authorinoguchi <>2020-05-18 13:55:04 +0000
committerinoguchi <>2020-05-18 13:55:04 +0000
commite73b818448057ce4fec815b7f2b2770ece5877f7 (patch)
treef236718018442295a965d96177a7bf43bc9003fa
parent0a9a6e4ba73f680e22dad2cd9d2d51f40988443f (diff)
Add client certificate test in appstest.sh
-rwxr-xr-xsrc/regress/usr.bin/openssl/appstest.sh91
1 files changed, 89 insertions, 2 deletions
diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh
index f198f7ecd7..98d619c539 100755
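--- a/src/regress/usr.bin/openssl/appstest.sh
+++ b/src/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $OpenBSD: appstest.sh,v 1.41 2020/05/18 11:42:34 inoguchi Exp $
+# $OpenBSD: appstest.sh,v 1.42 2020/05/18 13:55:04 inoguchi Exp $
 #
 # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
 #
@@ -984,6 +984,47 @@ __EOF__
  -passout pass:$cl_rsa_pass -subj $subj > $cl_rsa_csr.log 2>&1
  check_exit_status $?
 
+ start_message "req ... generate private key and csr for user2"
+
+ cl_ecdsa_key=$user1_dir/cl_ecdsa_key.pem
+ cl_ecdsa_csr=$user1_dir/cl_ecdsa_csr.pem
+ cl_ecdsa_pass=test-user1-pass
+
+ if [ $mingw = 0 ] ; then
+ subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user2.test_dummy.com/'
+ else
+ subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user2.test_dummy.com\'
+ fi
+
+ $openssl_bin ecparam -name prime256v1 -genkey -out $cl_ecdsa_key
+ check_exit_status $?
+
+ $openssl_bin req -new -subj $subj -sha256 \
+ -key $cl_ecdsa_key -keyform pem -passin pass:$cl_ecdsa_pass \
+ -out $cl_ecdsa_csr -outform pem
+ check_exit_status $?
+
+ start_message "req ... generate private key and csr for user3"
+
+ cl_gost_key=$user1_dir/cl_gost_key.pem
+ cl_gost_csr=$user1_dir/cl_gost_csr.pem
+ cl_gost_pass=test-user1-pass
+
+ if [ $mingw = 0 ] ; then
+ subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user3.test_dummy.com/'
+ else
+ subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user3.test_dummy.com\'
+ fi
+
+ $openssl_bin genpkey -algorithm GOST2001 -pkeyopt paramset:A \
+ -pkeyopt dgst:streebog512 -out $cl_gost_key
+ check_exit_status $?
+
+ $openssl_bin req -new -subj $subj -streebog512 \
+ -key $cl_gost_key -keyform pem -passin pass:$cl_gost_pass \
+ -out $cl_gost_csr -outform pem
+ check_exit_status $?
+
  #---------#---------#---------#---------#---------#---------#---------
 
  # --- CA operations (issue cert for user1) ---
@@ -995,6 +1036,20 @@ __EOF__
  $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
  -in $cl_rsa_csr -out $cl_rsa_cert > $cl_rsa_cert.log 2>&1
  check_exit_status $?
+
+ start_message "ca ... issue cert for user2"
+
+ cl_ecdsa_cert=$user1_dir/cl_ecdsa_cert.pem
+ $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
+ -in $cl_ecdsa_csr -out $cl_ecdsa_cert > $cl_ecdsa_cert.log 2>&1
+ check_exit_status $?
+
+ start_message "ca ... issue cert for user3"
+
+ cl_gost_cert=$user1_dir/cl_gost_cert.pem
+ $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
+ -in $cl_gost_csr -out $cl_gost_cert > $cl_gost_cert.log 2>&1
+ check_exit_status $?
 }
 
 function test_tsa {
@@ -1546,6 +1601,38 @@ function test_sc_verify {
  else
  check_exit_status 0
  fi
+
+ # client certificate pattern
+
+ s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_client_cert.out
+
+ start_message "s_client ... connect to tls/ssl test server with client certificate $ver"
+
+ if [ $ecdsa_tests = 1 ] ; then
+ echo "Using ECDSA client certificate"
+ crt=$cl_ecdsa_cert
+ key=$cl_ecdsa_key
+ pwd=$cl_ecdsa_pass
+ elif [ $gost_tests = 1 ] ; then
+ echo "Using GOST client certificate"
+ crt=$cl_gost_cert
+ key=$cl_gost_key
+ pwd=$cl_gost_pass
+ else
+ echo "Using RSA client certificate"
+ crt=$cl_rsa_cert
+ key=$cl_rsa_key
+ pwd=$cl_rsa_pass
+ fi
+
+ sleep $test_pause_sec
+ $c_bin s_client -connect $host:$port -CAfile $ca_cert \
+ -$ver -cert $crt -key $key -pass pass:$pwd \
+ -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
+ check_exit_status $?
+
+ grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
+ check_exit_status $?
 }
 
 function test_server_client {
@@ -1606,7 +1693,7 @@ function test_server_client {
  -cert $crt -key $key -pass pass:$pwd \
  -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
  -alpn "http/1.1,spdy/3" -www -cipher ALL $extra_opts \
- -msg -tlsextdebug > $s_server_out 2>&1 &
+ -msg -tlsextdebug -verify 3 > $s_server_out 2>&1 &
  check_exit_status $?
  s_server_pid=$!
  echo "s_server pid = [ $s_server_pid ]"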
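Review bot: The new client-certificate check in test_sc_verify (new lines 1629-1635) can pass without the server ever validating the client certificate: `grep 'Verify return code: 0 (ok)' $s_client_out` reports the client's verification of the server chain, and the `-verify 3` added to s_server in test_server_client only requests a client certificate rather than requiring one. Consider also asserting on the server side, for example `grep 'verify return:1' $s_server_out > /dev/null` followed by `check_exit_status $?`, assuming s_server logs its verify callback result to that file and that no earlier connection in the run already produced the line. `-Verify 3` would make the certificate mandatory, but it would presumably break the preceding s_client patterns in this function that connect without a certificate. Both functions start outside the visible hunks.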