This is an automated email from the ASF dual-hosted git repository. dsoumis pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit b08632be6c7a5902ac41cde6ce586f58141c8c19
Author: Dimitris Soumis <[email protected]>
AuthorDate: Thu Oct 9 20:48:10 2025 +0300
Ehnance tests and fix various issues in TestOcspIntegration tests
---
.../tomcat/util/net/ocsp/TestOcspIntegration.java | 293 ++++++++-------------
test/org/apache/tomcat/util/net/ocsp/ca-cert.pem | 34 +-
.../tomcat/util/net/ocsp/client-keystore.p12 | Bin 0 -> 3658 bytes
.../apache/tomcat/util/net/ocsp/client-password | 1 +
.../util/net/ocsp/generate-ocsp-test-artifacts.sh | 48 +++-
.../tomcat/util/net/ocsp/ocsp-client-good.der | Bin 0 -> 1280 bytes
.../tomcat/util/net/ocsp/ocsp-client-revoked.der | Bin 0 -> 1302 bytes
test/org/apache/tomcat/util/net/ocsp/ocsp-good.der | Bin 1280 -> 1280 bytes
.../apache/tomcat/util/net/ocsp/ocsp-revoked.der | Bin 1302 -> 1302 bytes
.../apache/tomcat/util/net/ocsp/server-cert.pem | 106 ++++----
.../org/apache/tomcat/util/net/ocsp/server-key.pem | 52 ++--
.../org/apache/tomcat/util/net/ocsp/trustStore.p12 | Bin 1174 -> 1174 bytes
12 files changed, 245 insertions(+), 289 deletions(-)
diff --git a/test/org/apache/tomcat/util/net/ocsp/TestOcspIntegration.java b/test/org/apache/tomcat/util/net/ocsp/TestOcspIntegration.java
index 6c48046f36..71effa10b6 100644
--- a/test/org/apache/tomcat/util/net/ocsp/TestOcspIntegration.java
+++ b/test/org/apache/tomcat/util/net/ocsp/TestOcspIntegration.java
@@ -20,11 +20,9 @@ package org.apache.tomcat.util.net.ocsp;
 import java.io.Closeable;
 import java.io.File;
 import java.io.IOException;
-import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.InetSocketAddress;
 import java.net.ServerSocket;
-import java.net.Socket;
 import java.net.URI;
 import java.net.URL;
 import java.nio.file.Files;
@@ -53,6 +51,7 @@ import java.util.Set;
 import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLSocketFactory;
@@ -76,13 +75,12 @@ import org.apache.tomcat.util.net.Constants;
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.TesterSupport;
-import org.apache.tomcat.util.net.openssl.OpenSSLConf;
-import org.apache.tomcat.util.net.openssl.OpenSSLConfCmd;
 import org.apache.tomcat.util.net.openssl.OpenSSLImplementation;
 import com.sun.net.httpserver.Headers;
 import com.sun.net.httpserver.HttpServer;
+
 @RunWith(Parameterized.class)
 public class TestOcspIntegration extends TomcatBaseTest {
 private static final String CA_CERTIFICATE_PATH = "ca-cert.pem";
@@ -91,9 +89,13 @@ public class TestOcspIntegration extends TomcatBaseTest {
 private static final String TRUSTSTORE_PATH = "trustStore.p12";
 private static final String TRUSTSTORE_PASS = "trust-password";
 private static final String KEYSTORE_TYPE = "PKCS12";
- private static final String OCSP_GOOD_RESPONSE = "ocsp-good.der";
- private static final String OCSP_REVOKED_RESPONSE = "ocsp-revoked.der";
- @Parameterized.Parameters(name = "{0}")
+ private static final String OCSP_SERVER_CERT_GOOD_RESPONSE = "ocsp-good.der";
+ private static final String OCSP_SERVER_CERT_REVOKED_RESPONSE = "ocsp-revoked.der";
+ private static final String CLIENT_KEYSTORE_PATH = "client-keystore.p12";
+ private static final String CLIENT_KEYSTORE_PASS = "client-password";
+ private static final String OCSP_CLIENT_CERT_GOOD_RESPONSE = "ocsp-client-good.der";
+ private static final String OCSP_CLIENT_CERT_REVOKED_RESPONSE = "ocsp-client-revoked.der";
+ @Parameterized.Parameters(name = "useFFM: {0}")
 public static Collection<Object[]> parameters() {
 List<Object[]> parameterSets = new ArrayList<>();
 parameterSets.add(new Object[] { Boolean.FALSE });
@@ -106,138 +108,111 @@ public class TestOcspIntegration extends TomcatBaseTest {
 @Before
 public void runtimeCheck() {
 if (ffm) {
- Assume.assumeTrue(JreCompat.isJre22Available());
+ Assume.assumeTrue("FFM is not available.", JreCompat.isJre22Available());
 }
 }
 @Test
- public void testOcspGood() throws Exception {
- Assert.assertEquals(HttpServletResponse.SC_OK, testOCSP(OCSP_GOOD_RESPONSE, false, false, ffm));
+ public void testOcspGood_ClientVerifiesServerCertificateOnly() throws Exception {
+ Assert.assertEquals(HttpServletResponse.SC_OK, testOCSP(OCSP_SERVER_CERT_GOOD_RESPONSE, false, true, ffm));
+ }
+ @Test
+ public void testOcspGood_Mutual() throws Exception {
+ final int ocspResponderPortForClient = 8889;
+ Assume.assumeTrue("Port " + ocspResponderPortForClient + " is not available.", isPortAvailable(ocspResponderPortForClient));
+ try (FakeOcspResponder fakeOcspResponder = new FakeOcspResponder(Files.readAllBytes(new File(getPath(OCSP_CLIENT_CERT_GOOD_RESPONSE)).toPath()), ocspResponderPortForClient)){
+ fakeOcspResponder.start();
+ Assert.assertEquals(HttpServletResponse.SC_OK, testOCSP(OCSP_SERVER_CERT_GOOD_RESPONSE, true, true, ffm));
+ }
+ }
+ @Test
+ public void testOcspGood_ServerVerifiesClientCertificateOnly() throws Exception {
+ final int ocspResponderPortForClient = 8889;
+ Assume.assumeTrue("Port " + ocspResponderPortForClient + " is not available.", isPortAvailable(ocspResponderPortForClient));
+ try (FakeOcspResponder fakeOcspResponder = new FakeOcspResponder(Files.readAllBytes(new File(getPath(OCSP_CLIENT_CERT_GOOD_RESPONSE)).toPath()), ocspResponderPortForClient)){
+ fakeOcspResponder.start();
+ Assert.assertEquals(HttpServletResponse.SC_OK, testOCSP(OCSP_SERVER_CERT_REVOKED_RESPONSE, true, false, ffm));
+ }
 }
 @Test(expected = CertificateRevokedException.class)
- public void testOcspRevoked() throws Exception {
+ public void testOcspRevoked_ClientVerifiesServerCertificateOnly() throws Exception {
 try {
- testOCSP(OCSP_REVOKED_RESPONSE, false, false, ffm);
+ testOCSP(OCSP_SERVER_CERT_REVOKED_RESPONSE, false, true, ffm);
 }catch (SSLHandshakeException sslHandshakeException) {
- if (sslHandshakeException.getCause().getCause() instanceof CertPathValidatorException) {
- CertPathValidatorException cpe = (CertPathValidatorException) sslHandshakeException.getCause().getCause();
- Assert.assertEquals("REVOKED", cpe.getReason().toString());
- Assert.assertTrue(cpe.toString().contains("reason: KEY_COMPROMISE"));
- // Some JDKs only expose CertPathValidatorException
- if (cpe.getCause() instanceof CertificateRevokedException) {
- throw (CertificateRevokedException) cpe.getCause();
- } else {
- throw new CertificateRevokedException(new Date(), CRLReason.KEY_COMPROMISE, new X500Principal(""), new HashMap<>());
- }
- }
+ handleExceptionWhenRevoked(sslHandshakeException);
 }
 }
- @Test
- public void testOcspNoCheck() throws Exception {
- Assert.assertEquals(HttpServletResponse.SC_OK, testOCSP(OCSP_REVOKED_RESPONSE, false, true, ffm));
- }
- @Test
- public void testOcspNoCheck_01() throws Exception {
- Assume.assumeTrue(isSslConfCtxNewAvailable());
- Assert.assertEquals(HttpServletResponse.SC_OK, testOCSP(OCSP_REVOKED_RESPONSE, true, true, ffm));
+ @Test(expected = CertificateRevokedException.class)
+ public void testOcspRevoked_Mutual() throws Exception {
+ try {
+ // The exception is thrown before server side verification, while client does OCSP verification.
+ testOCSP(OCSP_SERVER_CERT_REVOKED_RESPONSE, true, true, ffm);
+ }catch (SSLHandshakeException sslHandshakeException) {
+ handleExceptionWhenRevoked(sslHandshakeException);
+ }
 }
 @Test(expected = SSLHandshakeException.class)
- public void testOcspNoCheck_02() throws Exception {
- Assume.assumeTrue(isSslConfCtxNewAvailable());
- testOCSP(OCSP_REVOKED_RESPONSE, true, false, ffm);
+ public void testOcspRevoked_ServerVerifiesClientCertificateOnly() throws Exception {
+ final int ocspResponderPortForClient = 8889;
+ Assume.assumeTrue("Port " + ocspResponderPortForClient + " is not available.", isPortAvailable(ocspResponderPortForClient));
+ try (FakeOcspResponder fakeOcspResponder = new FakeOcspResponder(Files.readAllBytes(new File(getPath(OCSP_CLIENT_CERT_REVOKED_RESPONSE)).toPath()), ocspResponderPortForClient)){
+ fakeOcspResponder.start();
+ testOCSP(OCSP_SERVER_CERT_GOOD_RESPONSE, true, false, ffm);
+ }
 }
 @Test
- public void testOcspNoCheck_03() throws Exception {
- Assert.assertEquals(HttpServletResponse.SC_OK, testOCSP(OCSP_REVOKED_RESPONSE, false, true, ffm));
+ public void testOcsp_NoVerification() throws Exception {
+ final int ocspResponderPortForClient = 8889;
+ Assume.assumeTrue("Port " + ocspResponderPortForClient + " is not available.", isPortAvailable(ocspResponderPortForClient));
+ try (FakeOcspResponder fakeOcspResponder = new FakeOcspResponder(Files.readAllBytes(new File(getPath(OCSP_CLIENT_CERT_REVOKED_RESPONSE)).toPath()), ocspResponderPortForClient)){
+ fakeOcspResponder.start();
+ Assert.assertEquals(HttpServletResponse.SC_OK, testOCSP(OCSP_SERVER_CERT_REVOKED_RESPONSE, false, false, ffm));
+ }
 }
 @Test
 public void testOcspResponderUrlDiscoveryViaCertificateAIA() throws Exception {
 final int ocspPort = 8888;
- Assume.assumeTrue(isPortAvailable(ocspPort));
- Assert.assertEquals(HttpServletResponse.SC_OK, testOCSP(OCSP_GOOD_RESPONSE, false, false, ffm,
- true, "127.0.0.1", ocspPort));
- }
- //This test is a reference to CVE-2017-15698 of tomcat-native
- @Test
- public void testOcspWithLongResponderUrlViaProxy() throws Exception {
- final int ocspPort = 8889;
- Assume.assumeTrue(isPortAvailable(ocspPort));
- StringBuilder longHostname = new StringBuilder();
- for (int i = 0; i < 128; i++) {
- longHostname.append("a");
- }
-
- String originalProxyHost = System.getProperty("http.proxyHost");
- String originalProxyPort = System.getProperty("http.proxyPort");
-
- try (ForwardingProxy proxy = new ForwardingProxy("127.0.0.1", ocspPort)) {
- Thread proxyThread = new Thread(proxy);
- proxyThread.start();
- System.setProperty("http.proxyHost", "127.0.0.1");
- System.setProperty("http.proxyPort", String.valueOf(proxy.getPort()));
- try {
- testOCSP(OCSP_REVOKED_RESPONSE, false, false, ffm,
- false, longHostname.toString(), ocspPort);
- Assert.fail("Should have thrown an exception");
- } catch (SSLHandshakeException sslHandshakeException) {
- Assert.assertTrue(true);
- }
- } finally {
- if (originalProxyHost == null) {
- System.clearProperty("http.proxyHost");
- } else {
- System.setProperty("http.proxyHost", originalProxyHost);
- }
- if (originalProxyPort == null) {
- System.clearProperty("http.proxyPort");
- } else {
- System.setProperty("http.proxyPort", originalProxyPort);
- }
- }
+ Assume.assumeTrue("Port " + ocspPort + " is not available.", isPortAvailable(ocspPort));
+ Assert.assertEquals(HttpServletResponse.SC_OK, testOCSP(OCSP_SERVER_CERT_GOOD_RESPONSE, false, true, ffm,
+ true, ocspPort));
 }
- private int testOCSP(String pathToOcspResponse, boolean serverSideOcspVerificationDisabled, boolean clientSideOcspVerificationDisabled, boolean ffm) throws Exception {
- return testOCSP(pathToOcspResponse, serverSideOcspVerificationDisabled, clientSideOcspVerificationDisabled, ffm,
- false, "127.0.0.1", 0);
+ private int testOCSP(String pathToOcspResponse, boolean serverSideVerificationEnabled, boolean clientSideOcspVerificationEnabled, boolean ffm) throws Exception {
+ return testOCSP(pathToOcspResponse, serverSideVerificationEnabled, clientSideOcspVerificationEnabled, ffm,
+ false, 0);
 }
- private int testOCSP(String pathToOcspResponse, boolean serverSideOcspVerificationDisabled, boolean clientSideOcspVerificationDisabled, boolean ffm,
- boolean discoverResponderFromAIA, String ocspResponderHostname, int ocspResponderPort) throws Exception {
+ private int testOCSP(String pathToOcspResponse, boolean serverSideVerificationEnabled, boolean clientSideOcspVerificationEnabled, boolean ffm,
+ boolean clientDiscoversResponderFromAIA, int ocspResponderPort) throws Exception {
 File certificateFile = new File(getPath(SERVER_CERTIFICATE_PATH));
 File certificateKeyFile = new File(getPath(SERVER_CERTIFICATE_KEY_PATH));
 File certificateChainFile = new File(getPath(CA_CERTIFICATE_PATH));
 Tomcat tomcat = getTomcatInstance();
- initSsl(tomcat, certificateFile, certificateKeyFile, certificateChainFile);
+ initSsl(tomcat, serverSideVerificationEnabled, certificateFile, certificateKeyFile, certificateChainFile);
 TesterSupport.configureSSLImplementation(tomcat, ffm ? "org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation" : OpenSSLImplementation.class.getName(), true);
- if (serverSideOcspVerificationDisabled) {
- SSLHostConfig sslHostConfig = tomcat.getConnector().findSslHostConfigs()[0];
- OpenSSLConf conf = new OpenSSLConf();
- OpenSSLConfCmd cmd = new OpenSSLConfCmd();
- cmd.setName("NO_OCSP_CHECK");
- cmd.setValue("true");
- conf.addCmd(cmd);
- sslHostConfig.setOpenSslConf(conf);
- }
 Context context = tomcat.addContext("", null);
 Tomcat.addServlet(context, "simple", new TesterSupport.SimpleServlet());
 context.addServletMappingDecoded("/", "simple");
- KeyStore trustStorePath = KeyStore.getInstance(KEYSTORE_TYPE);
+ KeyStore trustStore = KeyStore.getInstance(KEYSTORE_TYPE);
 String trustStorePass = new String(Files.readAllBytes(new File(getPath(TRUSTSTORE_PASS)).toPath())).trim();
- trustStorePath.load(Files.newInputStream(Paths.get(new File(getPath(TRUSTSTORE_PATH)).getAbsolutePath())), trustStorePass.toCharArray());
+ trustStore.load(Files.newInputStream(Paths.get(new File(getPath(TRUSTSTORE_PATH)).getAbsolutePath())), trustStorePass.toCharArray());
+ KeyStore clientKeystore = KeyStore.getInstance(KEYSTORE_TYPE);
+ String clientKeystorePass = new String(Files.readAllBytes(new File(getPath(CLIENT_KEYSTORE_PASS)).toPath())).trim();
+ clientKeystore.load(Files.newInputStream(Paths.get(new File(getPath(CLIENT_KEYSTORE_PATH)).getAbsolutePath())), clientKeystorePass.toCharArray());
 byte[] ocspResponse = Files.readAllBytes(new File(getPath(pathToOcspResponse)).toPath());
- try (FakeOcspResponder fakeOcspResponder = new FakeOcspResponder(ocspResponse, ocspResponderHostname, ocspResponderPort)) {
+ try (FakeOcspResponder fakeOcspResponder = new FakeOcspResponder(ocspResponse, ocspResponderPort)) {
 fakeOcspResponder.start();
 tomcat.start();
 URL url = new URI("https://127.0.0.1:" + getPort() + "/").toURL();
 HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
 SSLSocketFactory sslSocketFactory;
- if (clientSideOcspVerificationDisabled) {
- sslSocketFactory = buildClientSslSocketFactoryNoOcsp(trustStorePath);
+ if (clientSideOcspVerificationEnabled) {
+ sslSocketFactory = buildClientSslSocketFactoryWithOcsp(clientDiscoversResponderFromAIA ? null : fakeOcspResponder.url(), trustStore, clientKeystore, clientKeystorePass);
 } else {
- sslSocketFactory = buildClientSslSocketFactoryWithOcsp(discoverResponderFromAIA ? null : fakeOcspResponder.url(), trustStorePath);
+ sslSocketFactory = buildClientSslSocketFactoryNoOcsp(trustStore, clientKeystore, clientKeystorePass);
 }
 connection.setSSLSocketFactory(sslSocketFactory);
 connection.connect();
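Review bot: The new `clientKeystore.load(Files.newInputStream(...), ...)` line, like the renamed `trustStore.load(...)` line just above it, never closes the stream it opens; both should be wrapped in try-with-resources, which means the `java.io.InputStream` import dropped in this file's first hunk has to come back, and the `new String(bytes)` password reads should name a charset (`StandardCharsets.UTF_8`) rather than rely on the platform default. The literal `8889` is repeated in four tests and is not a free choice: the client certificate's AIA URI generated by generate-ocsp-test-artifacts.sh later in this diff points at `http://127.0.0.1:8889/ocsp/...`, and nothing else tells the server where the client responder is, so presumably the server-side check resolves it from that AIA; a named constant with `// Must match the AIA URI baked into the client certificate by generate-ocsp-test-artifacts.sh` would make the dependency visible. The `isPortAvailable` assumption is a check-then-bind race, which is probably acceptable for a test but worth a comment. testOCSP's body continues past the hunk.
```java
// … unchanged: servlet context setup …
KeyStore trustStore = KeyStore.getInstance(KEYSTORE_TYPE);
String trustStorePass = new String(Files.readAllBytes(new File(getPath(TRUSTSTORE_PASS)).toPath()), StandardCharsets.UTF_8).trim();
try (InputStream trustStoreStream = Files.newInputStream(Paths.get(new File(getPath(TRUSTSTORE_PATH)).getAbsolutePath()))) {
    trustStore.load(trustStoreStream, trustStorePass.toCharArray());
}
KeyStore clientKeystore = KeyStore.getInstance(KEYSTORE_TYPE);
String clientKeystorePass = new String(Files.readAllBytes(new File(getPath(CLIENT_KEYSTORE_PASS)).toPath()), StandardCharsets.UTF_8).trim();
try (InputStream clientKeystoreStream = Files.newInputStream(Paths.get(new File(getPath(CLIENT_KEYSTORE_PATH)).getAbsolutePath()))) {
    clientKeystore.load(clientKeystoreStream, clientKeystorePass.toCharArray());
}
// … unchanged: FakeOcspResponder, tomcat.start() and the connection …
```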
@@ -247,21 +222,29 @@ public class TestOcspIntegration extends TomcatBaseTest {
 }
 }
- private static void initSsl(Tomcat tomcat, File certificateFile, File certificateKeyFile, File certificateChainFile) {
+ private static void initSsl(Tomcat tomcat, boolean serverSideVerificationEnabled, File certificateFile, File certificateKeyFile, File certificateChainFile) {
 Connector connector = tomcat.getConnector();
 connector.setSecure(true);
- Assert.assertTrue(connector.setProperty("SSLEnabled", "true"));
+ connector.setProperty("SSLEnabled", "true");
 SSLHostConfig sslHostConfig = new SSLHostConfig();
 SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.UNDEFINED);
 sslHostConfig.addCertificate(certificate);
- connector.addSslHostConfig(sslHostConfig);
 certificate.setCertificateFile(certificateFile.getAbsolutePath());
 certificate.setCertificateKeyFile(certificateKeyFile.getAbsolutePath());
 certificate.setCertificateChainFile(certificateChainFile.getAbsolutePath());
+ if (serverSideVerificationEnabled) {
+ sslHostConfig.setCertificateVerification("required");
+ } else {
+ sslHostConfig.setCertificateVerification("optionalNoCA");
+ }
+ sslHostConfig.setCaCertificateFile(certificateChainFile.getAbsolutePath());
+ connector.addSslHostConfig(sslHostConfig);
 }
- private static SSLSocketFactory buildClientSslSocketFactoryWithOcsp(String ocspUrl, KeyStore trustStore) throws Exception {
+ private static SSLSocketFactory buildClientSslSocketFactoryWithOcsp(String ocspUrl, KeyStore trustStore, KeyStore clientKeystore, String clientKeystorePass) throws Exception {
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ kmf.init(clientKeystore, clientKeystorePass.toCharArray());
 Set<TrustAnchor> trustAnchors = getTrustAnchorsFromKeystore(trustStore);
 PKIXRevocationChecker revocationChecker =(PKIXRevocationChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker();
 if (ocspUrl != null) {
@@ -274,21 +257,23 @@ public class TestOcspIntegration extends TomcatBaseTest {
 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
 trustManagerFactory.init(new CertPathTrustManagerParameters(pkix));
- return initSSLContext(trustManagerFactory).getSocketFactory();
+ return initSSLContext(kmf, trustManagerFactory).getSocketFactory();
 }
- private static SSLSocketFactory buildClientSslSocketFactoryNoOcsp(KeyStore trustStore) throws Exception {
+ private static SSLSocketFactory buildClientSslSocketFactoryNoOcsp(KeyStore trustStore, KeyStore clientKeystore, String clientKeystorePass) throws Exception {
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ kmf.init(clientKeystore, clientKeystorePass.toCharArray());
 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 trustManagerFactory.init(trustStore);
- return initSSLContext(trustManagerFactory).getSocketFactory();
+ return initSSLContext(kmf, trustManagerFactory).getSocketFactory();
 }
- private static SSLContext initSSLContext(TrustManagerFactory trustManagerFactory) throws Exception {
+ private static SSLContext initSSLContext(KeyManagerFactory keyManagerFactory, TrustManagerFactory trustManagerFactory) throws Exception {
 SSLContext sslContext;
 if (TesterSupport.isTlsv13Available()) {
 sslContext = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3);
 } else {
 sslContext = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_2);
 }
- sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
+ sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
 return sslContext;
 }
 private static Set<TrustAnchor> getTrustAnchorsFromKeystore(KeyStore keyStore) throws KeyStoreException {
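Review bot: `connector.setProperty("SSLEnabled", "true")` in initSsl no longer has its return value asserted, so a connector that does not accept the property would surface later as an unrelated handshake failure instead of at the point of misconfiguration; if a false return is now expected in some configuration, a one-line comment should say why, otherwise keep `Assert.assertTrue(connector.setProperty("SSLEnabled", "true"));`. The `"optionalNoCA"` branch also deserves a why-comment, because the client now always presents a certificate (both socket-factory builders initialise a KeyManagerFactory) and a reader has to infer that the server is meant to request it but skip chain and revocation checks, presumably so that only the client-side OCSP path is exercised; something like `// The client always sends a certificate: request it but do not validate it, so only client-side OCSP is under test` would do. Moving `connector.addSslHostConfig(sslHostConfig)` after the configuration looks intentional and is fine.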
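Review bot: The two `KeyManagerFactory` lines added to buildClientSslSocketFactoryNoOcsp duplicate the pair added to buildClientSslSocketFactoryWithOcsp in the previous hunk; a small `private static KeyManagerFactory clientKeyManagerFactory(KeyStore clientKeystore, String clientKeystorePass)` helper, in the same spirit as the existing initSSLContext helper, would keep the two builders from drifting. initSSLContext's new signature should also carry a `@param keyManagerFactory` line stating that it supplies the client certificate used for mutual TLS.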
@@ -303,16 +288,27 @@ public class TestOcspIntegration extends TomcatBaseTest {
 }
 return trustAnchors;
 }
+ private static void handleExceptionWhenRevoked(Exception exception) throws Exception {
+ if (exception.getCause().getCause() instanceof CertPathValidatorException) {
+ CertPathValidatorException cpe = (CertPathValidatorException) exception.getCause().getCause();
+ Assert.assertEquals("REVOKED", cpe.getReason().toString());
+ Assert.assertTrue(cpe.toString().contains("reason: KEY_COMPROMISE"));
+ // Some JDKs only expose CertPathValidatorException
+ if (cpe.getCause() instanceof CertificateRevokedException) {
+ throw (CertificateRevokedException) cpe.getCause();
+ } else {
+ throw new CertificateRevokedException(new Date(), CRLReason.KEY_COMPROMISE, new X500Principal(""), new HashMap<>());
+ }
+ }
+ }
 private static class FakeOcspResponder implements Closeable {
 private final byte[] ocspResponse;
 private HttpServer server;
 private int port;
- private final String hostname;
- FakeOcspResponder(byte[] ocspResponse, String hostname, int port) {
+ FakeOcspResponder(byte[] ocspResponse, int port) {
 this.ocspResponse = ocspResponse;
- this.hostname = hostname;
 this.port = port;
 }
@@ -332,7 +328,7 @@ public class TestOcspIntegration extends TomcatBaseTest {
 }
 String url() {
- return "http://" + hostname + ":" + port + "/ocsp";
+ return "http://127.0.0.1:" + port + "/ocsp";
 }
 @Override
 public void close() {
 if (server != null) {
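Review bot: handleExceptionWhenRevoked returns normally when `exception.getCause().getCause()` is not a CertPathValidatorException, which swallows the real handshake error and leaves the `@Test(expected = CertificateRevokedException.class)` callers failing with only a generic "expected exception" message; it also throws NullPointerException when the cause chain is shorter than two links. Rethrowing the original exception at the end and null-guarding the chain keeps the diagnosis intact. The behaviour is inherited from the inline code removed earlier in this commit, so centralising it here is the right moment to fix it.
```java
private static void handleExceptionWhenRevoked(Exception exception) throws Exception {
    Throwable cause = exception.getCause();
    Throwable rootCause = cause == null ? null : cause.getCause();
    if (rootCause instanceof CertPathValidatorException) {
        CertPathValidatorException cpe = (CertPathValidatorException) rootCause;
        // … unchanged: reason assertions and the CertificateRevokedException rethrow …
    }
    // Not the revocation failure this test expects: surface the real handshake error
    throw exception;
}
```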
@@ -340,69 +336,6 @@ public class TestOcspIntegration extends TomcatBaseTest {
 }
 }
 }
- private static class ForwardingProxy implements Closeable, Runnable {
- private final ServerSocket serverSocket;
- private final String targetHost;
- private final int targetPort;
- private volatile boolean running = true;
-
- ForwardingProxy(String targetHost, int targetPort) throws IOException {
- this.serverSocket = new ServerSocket(0);
- this.targetHost = targetHost;
- this.targetPort = targetPort;
- }
-
- public int getPort() {
- return serverSocket.getLocalPort();
- }
-
- @Override
- public void close() throws IOException {
- running = false;
- serverSocket.close();
- }
-
- @Override
- public void run() {
- try {
- while (running) {
- try (Socket clientSocket = serverSocket.accept();
- Socket targetSocket = new Socket(targetHost, targetPort)) {
-
- Thread clientToTarget = new Thread(() -> {
- try {
- transfer(clientSocket.getInputStream(), targetSocket.getOutputStream());
- } catch (IOException ignored) {}
- });
-
- Thread targetToClient = new Thread(() -> {
- try {
- transfer(targetSocket.getInputStream(), clientSocket.getOutputStream());
- } catch (IOException ignored) {}
- });
-
- clientToTarget.start();
- targetToClient.start();
- clientToTarget.join();
- targetToClient.join();
-
- } catch (IOException | InterruptedException ignored) {}
- }
- } finally {
- try {
- close();
- } catch (IOException ignored) {}
- }
- }
-
- private void transfer(InputStream in, OutputStream out) throws IOException {
- byte[] buffer = new byte[4096];
- int read;
- while ((read = in.read(buffer)) != -1) {
- out.write(buffer, 0, read);
- }
- }
- }
 private String getPath(String file) throws IOException {
 if (file == null) {
@@ -423,16 +356,4 @@ public class TestOcspIntegration extends TomcatBaseTest {
 return false;
 }
 }
- private boolean isSslConfCtxNewAvailable() {
- if (!ffm) {
- return true;
- }
- try {
- Class.forName("org.apache.tomcat.util.openssl.openssl_h$SSL_CONF_CTX_new");
- return true;
- } catch (UnsatisfiedLinkError | NoClassDefFoundError | ClassNotFoundException | ExceptionInInitializerError e) {
- // This is the expected error on systems with an incompatible library (like LibreSSL).
- return false;
- }
- }
 }
diff --git a/test/org/apache/tomcat/util/net/ocsp/ca-cert.pem b/test/org/apache/tomcat/util/net/ocsp/ca-cert.pem
index 868d96b85c..34d31d9595 100644
--- a/test/org/apache/tomcat/util/net/ocsp/ca-cert.pem
+++ b/test/org/apache/tomcat/util/net/ocsp/ca-cert.pem
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDFTCCAf2gAwIBAgIUE+fRcl8KYHYGys95XRSRV9kPoY4wDQYJKoZIhvcNAQEL -BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yNTEwMDYxODA5MzdaFw0zNTEwMDQx -ODA5MzdaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQC08HmXABNhVfcJzkj1f0aYwXg78ZMl1wAX5fGO0/x4S6Fe3O5P -Ktzh78IewHMZuTZCrSvc+2fTI9uV8vwxxzgxJHFKwXCGinIXkIGAvLuD4WrxTY2Y -InnSnlh+U2ThCmdbLRxv+BPofRVWfvu1P17ihhZxNQX0rdA7SS8VM4hPRMvSeIa6 -bm1WZZ7I+xNGV5bJ91zG23Vf4TOB4ArMhH03nTgF31yK/Wx1mS2PQrSdMVEsQfpw -Axsgb4GpAmpsNf20bmmYTa+s1p/kZCpZIjfDNfNrMKVwDsnaLbDdhr7iPaRJZXRf -tVsoLGAr63zdYMxTFmov0kxidiuR2eGO8eXnAgMBAAGjYzBhMA8GA1UdEwEB/wQF -MAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRH8IgYod1fwuchneeQJYr4 -zAyXBzAfBgNVHSMEGDAWgBRH8IgYod1fwuchneeQJYr4zAyXBzANBgkqhkiG9w0B -AQsFAAOCAQEAdfmf8rIjMbEji5uVUJLrEySi/xqIW1QVdErPJQdn7O2XWzuzMjgE -as6aiBOmHLZRB03vnpVIEPkDYy0VRyPpuQM/BRClTh7pkl0B+zPn8/LnrJbPxIH2 -2Y8V/8ZAG3GZL4E7hciDuySOA1aRMeh1pum4Nkdb110RGsJw6ZpiAFYorVEhW90e -1IHjqETYW108MEd+ODUsPki8rs1+JSe+mlfpQx5u/KZ7sZARhk6Mycfr3Gsv6iDv -8mElWMn/qy/gbwc1sxsXs+HLZL5EP6n1Lp/Qn01+m3IDPpYOTVkiSCv/K8JS4BR4 -9r0AKHWj3iJbVLvkCrVJQJ/ibTXN6FFzlw== +MIIDFTCCAf2gAwIBAgIUAyOAYMldD+vXvTMjdb9wXBFMQhQwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yNTEwMDkxNzUwMTlaFw0zNTEwMDcx +NzUwMTlaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCR5uGEWWQ5x9WNSDB/38SAT30PR+DxhNL4v+sjx9u2yARgVI9q +ENLoXCrQUxMocRvwdb30owOe/vxJPaCrNQunUfSQpeKW9KYPj9tCWxrc/LPeciqO +m+XTgxowDbAY7gBGSUM75vsv0CBMo2fSGDEmQqB3+guCQBHmvV4iTnctN6jg6e1t +p+Xq4VwoTLaLMuI+G+pBvv+xVk+Mkw0L+wRChsqegaxq740V0FNfBeId4nYLAWrT +WRKmmkhrfRm2DQJ+gG46RGb1jA+3y3i+nTkEzn9ZmzAGpF3PIVhrPzYbC7AByE+T +2NqtHHp37jBvuChr20ReY+Gzx0zUdkQcF/vlAgMBAAGjYzBhMA8GA1UdEwEB/wQF +MAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTI+niWdI2AaIVg+4CTF2g6 +prb8qDAfBgNVHSMEGDAWgBTI+niWdI2AaIVg+4CTF2g6prb8qDANBgkqhkiG9w0B +AQsFAAOCAQEAKKXD005JJTCSuQckD856ZzVa6ffoGMSssSOlqvS7KrpiUID/twvG +/r8SEXbguRGauyh0FY9UlbNeWjN8u92v7zILmnBUdYm7sPEi6+bTFDrjJ22rFxei 
+Xpwb02WY9P+Kty96DTjByrKfodtGt9Ey+R/fsBE0dNEKgqOu9H+6nVcxjO2bONJH +QJsHEn3liLj+DpHn5Pe4laQHuPpXSZgvtjL5/Y8D6G4UCNQ7gVxq8GCDK1eQuyKM +oboDINCN8/6XUmCuLk51urHcsZXOJ7PX8VirdPWBqpjGa2hMNsIak6NAyK86rDFP +brZOqWk1hfVTbW9LlIxkU7dQniz/PKFxgw== -----END CERTIFICATE----- diff --git a/test/org/apache/tomcat/util/net/ocsp/client-keystore.p12 b/test/org/apache/tomcat/util/net/ocsp/client-keystore.p12 new file mode 100644 index 0000000000..f763d243e8 Binary files /dev/null and b/test/org/apache/tomcat/util/net/ocsp/client-keystore.p12 differ diff --git a/test/org/apache/tomcat/util/net/ocsp/client-password b/test/org/apache/tomcat/util/net/ocsp/client-password new file mode 100644 index 0000000000..1d40192aeb --- /dev/null +++ b/test/org/apache/tomcat/util/net/ocsp/client-password @@ -0,0 +1 @@ +changeit diff --git a/test/org/apache/tomcat/util/net/ocsp/generate-ocsp-test-artifacts.sh b/test/org/apache/tomcat/util/net/ocsp/generate-ocsp-test-artifacts.sh index bfde3bfcbf..7b8fd5c76d 100755 --- a/test/org/apache/tomcat/util/net/ocsp/generate-ocsp-test-artifacts.sh +++ b/test/org/apache/tomcat/util/net/ocsp/generate-ocsp-test-artifacts.sh @@ -56,7 +56,7 @@ default_md = sha256 policy = policy_loose copy_extensions = copy private_key = $dir/private/ca.key.pem -certificate = $dir/certs/ca.cert.pem +certificate = $dir/certs/ca-cert.pem [ policy_loose ] commonName = supplied @@ -77,6 +77,13 @@ subjectAltName = @san IP.1 = 127.0.0.1 DNS.1 = localhost +[ v3_client ] +basicConstraints = critical,CA:FALSE +keyUsage = critical,digitalSignature,keyEncipherment +extendedKeyUsage = clientAuth +# Make the AIA field >127 bytes to test CVE-2017-15698 +authorityInfoAccess = OCSP;URI:http://127.0.0.1:8889/ocsp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa + [ v3_ocsp ] basicConstraints = critical,CA:FALSE keyUsage = critical,digitalSignature 
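Review bot: The `authorityInfoAccess` URI in the new `[ v3_client ]` section pins the client responder to `127.0.0.1:8889`, and the Java tests in this commit hard-code the same port in each mutual-TLS test, with nothing tying the two together; a comment beside it such as `# Port must match ocspResponderPortForClient in TestOcspIntegration.java` (and the reverse pointer in the Java test) would stop them drifting apart. The existing comment names CVE-2017-15698 for the over-127-byte AIA, but the Java test that referenced that CVE is deleted in this commit, so this line is now the only place carrying that coverage and the Java test that drives server-side client verification should say so. Regenerating the artifacts after editing this line is required, since the committed client-keystore.p12 and the two ocsp-client-*.der responses embed the old value.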
@@ -88,7 +95,7 @@ cd "$WORK_DIR" || (printf "Something went wrong.\r\n" && exit) printf "Generating CA key and certificate...\r\n" openssl genrsa -out private/ca.key.pem 2048 -openssl req -x509 -new -nodes -key private/ca.key.pem -days 3650 -subj "/CN=Test CA" -config openssl.cnf -extensions v3_ca -out certs/ca.cert.pem +openssl req -x509 -new -nodes -key private/ca.key.pem -days 3650 -subj "/CN=Test CA" -config openssl.cnf -extensions v3_ca -out certs/ca-cert.pem printf "Done.\r\n" printf "Generating server key and certificate...\r\n" @@ -104,11 +111,11 @@ openssl ca -batch -config openssl.cnf -extensions v3_ocsp -in ocsp.csr.pem -out printf "Done.\r\n" printf "Building OCSP request for the server certificate...\r\n" -openssl ocsp -issuer certs/ca.cert.pem -cert certs/server.cert.pem -no_nonce -reqout request.der +openssl ocsp -issuer certs/ca-cert.pem -cert certs/server.cert.pem -no_nonce -reqout request.der printf "Done.\r\n" printf "Answering request with good status (ocsp-good.der)...\r\n" -openssl ocsp -index index -CA certs/ca.cert.pem -rsigner certs/ocsp.cert.pem -rkey private/ocsp.key.pem -no_nonce -ndays 365 -reqin request.der -respout ../ocsp-good.der +openssl ocsp -index index -CA certs/ca-cert.pem -rsigner certs/ocsp.cert.pem -rkey private/ocsp.key.pem -no_nonce -ndays 365 -reqin request.der -respout ../ocsp-good.der printf "Done.\r\n" printf "Revoking the server certificate in the CA database...\r\n" 
@@ -116,17 +123,44 @@ openssl ca -config openssl.cnf -revoke certs/server.cert.pem -crl_reason keyComp printf "Done.\r\n" printf "Answering request with REVOKED status (ocsp-revoked.der)...\r\n" -openssl ocsp -index index -CA certs/ca.cert.pem -rsigner certs/ocsp.cert.pem -rkey private/ocsp.key.pem -no_nonce -ndays 365 -reqin request.der -respout ../ocsp-revoked.der +openssl ocsp -index index -CA certs/ca-cert.pem -rsigner certs/ocsp.cert.pem -rkey private/ocsp.key.pem -no_nonce -ndays 365 -reqin request.der -respout ../ocsp-revoked.der printf "Done.\r\n" -cp certs/ca.cert.pem ../ca-cert.pem +cp certs/ca-cert.pem .. cp private/server.key.pem ../server-key.pem cp certs/server.cert.pem ../server-cert.pem printf "Creating PKCS12 client's truststore (trustStore.p12) with the CA...\r\n" rm -f ../trustStore.p12 echo "$PASS" > ../trust-password -keytool -importcert -alias ocsp-ca -file certs/ca.cert.pem -keystore ../trustStore.p12 -storetype PKCS12 -storepass "$PASS" -noprompt +keytool -importcert -alias ocsp-ca -file certs/ca-cert.pem -keystore ../trustStore.p12 -storetype PKCS12 -storepass "$PASS" -noprompt +printf "Done.\r\n" + +printf "Generating client key and certificate...\r\n" +openssl genrsa -out private/client.key.pem 2048 +openssl req -new -key private/client.key.pem -out client.csr.pem -subj "/CN=test-client" +openssl ca -batch -config openssl.cnf -extensions v3_client -in client.csr.pem -out certs/client.cert.pem -days 365 +printf "Done.\r\n" + +printf "Building OCSP request for the CLIENT certificate...\r\n" +openssl ocsp -issuer certs/ca-cert.pem -cert certs/client.cert.pem -no_nonce -reqout client-request.der +printf "Done.\r\n" + +printf "Answering request with good status for client (ocsp-client-good.der)...\r\n" +openssl ocsp -index index -CA certs/ca-cert.pem -rsigner certs/ocsp.cert.pem -rkey private/ocsp.key.pem -no_nonce -ndays 365 -reqin client-request.der -respout ../ocsp-client-good.der +printf "Done.\r\n" + +printf "Revoking the client 
certificate in the CA database...\r\n" +openssl ca -config openssl.cnf -revoke certs/client.cert.pem -crl_reason keyCompromise +printf "Done.\r\n" + +printf "Answering request with REVOKED status for client (ocsp-client-revoked.der)...\r\n" +openssl ocsp -index index -CA certs/ca-cert.pem -rsigner certs/ocsp.cert.pem -rkey private/ocsp.key.pem -no_nonce -ndays 365 -reqin client-request.der -respout ../ocsp-client-revoked.der +printf "Done.\r\n" + +printf "Creating PKCS12 client keystore for mutual TLS...\r\n" +echo "$PASS" > ../client-password +openssl pkcs12 -export -name ocsp-client -out ../client-keystore.p12 -inkey private/client.key.pem -in certs/client.cert.pem -certfile certs/ca-cert.pem -passout pass:"$PASS" printf "Done.\r\n" printf "\r\nOptional verification:\r\n" diff --git a/test/org/apache/tomcat/util/net/ocsp/ocsp-client-good.der b/test/org/apache/tomcat/util/net/ocsp/ocsp-client-good.der new file mode 100644 index 0000000000..1194788bff Binary files /dev/null and b/test/org/apache/tomcat/util/net/ocsp/ocsp-client-good.der differ diff --git a/test/org/apache/tomcat/util/net/ocsp/ocsp-client-revoked.der b/test/org/apache/tomcat/util/net/ocsp/ocsp-client-revoked.der new file mode 100644 index 0000000000..55676882c0 Binary files /dev/null and b/test/org/apache/tomcat/util/net/ocsp/ocsp-client-revoked.der differ diff --git a/test/org/apache/tomcat/util/net/ocsp/ocsp-good.der b/test/org/apache/tomcat/util/net/ocsp/ocsp-good.der index ad00418349..b4f2dadaa0 100644 Binary files a/test/org/apache/tomcat/util/net/ocsp/ocsp-good.der and b/test/org/apache/tomcat/util/net/ocsp/ocsp-good.der differ diff --git a/test/org/apache/tomcat/util/net/ocsp/ocsp-revoked.der b/test/org/apache/tomcat/util/net/ocsp/ocsp-revoked.der index f8e28dc2bc..f0b7c51a17 100644 Binary files a/test/org/apache/tomcat/util/net/ocsp/ocsp-revoked.der and b/test/org/apache/tomcat/util/net/ocsp/ocsp-revoked.der differ 
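Review bot: The client certificate is issued with `-days 365` and both client responses with `-ndays 365`, so, like the regenerated server certificate (`Not After : Oct 9 17:50:19 2026 GMT` in server-cert.pem below), the committed artifacts are liable to start failing these tests after a year; either document the regeneration requirement at the top of the script and in the Java test, or issue the test certificates and responses with a longer validity. `-passout pass:"$PASS"` also places the keystore password on the openssl command line, and since `../client-password` is written on the line just before, `-passout file:../client-password` avoids that. Whether the script runs under `set -e` is outside the hunk; if it does not, a failing `openssl ca` step in the new client section would continue silently and leave stale artifacts behind.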
diff --git a/test/org/apache/tomcat/util/net/ocsp/server-cert.pem b/test/org/apache/tomcat/util/net/ocsp/server-cert.pem index 5fafe64727..7f7097bc4d 100644 --- a/test/org/apache/tomcat/util/net/ocsp/server-cert.pem +++ b/test/org/apache/tomcat/util/net/ocsp/server-cert.pem 
@@ -5,31 +5,31 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Test CA Validity - Not Before: Oct 6 18:09:37 2025 GMT - Not After : Oct 6 18:09:37 2026 GMT + Not Before: Oct 9 17:50:19 2025 GMT + Not After : Oct 9 17:50:19 2026 GMT Subject: CN=localhost Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: - 00:e6:13:ec:d0:11:cc:5e:32:43:94:a0:5f:c2:b7: - 9c:9b:f3:3c:33:55:8f:fd:48:28:71:b9:e4:6d:64: - a9:62:3a:df:c8:35:a4:d6:5f:d4:08:0c:c1:9e:18: - 20:08:9c:0f:d4:2f:79:ab:34:ab:f7:4a:7c:ab:4b: - 38:6f:44:c3:93:a3:2e:2f:af:c9:a5:16:69:50:10: - 06:8c:96:34:15:5c:f9:98:06:a9:a6:6f:64:a2:8a: - b2:3a:68:33:7a:34:42:72:a7:59:e7:59:9c:6c:fa: - da:2e:18:d2:61:61:99:59:2f:bb:1a:64:9b:bd:9a: - 77:03:96:9b:9e:af:96:e2:3c:68:b1:fd:44:b8:86: - 3e:3e:ac:b0:f1:89:01:1f:6f:dc:ef:36:23:b3:3d: - ca:97:9a:b8:ac:77:a7:7c:ee:23:6c:86:66:94:45: - 7f:fe:f2:c3:27:84:e1:4f:40:09:83:28:2c:d5:c3: - ed:05:bc:30:eb:db:8d:74:1f:88:ac:e6:19:5b:a0: - 8d:b6:21:eb:72:84:3d:19:90:f8:26:ad:2c:13:ad: - 3c:a0:fd:c6:5d:49:9d:a1:33:2e:86:2c:c3:4d:7f: - 78:ce:aa:c6:30:36:f2:d8:4e:4d:f5:b5:21:27:e1: - e1:71:a0:99:97:db:c4:d9:5f:f6:be:6c:28:70:2d: - 21:61 + 00:b3:a6:2f:95:ec:a3:9f:18:df:92:02:2f:f6:d8: + e5:90:0d:45:b7:9b:fb:2c:63:62:a0:5d:06:a2:c6: + 5a:38:d0:02:7e:bf:ae:22:05:5a:c9:83:e1:5f:7b: + 74:00:b6:7e:58:e2:1e:40:29:b1:5f:2c:3c:5a:c2: + 5a:04:bb:4e:0f:1a:ae:f0:bc:cb:16:49:c4:6a:59: + 2e:56:e7:73:e0:c1:01:72:b0:d5:a0:86:b0:f5:77: + 16:24:57:9b:51:24:97:af:bc:3a:2c:9f:c2:89:b0: + cc:f2:d9:f9:1d:6d:25:90:2a:1a:36:3e:cb:8a:13: + 7c:e2:99:6d:7e:a1:ef:a8:36:b1:3b:75:36:14:88: + 3e:32:7b:c0:5a:55:ec:2c:9f:f8:32:f7:55:86:22: + 46:ea:ba:19:46:d0:e0:77:df:f3:95:d3:98:f8:62: + 1c:b7:fe:11:01:e7:bb:5d:82:d9:ee:32:44:9f:88: + e1:7d:f9:20:83:02:f8:8d:4d:76:26:69:c7:b1:fd: + 82:7f:a9:c9:0a:8d:26:a4:18:05:ee:04:e9:61:04: + 9f:e5:80:cc:f4:d5:3d:f7:d3:ce:1f:00:27:b5:d1: + 09:b6:cb:93:36:b4:4c:58:e3:65:f6:85:4d:51:55: + 
5f:25:01:35:b5:a7:5a:44:7f:0b:69:70:5d:8e:eb: + ff:b9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical 
@@ -43,44 +43,44 @@ Certificate: X509v3 Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost X509v3 Subject Key Identifier: - AF:63:43:43:2B:E3:A2:F8:1E:13:7D:23:E1:D7:35:3F:3F:E7:D7:83 + F0:0D:29:83:76:05:84:3A:15:D1:D7:3D:7C:80:B1:A2:B9:B2:34:E9 X509v3 Authority Key Identifier: - 47:F0:88:18:A1:DD:5F:C2:E7:21:9D:E7:90:25:8A:F8:CC:0C:97:07 + C8:FA:78:96:74:8D:80:68:85:60:FB:80:93:17:68:3A:A6:B6:FC:A8 Signature Algorithm: sha256WithRSAEncryption Signature Value: - 83:2c:30:77:81:7e:0d:92:4f:f9:2e:76:1b:e0:8c:b7:f3:f6: - 73:46:0a:86:0f:81:49:08:b4:86:88:48:71:1f:75:2b:15:8a: - 97:4a:17:4e:35:7a:ff:5e:38:9b:d8:1e:88:69:42:e4:ba:33: - 37:f1:c7:26:b1:04:52:2f:e9:6b:c3:51:ee:ad:c6:f2:ae:80: - e0:c3:a4:82:7a:90:2f:6c:80:d2:ab:8b:f4:33:a3:8b:d5:30: - ec:08:4f:6f:5a:94:ed:c3:36:a5:64:19:59:b3:7c:07:54:ab: - a9:f8:a2:a7:42:67:0a:37:9f:43:86:aa:63:07:c0:a2:b7:d3: - c1:30:f7:de:e8:74:72:57:f6:e7:da:b5:cb:ec:2d:58:58:f9: - fd:09:e9:6e:db:3d:76:3d:0e:2d:6c:63:13:f9:81:50:c1:5e: - 1a:b4:d6:dc:e5:e7:ba:d0:83:7f:c9:ef:84:de:86:a4:6c:0a: - 40:df:16:80:3d:28:72:56:3a:3f:d7:02:58:93:05:78:2a:7c: - 2b:cd:5b:4f:0c:ce:96:40:e1:4a:ae:d9:9c:74:34:bc:16:1f: - 73:45:af:d6:4a:ef:6b:97:3e:0f:8e:d4:4b:50:7e:1a:7a:ac: - 07:20:ed:5a:78:16:13:ab:c6:84:b6:e4:09:0b:51:b1:a9:4f: - 16:f6:34:67 + 55:20:97:f2:f9:44:63:65:50:f5:a2:92:99:d2:ef:90:1b:97: + aa:0d:3a:bb:6f:a1:d1:dd:99:64:86:f0:ba:f2:12:61:b6:c4: + 22:20:f1:5b:b4:8c:19:68:57:18:a4:63:47:52:e9:2e:d1:68: + b2:de:da:02:a8:4f:8f:ec:c1:d4:f7:e4:69:09:25:de:d2:60: + 5f:bf:e9:fe:12:74:ae:f1:25:59:04:53:e1:a3:3c:b9:c2:99: + 91:78:3d:79:a3:29:f9:3a:5b:59:32:b1:2c:c3:f0:3f:c2:49: + 14:36:b9:3e:c5:3f:47:1c:14:bc:da:4f:39:2d:e1:16:f6:a6: + c7:fa:f4:b8:bb:95:d9:49:b7:0b:51:ae:9b:67:b6:01:c2:30: + aa:db:17:21:6f:64:cd:2d:ff:ea:9a:ce:4a:a7:44:f5:8f:a7: + b5:f8:87:48:bf:03:8e:3e:ab:8e:44:e7:a6:64:9a:f2:06:5a: + 33:21:e1:01:8c:bf:c7:61:36:90:e4:5f:b6:e7:26:55:9e:44: + 7c:d8:52:75:f9:1b:df:7a:ef:ea:b1:a3:08:19:ae:e1:39:42: + 
ec:d2:ad:dc:63:a8:f4:54:db:8d:9f:12:ea:fe:94:cf:af:eb: + 88:66:bb:3c:cf:a9:a3:5e:4a:c5:09:94:f8:4e:03:a2:01:a1: + e5:24:92:eb -----BEGIN CERTIFICATE----- MIIDbTCCAlWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVz -dCBDQTAeFw0yNTEwMDYxODA5MzdaFw0yNjEwMDYxODA5MzdaMBQxEjAQBgNVBAMM -CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOYT7NAR -zF4yQ5SgX8K3nJvzPDNVj/1IKHG55G1kqWI638g1pNZf1AgMwZ4YIAicD9Qveas0 -q/dKfKtLOG9Ew5OjLi+vyaUWaVAQBoyWNBVc+ZgGqaZvZKKKsjpoM3o0QnKnWedZ -nGz62i4Y0mFhmVkvuxpkm72adwOWm56vluI8aLH9RLiGPj6ssPGJAR9v3O82I7M9 -ypeauKx3p3zuI2yGZpRFf/7ywyeE4U9ACYMoLNXD7QW8MOvbjXQfiKzmGVugjbYh -63KEPRmQ+CatLBOtPKD9xl1JnaEzLoYsw01/eM6qxjA28thOTfW1ISfh4XGgmZfb -xNlf9r5sKHAtIWECAwEAAaOByjCBxzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQE +dCBDQTAeFw0yNTEwMDkxNzUwMTlaFw0yNjEwMDkxNzUwMTlaMBQxEjAQBgNVBAMM +CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALOmL5Xs +o58Y35ICL/bY5ZANRbeb+yxjYqBdBqLGWjjQAn6/riIFWsmD4V97dAC2fljiHkAp +sV8sPFrCWgS7Tg8arvC8yxZJxGpZLlbnc+DBAXKw1aCGsPV3FiRXm1Ekl6+8Oiyf +womwzPLZ+R1tJZAqGjY+y4oTfOKZbX6h76g2sTt1NhSIPjJ7wFpV7Cyf+DL3VYYi +Ruq6GUbQ4Hff85XTmPhiHLf+EQHnu12C2e4yRJ+I4X35IIMC+I1NdiZpx7H9gn+p +yQqNJqQYBe4E6WEEn+WAzPTVPffTzh8AJ7XRCbbLkza0TFjjZfaFTVFVXyUBNbWn +WkR/C2lwXY7r/7kCAwEAAaOByjCBxzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQE AwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATA2BggrBgEFBQcBAQQqMCgwJgYIKwYB BQUHMAGGGmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC9vY3NwMBoGA1UdEQQTMBGHBH8A -AAGCCWxvY2FsaG9zdDAdBgNVHQ4EFgQUr2NDQyvjovgeE30j4dc1Pz/n14MwHwYD -VR0jBBgwFoAUR/CIGKHdX8LnIZ3nkCWK+MwMlwcwDQYJKoZIhvcNAQELBQADggEB -AIMsMHeBfg2ST/kudhvgjLfz9nNGCoYPgUkItIaISHEfdSsVipdKF041ev9eOJvY -HohpQuS6MzfxxyaxBFIv6WvDUe6txvKugODDpIJ6kC9sgNKri/Qzo4vVMOwIT29a -lO3DNqVkGVmzfAdUq6n4oqdCZwo3n0OGqmMHwKK308Ew997odHJX9ufatcvsLVhY -+f0J6W7bPXY9Di1sYxP5gVDBXhq01tzl57rQg3/J74TehqRsCkDfFoA9KHJWOj/X -AliTBXgqfCvNW08MzpZA4Uqu2Zx0NLwWH3NFr9ZK72uXPg+O1EtQfhp6rAcg7Vp4 -FhOrxoS25AkLUbGpTxb2NGc= +AAGCCWxvY2FsaG9zdDAdBgNVHQ4EFgQU8A0pg3YFhDoV0dc9fICxormyNOkwHwYD 
+VR0jBBgwFoAUyPp4lnSNgGiFYPuAkxdoOqa2/KgwDQYJKoZIhvcNAQELBQADggEB +AFUgl/L5RGNlUPWikpnS75Abl6oNOrtvodHdmWSG8LryEmG2xCIg8Vu0jBloVxik +Y0dS6S7RaLLe2gKoT4/swdT35GkJJd7SYF+/6f4SdK7xJVkEU+GjPLnCmZF4PXmj +Kfk6W1kysSzD8D/CSRQ2uT7FP0ccFLzaTzkt4Rb2psf69Li7ldlJtwtRrptntgHC +MKrbFyFvZM0t/+qazkqnRPWPp7X4h0i/A44+q45E56ZkmvIGWjMh4QGMv8dhNpDk +X7bnJlWeRHzYUnX5G9967+qxowgZruE5QuzSrdxjqPRU242fEur+lM+v64hmuzzP +qaNeSsUJlPhOA6IBoeUkkus= -----END CERTIFICATE----- diff --git a/test/org/apache/tomcat/util/net/ocsp/server-key.pem b/test/org/apache/tomcat/util/net/ocsp/server-key.pem index 9ae76c0640..1a63661cef 100644 --- a/test/org/apache/tomcat/util/net/ocsp/server-key.pem +++ b/test/org/apache/tomcat/util/net/ocsp/server-key.pem 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDmE+zQEcxeMkOU -oF/Ct5yb8zwzVY/9SChxueRtZKliOt/INaTWX9QIDMGeGCAInA/UL3mrNKv3Snyr -SzhvRMOToy4vr8mlFmlQEAaMljQVXPmYBqmmb2SiirI6aDN6NEJyp1nnWZxs+tou -GNJhYZlZL7saZJu9mncDlpuer5biPGix/US4hj4+rLDxiQEfb9zvNiOzPcqXmris -d6d87iNshmaURX/+8sMnhOFPQAmDKCzVw+0FvDDr2410H4is5hlboI22IetyhD0Z -kPgmrSwTrTyg/cZdSZ2hMy6GLMNNf3jOqsYwNvLYTk31tSEn4eFxoJmX28TZX/a+ -bChwLSFhAgMBAAECggEAMKHaDuIQOYH05HvgufMfNJydpzkpAi/oMp/JL7FVF2kb -58ElClY/poLxwyXU0ZURSHfPhzePOOqC/x8bevOFRpX5u4U0AYQC9zQn+jv+ntxj -+rU/02kc07mu8icX6HcW647Bs2Pu61870n4XLBPZ+u7apPnKrLFzgivp0YlKgp+9 -JSVH+hiTNS3t7ujvB3msmBFe0SrYBZfh623aUniPaH2mwogt6Ii5nty8kT0RvqZZ -+xYm3F5xSbObaalF21fAAzFf9byT4wfLLej/ewO4vIb3r5cfi/XWLa5BFS5918Vl -ugWrNk26EOYsA+8iHAlF9rJfTuBy2lnIdE3P9ToRBQKBgQDzMUF8ZOq9sLpq+UJm -ShysL0/IuXpzqwa4IJGIAEREEv3x6yDTFTmSfijvXMC4dRAfk59ODo69BYtMuqIh -WFThb2SKxJUj8+kS8OxtPt015qls7hb/NZT1kkaerwee1CTVZccyk4FOft3hM3Gv -9ZZZqiIl8CaUB/+k4I9/K92kJQKBgQDyMdt1sfYO5uEW4YPyKtCQCtUl3ifLNhNA -Stps0fS5QbhoKi+q5jprIFYqsNlS/c1OghFdnW2TYxadrwWnAFegwIuCj3Kb9BcE -2lprxoyQkoWwprZ37e85/sYSfb3e5XLpdcDHZgJ2JGf59WZTv/vosHwSh0ZtEj+B -4+Gsd8EFjQKBgQCkhyRYtiWh49ia2ruzXFx9mRyPHfzcGE7Zbx9GNXf53idz7bEt -XWSv2S50kfnIUVpxInxaYLrs4r1VUcaybIIwah5JS6niwvdiWyB44FjkSINDMOja -DDQU17tzS9MJ/1hUDyFu9CA9LNOLsjQt6SaoztN/ezN+XtLzhwFN9i1jCQKBgQDM -8ZWUvZfKumJke0atCL/d89y0I44m7kZSFEVK6kuc7FkAhBo8EoACoKVpkKcGDFDM -C1Jolkvf+Wxs2Gr/C1IbbHNhcsN35pAIAkGbi7Lsr6BDgH9NcuEJgWbYxOCDmkOn -/IW59b9Fe78kjB0f54hiOd1zzFay+0sUPeJ8kAWdDQKBgGd5VQHSJIYU+eH/jceO -AynVdbO5RqI2J7XSRNQNbevc9657qQ++9ws2r73pSVOx9GhuN7pSworNhpw7SACt -0vNkWFM/GaQZZTwxVP7bmKcqxZUOAdw5zpVuXVKgn8YJfja+kYa28ohUZ7PTBAXh -cSer5Nnjs7kgD3axyGKoyNeB +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCzpi+V7KOfGN+S +Ai/22OWQDUW3m/ssY2KgXQaixlo40AJ+v64iBVrJg+Ffe3QAtn5Y4h5AKbFfLDxa +wloEu04PGq7wvMsWScRqWS5W53PgwQFysNWghrD1dxYkV5tRJJevvDosn8KJsMzy +2fkdbSWQKho2PsuKE3zimW1+oe+oNrE7dTYUiD4ye8BaVewsn/gy91WGIkbquhlG 
+0OB33/OV05j4Yhy3/hEB57tdgtnuMkSfiOF9+SCDAviNTXYmacex/YJ/qckKjSak +GAXuBOlhBJ/lgMz01T33084fACe10Qm2y5M2tExY42X2hU1RVV8lATW1p1pEfwtp +cF2O6/+5AgMBAAECggEABdjR0apbBPGVTTY/A2S5y/9ylnBAM4ikjB2a+q9D/nde +rWtlqnvMIaTmL+pfsyo9YH0ziNkSictxx25t6ZuDBeDTcshiP7504xU1+eQclGMT +vfzdZxUbK1IN6W7kgjaTrUeOCSfF+B9F/F11yyxjPZbxNXTDwSGzPdjKhIWWvD3F +T0xUHKm+XKHWmEveporOmH1M6wxVfZ8NbAqWYRhFaUp+GZwjv2M+trXdyDmlNPWQ +k66FdZNM+Roa2nGVcgXDdue/+Xah5eNrNzIm7ilodBQzS7Z5ADYVFktyBTGfRCs3 +Uc2BUGZrVZSRu10DybZo+0XE7HLgdMzlTxTax65hBQKBgQD8ltIYCRBzbRn7EC9O +tbmyKCutxUCNe8t5cLm6iFTILOR2DZSsQH8cav0uGNMgXo0oHvY2H49xw5DqfSy2 +jcVhIKXoDKvHOrU7Ph/attIvyTTizprupAEi7dnZGf0sENQBR1BuSRMGv4B8hYKL +51PfkspTBtsaZZhDAjJlYjYZVwKBgQC2EzfFeNKF9IZ4Gfexsrvj84Y8S3kfkxzT +jZkT+JZFRDhNCA7tORZJcriQnitK1M2dA0L1xNFQH+5mVLnn2YwZMgWGYWWKNfD9 +r/oS7yVy9qr3yf5i+XHk/Dr4LvDsyYlGuRLVfLltcggj5g84JTYabvVzo6j5ss/3 +VVbzMIg1bwKBgQDjDTP31RYLm/Pxwf+0chhldESnJJu9Up16IYFikrAbbHdFQzn0 +iNl6ExZY/Im0HCoo+YP67O3FprU6g6DQzKmzgGSCLfmv0i8c/OAne5V+zRAUHQIa +KCS5YDMmO31fwhTAvXkoWdmXhEccJ+tMlXnIjCwA7DXCCbcP7QaeKeVVawKBgQCw +HPCiOpbvaTE0NHHo2OhyuhgKdDpJd0O3wUvjDF1VzIHkyLmfbcuH6cZqZAOeEy57 +BC+dh+2qYeh35NYZU8z2hfLgI49S25Ap4jCyZc1EYSHIIgLEe2FWSz9C1izF7L6y +wMtd4pF9MoJ7Lslj1mJ5uQAEBbapJ/OO2mYLPtNRUwKBgQCC4aV+boMhDfvYpAir +PTk+od7rBBcBZnV2dnqz4BHl7cfZCzD2GmJesgBLEBuf3r3sMGov3tItLkCteCqt +cc3vwC+tNCpz8INLUMCR8i64J4ZgrwUgUbmt+myoAIDx/46GVGsknvuzSabLRH3h +L9eCqiIiXCbiXjWw4vDfkXqdIA== -----END PRIVATE KEY----- diff --git a/test/org/apache/tomcat/util/net/ocsp/trustStore.p12 b/test/org/apache/tomcat/util/net/ocsp/trustStore.p12 index 62d6a603cf..5b66a7d8d8 100644 Binary files a/test/org/apache/tomcat/util/net/ocsp/trustStore.p12 and b/test/org/apache/tomcat/util/net/ocsp/trustStore.p12 differ --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
