-rw-r--r-- | net/test/base_test_server.cc | 4 | ||||
-rw-r--r-- | net/test/base_test_server.h | 2 | ||||
-rw-r--r-- | net/tools/testserver/minica.py | 28 | ||||
-rwxr-xr-x | net/tools/testserver/testserver.py | 18 |
4 files changed, 38 insertions, 14 deletions
diff --git a/net/test/base_test_server.cc b/net/test/base_test_server.cc
index 323ff70..4321614 100644
--- a/net/test/base_test_server.cc
+++ b/net/test/base_test_server.cc
@@ -101,6 +101,10 @@ std::string BaseTestServer::HTTPSOptions::GetOCSPArgument() const {
       return "revoked";
     case OCSP_INVALID:
       return "invalid";
+    case OCSP_UNAUTHORIZED:
+      return "unauthorized";
+    case OCSP_UNKNOWN:
+      return "unknown";
     default:
       NOTREACHED();
       return "";
diff --git a/net/test/base_test_server.h b/net/test/base_test_server.h
index 9456f37..901c0bc 100644
--- a/net/test/base_test_server.h
+++ b/net/test/base_test_server.h
@@ -66,6 +66,8 @@ class BaseTestServer {
     OCSP_OK,
     OCSP_REVOKED,
     OCSP_INVALID,
+    OCSP_UNAUTHORIZED,
+    OCSP_UNKNOWN,
   };
 
   // Bitmask of bulk encryption algorithms that the test server supports
diff --git a/net/tools/testserver/minica.py b/net/tools/testserver/minica.py
index 48da3c7..bfe896f 100644
--- a/net/tools/testserver/minica.py
+++ b/net/tools/testserver/minica.py
@@ -246,7 +246,7 @@ def MakeCertificate(
       ]))
 
 
-def MakeOCSPResponse(issuer_cn, issuer_key, serial, revoked):
+def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state):
   # https://tools.ietf.org/html/rfc2560
   issuer_name_hash = asn1.OCTETSTRING(
     hashlib.sha1(asn1.ToDER(Name(cn = issuer_cn))).digest())
@@ -255,10 +255,14 @@ def MakeOCSPResponse(issuer_cn, issuer_key, serial, revoked):
     hashlib.sha1(asn1.ToDER(issuer_key)).digest())
 
   cert_status = None
-  if revoked:
+  if ocsp_state == OCSP_STATE_REVOKED:
     cert_status = asn1.Explicit(1, asn1.GeneralizedTime("20100101060000Z"))
-  else:
+  elif ocsp_state == OCSP_STATE_UNKNOWN:
+    cert_status = asn1.Raw(asn1.TagAndLength(0x80 | 2, 0))
+  elif ocsp_state == OCSP_STATE_GOOD:
     cert_status = asn1.Raw(asn1.TagAndLength(0x80 | 0, 0))
+  else:
+    raise ValueError('Bad OCSP state: ' + str(ocsp_state))
 
   basic_resp_data_der = asn1.ToDER(asn1.SEQUENCE([
     asn1.Explicit(2, issuer_key_hash),
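Review bot: The two new enumerators added to the OCSP enum in base_test_server.h carry no comment saying what the test server will serve for them, and the bare names are ambiguous — "unknown" could be read as a malformed reply rather than the OCSP `unknown` CertStatus. GetOCSPArgument maps them to the strings `unauthorized` and `unknown`, which minica.py in this same commit turns into an OCSPResponse with responseStatus unauthorized(6) and a signed response whose CertStatus is unknown, so I would write `OCSP_UNAUTHORIZED,  // responder answers with OCSPResponseStatus unauthorized (6)` and `OCSP_UNKNOWN,  // signed response whose CertStatus is unknown`. The enclosing class body continues outside the hunk.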
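Review bot: `MakeOCSPResponse` still has no docstring, and its last parameter has just changed from a bool to a state code whose accepted values are stated nowhere near the signature; callers that passed `revoked=` by keyword also break silently at this rename, which is worth saying in the commit description. I would add a docstring along the lines of `'''Returns the DER of a signed OCSPResponse for serial, issued by issuer_cn/issuer_key. ocsp_state must be OCSP_STATE_GOOD, OCSP_STATE_REVOKED or OCSP_STATE_UNKNOWN; any other value raises ValueError.'''` — INVALID and UNAUTHORIZED are handled by the caller and must not reach this function. The function body continues into the next hunk.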
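Review bot: The two `asn1.Raw(asn1.TagAndLength(0x80 | N, 0))` lines encode the `good` and `unknown` alternatives of the CertStatus CHOICE, and that is not recoverable from the magic numbers alone; both alternatives are context-specific IMPLICIT NULLs in RFC 6960, so tags 0x80 and 0x82 with a zero length are correct, but a reader cannot verify that without the spec open. I would annotate them: `# CertStatus good: [0] IMPLICIT NULL` and `# CertStatus unknown: [2] IMPLICIT UnknownInfo (NULL)`. The trailing `else: raise ValueError` is the right addition, since a state this function cannot encode previously fell through to `good`.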
@@ -307,10 +311,19 @@ def DERToPEM(der):
   pem += '-----END CERTIFICATE-----\n'
   return pem
 
+OCSP_STATE_GOOD = 1
+OCSP_STATE_REVOKED = 2
+OCSP_STATE_INVALID = 3
+OCSP_STATE_UNAUTHORIZED = 4
+OCSP_STATE_UNKNOWN = 5
+
+# unauthorizedDER is an OCSPResponse with a status of 6:
+#   SEQUENCE { ENUM(6) }
+unauthorizedDER = '30030a0106'.decode('hex')
 
 def GenerateCertKeyAndOCSP(subject = "127.0.0.1",
                            ocsp_url = "http://127.0.0.1",
-                           ocsp_revoked = False):
+                           ocsp_state = OCSP_STATE_GOOD):
   '''GenerateCertKeyAndOCSP returns a (cert_and_key_pem, ocsp_der) where:
     * cert_and_key_pem contains a certificate and private key in PEM format
       with the given subject common name and OCSP URL.
@@ -324,6 +337,11 @@ def GenerateCertKeyAndOCSP(subject = "127.0.0.1",
 
   ocsp_der = None
   if ocsp_url is not None:
-    ocsp_der = MakeOCSPResponse(ISSUER_CN, KEY, serial, ocsp_revoked)
+    if ocsp_state == OCSP_STATE_UNAUTHORIZED:
+      ocsp_der = unauthorizedDER
+    elif ocsp_state == OCSP_STATE_INVALID:
+      ocsp_der = '3'
+    else:
+      ocsp_der = MakeOCSPResponse(ISSUER_CN, KEY, serial, ocsp_state)
 
   return (cert_pem + KEY_PEM, ocsp_der)
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 6c1f027..c96623b 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -2037,15 +2037,18 @@ def main(options, args):
                              (host, ocsp_server.server_port))
 
     ocsp_der = None
-    ocsp_revoked = False
-    ocsp_invalid = False
+    ocsp_state = None
 
     if options.ocsp == 'ok':
-      pass
+      ocsp_state = minica.OCSP_STATE_GOOD
     elif options.ocsp == 'revoked':
-      ocsp_revoked = True
+      ocsp_state = minica.OCSP_STATE_REVOKED
     elif options.ocsp == 'invalid':
-      ocsp_invalid = True
+      ocsp_state = minica.OCSP_STATE_INVALID
+    elif options.ocsp == 'unauthorized':
+      ocsp_state = minica.OCSP_STATE_UNAUTHORIZED
+    elif options.ocsp == 'unknown':
+      ocsp_state = minica.OCSP_STATE_UNKNOWN
     else:
       print 'unknown OCSP status: ' + options.ocsp_status
       return
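Review bot: `unauthorizedDER` is the only camelCase module-level name in this hunk: it sits next to the new `OCSP_STATE_*` constants, and the module names the next hunk reads (`ISSUER_CN`, `KEY`, `KEY_PEM`) are upper-case too, so `OCSP_UNAUTHORIZED_DER = '30030a0106'.decode('hex')` would match the file. The bytes are right — `30 03` is a three-byte SEQUENCE holding `0a 01 06`, an ENUMERATED of 6, i.e. an OCSPResponse with responseStatus unauthorized and no responseBytes — and the comment would be more useful spelled out that way than as `ENUM(6)`. `'...'.decode('hex')` only exists on Python 2 (which this file is, given the print statement in testserver.py); `binascii.unhexlify('30030a0106')` is the equivalent that also survives a port. The visible part of the GenerateCertKeyAndOCSP docstring does not mention `ocsp_state`; if the rest of it, outside the hunk, does not either, it should list the accepted OCSP_STATE_* values and which ones produce a deliberately bad response.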
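Review bot: `ocsp_der = '3'` in the new OCSP_STATE_INVALID branch is a single 0x33 byte that is intentionally not a DER OCSPResponse, and nothing says so — it was just as unexplained when it lived in testserver.py. I would write `ocsp_der = '3'  # deliberately malformed: not valid DER, the client must reject it`. Note also that when `ocsp_url` is None the whole dispatch is skipped and a non-GOOD `ocsp_state` is silently ignored; that is pre-existing behaviour, but either a `ValueError` there or one docstring sentence would make the contract explicit.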
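Review bot: The error path immediately after the new `elif` branches prints `options.ocsp_status`, while every condition in the chain tests `options.ocsp`; unless the option parser (outside the hunk) defines both attributes, that line raises AttributeError instead of reporting the bad value, and the two new spellings make a typo such as `unauthorised` more likely to land there. It should read `print 'unknown OCSP status: ' + options.ocsp`. With five string-to-constant pairs the chain could also become a dict lookup, `ocsp_state = OCSP_STATES.get(options.ocsp)`, with a None result driving the error message, but that is a matter of taste. The rest of main() is outside the hunk.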
@@ -2055,10 +2058,7 @@ def main(options, args):
         subject = "127.0.0.1",
         ocsp_url = ("http://%s:%d/ocsp" %
                     (host, ocsp_server.server_port)),
-        ocsp_revoked = ocsp_revoked)
-
-    if ocsp_invalid:
-      ocsp_der = '3'
+        ocsp_state = ocsp_state)
 
     ocsp_server.ocsp_response = ocsp_der