From 1f4f030233a895586aa7e114c92f4aa213250752 Mon Sep 17 00:00:00 2001
From: Jacob Champion
Date: Mon, 15 Jul 2024 06:40:07 -0700
Subject: [PATCH 2/2] WIP: move to OpenSSL-constructed index files

---
src/test/ssl/conf/ocsp.config | 19 +++++++++
src/test/ssl/sslfiles.mk | 75 ++++++++++++++---------------------
2 files changed, 48 insertions(+), 46 deletions(-)
create mode 100644 src/test/ssl/conf/ocsp.config

diff --git a/src/test/ssl/conf/ocsp.config b/src/test/ssl/conf/ocsp.config
new file mode 100644
index 0000000000..831c2f681c
--- /dev/null
+++ b/src/test/ssl/conf/ocsp.config
@@ -0,0 +1,19 @@
+[ ca ]
+default_ca = ocsp
+
+# A shell of a CA, mostly duplicating the server CA, which is used only during
+# the OCSP index generation recipes.
+[ ocsp ]
+dir = ./ssl/
+
+# The database (or "index") is the main thing we want.
+database = ./ssl/ocsp-certindex
+
+# Everything else should all be unused, so we specify whatever's most
+# convenient. In particular there's no need to have a unique cert/key pair for
+# this.
+certificate = ./ssl/server_ca.crt
+private_key = ./ssl/server_ca.key
+serial = ./ssl/ocsp_ca.srl
+default_md = sha256
+policy = policy_match
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index 9ba88f0be9..bfefa6a33e 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -196,6 +196,7 @@ CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
 root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
 server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
 client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
+ocsp_ca_state_files := ssl/ocsp-certindex ssl/ocsp-certindex.attr ssl/ocsp_ca.srl
 
 # These are the workhorse recipes. `openssl ca` can't be safely run from
 # parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
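Review bot: The comment "Everything else should all be unused" above `certificate`/`private_key` in conf/ocsp.config is misleading: as far as I can tell from `openssl ca`, the CA private key and certificate are loaded and cross-checked before the database is opened, even for `-valid`/`-revoke`, so those two entries must name an existing, matching pair (here the server CA's) or every index recipe fails at that step. Only `serial`, `default_md` and `policy` are consulted when actually signing, which these recipes never do, and `policy_match` is not defined anywhere in this file, which is harmless for that reason but worth saying rather than leaving a dangling reference. I would reword the block to `# certificate/private_key are loaded and cross-checked by 'openssl ca' even for -valid/-revoke, so reuse the server CA's existing pair; serial/default_md/policy are only consulted when signing, which we never do here.`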
@@ -224,6 +225,7 @@ ssl/%.csr: ssl/%.key conf/%.config
 #
 .INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+.INTERMEDIATE: $(ocsp_ca_state_files)
 # OpenSSL requires a directory to put all generated certificates in. We don't
 # use this for anything, but we need a location.
@@ -245,68 +247,49 @@ ssl/%.srl:
 # OCSP
 #
 .INTERMEDIATE: $(OCSPS:%=ssl/%.idx)
+
 # given status 'V' without 'revocation date' to generate an ocsp response with status 'good' for 10000 days
-ssl/server-ocsp-good.idx: ssl/server-cn-only.crt
- expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
- serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
- cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
- echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" > $@
+ssl/server-ocsp-good.idx: conf/ocsp.config ssl/server-cn-only.crt | $(ocsp_ca_state_files)
+ : > ssl/ocsp-certindex
+ openssl ca -config conf/ocsp.config -valid ssl/server-cn-only.crt
+ cp ssl/ocsp-certindex $@
 
 # given status 'R' and 'revocation date' to generate an ocsp response with status 'revoked' for 10000 days
-ssl/server-ocsp-revoked.idx: ssl/server-cn-only.crt
- expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
- serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
- revocation_date=$$(date --utc +'%y%m%d%H%M%SZ'); \
- cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
- echo "R\t$$expiration_date\t$$revocation_date\t$$serial_number\tunknown\t$$cert_subject" > $@
+ssl/server-ocsp-revoked.idx: conf/ocsp.config ssl/server-cn-only.crt | $(ocsp_ca_state_files)
+ : > ssl/ocsp-certindex
+ openssl ca -config conf/ocsp.config -revoke ssl/server-cn-only.crt
+ cp ssl/ocsp-certindex $@
 
 # generate an ocsp response with status 'unknown' using a none-existing certificate serial number 1970010100000000
-ssl/server-ocsp-unknown.idx: ssl/server-cn-only.crt
- expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
- serial_number="1970010100000000"; \
- cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
- echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" > $@
+ssl/server-ocsp-unknown.idx:
+ touch $@
 
 # generate an ocsp response with status 'good' but nextUpdate 'expired' in only 1 minute
-ssl/server-ocsp-expired.idx: ssl/server-cn-only.crt
- expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
- serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
- cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
- echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" > $@
+ssl/server-ocsp-expired.idx: ssl/server-ocsp-good.idx
+ cp $< $@
 
 # server-cn-only.crt (good), ocsp response for server_ca.crt in (good|revoked|unknown|expired)
 # good, good
-ssl/server-ca-ocsp-good.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
- expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
- serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
- cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
- cat ssl/server-ocsp-good.idx > $@; \
- echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" >> $@
+ssl/server-ca-ocsp-good.idx: conf/ocsp.config ssl/server-cn-only.crt ssl/server_ca.crt | $(ocsp_ca_state_files)
+ : > ssl/ocsp-certindex
+ openssl ca -config conf/ocsp.config -valid ssl/server-cn-only.crt
+ openssl ca -config conf/ocsp.config -valid ssl/server_ca.crt
+ cp ssl/ocsp-certindex $@
 
 # good, revoked
-ssl/server-ca-ocsp-revoked.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
- expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
- serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
- revocation_date=$$(date --utc +'%y%m%d%H%M%SZ'); \
- cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
- cat ssl/server-ocsp-good.idx > $@; \
- echo "R\t$$expiration_date\t$$revocation_date\t$$serial_number\tunknown\t$$cert_subject" >> $@
+ssl/server-ca-ocsp-revoked.idx: conf/ocsp.config ssl/server-cn-only.crt ssl/server_ca.crt | $(ocsp_ca_state_files)
+ : > ssl/ocsp-certindex
+ openssl ca -config conf/ocsp.config -valid ssl/server-cn-only.crt
+ openssl ca -config conf/ocsp.config -revoke ssl/server_ca.crt
+ cp ssl/ocsp-certindex $@
 
 # good, unknown
-ssl/server-ca-ocsp-unknown.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
- expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
- serial_number="1970010100000001"; \
- cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
- cat ssl/server-ocsp-good.idx > $@; \
- echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" >> $@
+ssl/server-ca-ocsp-unknown.idx: ssl/server-ocsp-good.idx
+ cp $< $@
 
 # good, expired
-ssl/server-ca-ocsp-expired.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
- expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
- serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
- cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
- cat ssl/server-ocsp-good.idx > $@; \
- echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" >> $@
+ssl/server-ca-ocsp-expired.idx: ssl/server-ca-ocsp-good.idx
+ cp $< $@
 
 # All of the responses have the server cert in the chain.
 OCSPCHAIN = -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt
-- 
2.34.1
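Review bot: The new recipes invoke a bare `openssl` while the lines they replace go through `$(OPENSSL)`, so an `OPENSSL=...` override applied to the rest of the certificate generation would silently not reach the index generation; each of the six `openssl ca -config conf/ocsp.config ...` lines in `ssl/server-ocsp-good.idx`, `ssl/server-ocsp-revoked.idx`, `ssl/server-ca-ocsp-good.idx` and `ssl/server-ca-ocsp-revoked.idx` should read `$(OPENSSL) ca -config conf/ocsp.config ...`. The comments kept above the rewritten rules still describe the old hand-written index lines: `ssl/server-ocsp-unknown.idx` is now an empty file produced by `touch $@`, not an entry with serial 1970010100000000, and both `-ocsp-expired.idx` targets are plain copies of a 'good' index, so the 'nextUpdate expired in only 1 minute' behaviour presumably comes from responder options outside this hunk; I would change the 'unknown' comment to `# an empty index: the responder answers 'unknown' for any serial it cannot find` and say on the expired rules that the index itself is identical to the good one. The shared scratch file `ssl/ocsp-certindex`, which every recipe truncates with `: >` and then copies to `$@`, is only safe because of the .NOTPARALLEL noted in the earlier hunk; a one-line comment on the first of these rules saying so would keep the next reader from reading it as a race.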