw5UfNlJ94gzWnDoJsfrGs4ZwVGF2xZKPXVDQXJsQV5gsxa/ +UXkumapzUFj/RnjwKYRydTPZCKUQdY8CzlQG6uba1iKeuq12P9zGZi9FiP0Ahova +SSBQMjk5JThVE/7OsJReA9BPTFt2lMq88fCu9muiRoBvzTs9q96zq6o= +-----END CERTIFICATE----- Modified: serf/branches/ocsp-verification/test/test_ssl.c URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/test/test_ssl.c?rev=1773321&r1=1773320&r2=1773321&view=diff ============================================================================== --- serf/branches/ocsp-verification/test/test_ssl.c (original) +++ serf/branches/ocsp-verification/test/test_ssl.c Fri Dec 9 05:37:01 2016 
@@ -168,29 +168,38 @@ static void test_ssl_cert_certificate(Cu
 apr_hash_t *kv;
 serf_ssl_certificate_t *cert = NULL;
 apr_array_header_t *san_arr;
+ apr_array_header_t *ocsp_arr;
 apr_status_t status;
- status = serf_ssl_load_cert_file(&cert,
- get_srcdir_file(tb->pool,
- "test/serftestca.pem"),
- tb->pool);
+ status = serf_ssl_load_cert_file(
+ &cert,
+ get_srcdir_file(tb->pool, "test/certs/serfserver_san_ocsp_cert.pem"),
+ tb->pool);
 CuAssertIntEquals(tc, APR_SUCCESS, status);
 CuAssertPtrNotNull(tc, cert);
 kv = serf_ssl_cert_certificate(cert, tb->pool);
 CuAssertPtrNotNull(tc, kv);
- CuAssertStrEquals(tc, "8A:4C:19:D5:F2:52:4E:35:49:5E:7A:14:80:B2:02:BD:B4:4D:22:18",
+ CuAssertStrEquals(tc, "3D:EC:C8:3B:C7:DB:FD:FB:9C:5D:5E:29:9F:ED:C1:A8:79:3B:28:14",
 apr_hash_get(kv, "sha1", APR_HASH_KEY_STRING));
- CuAssertStrEquals(tc, "Mar 21 13:18:17 2008 GMT",
+ CuAssertStrEquals(tc, "Dec 9 05:23:09 2016 GMT",
 apr_hash_get(kv, "notBefore", APR_HASH_KEY_STRING));
- CuAssertStrEquals(tc, "Mar 21 13:18:17 2011 GMT",
+ CuAssertStrEquals(tc, "Dec 6 05:23:09 2029 GMT",
 apr_hash_get(kv, "notAfter", APR_HASH_KEY_STRING));
- /* TODO: create a new test certificate with a/some sAN's. */
 san_arr = apr_hash_get(kv, "subjectAltName", APR_HASH_KEY_STRING);
- CuAssertTrue(tc, san_arr == NULL);
+ CuAssertPtrNotNull(tc, san_arr);
+ CuAssertIntEquals(tc, 1, san_arr->nelts);
+ CuAssertStrEquals(tc, "localhost",
+ APR_ARRAY_IDX(san_arr, 0, const char*));
+
+ ocsp_arr = apr_hash_get(kv, "OCSP", APR_HASH_KEY_STRING);
+ CuAssertPtrNotNull(tc, ocsp_arr);
+ CuAssertIntEquals(tc, 1, ocsp_arr->nelts);
+ CuAssertStrEquals(tc, "http://localhost:17080",
+ APR_ARRAY_IDX(ocsp_arr, 0, const char*));
 }
 static const char *extract_cert_from_pem(const char *pemdata,
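Review bot: The negative case has been lost: the removed `CuAssertTrue(tc, san_arr == NULL)` was the only check that a certificate without a subjectAltName yields NULL, and after this change no certificate lacking sAN or authorityInfoAccess is loaded at all, so an implementation that returned a non-NULL (for instance empty) array for a missing extension would still pass. Keep a second load of the old CA certificate (`test/serftestca.pem`) in this test and assert `CuAssertPtrEquals(tc, NULL, apr_hash_get(kv, "OCSP", APR_HASH_KEY_STRING));` next to the restored `san_arr == NULL` check, so callers can rely on NULL meaning "no responder". The pinned fingerprint and notBefore/notAfter strings are tied to the checked-in `serfserver_san_ocsp_cert.pem`; a comment such as `/* Values below are pinned to test/certs/serfserver_san_ocsp_cert.pem; regenerate them whenever create_certs.py is re-run. */` above the first CuAssertStrEquals would spare the next person a confusing failure. test_ssl_cert_certificate starts before this hunk.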