On the ocsp-verification branch: Update test for serf_ssl_cert_certificate().
* test/test_ssl.c
(test_ssl_cert_certificate): Use the new certificate.
Check the subjectAltNames and OCSP responder URLs.
* test/certs/create_certs.py
(create_cert): Add optional parameter ocsp_responder_url.
(__main__): Generate test certificate with sAN and OCSP URI.
* test/certs/serfserver_san_ocsp_cert.pem: New.
git-svn-id: https://svn.apache.org/repos/asf/serf/branches/ocsp-verification@1773321 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/test/certs/create_certs.py b/test/certs/create_certs.py
index 2668afe..59af0b1 100755
--- a/test/certs/create_certs.py
+++ b/test/certs/create_certs.py
@@ -83,7 +83,8 @@
# subjectAltName
def create_cert(subjectkey, certfile, issuer=None, issuerkey=None, country='',
state='', city='', org='', ou='', cn='', email='', ca=False,
- valid_before=0, days_valid=VALID_DAYS, subjectAltName=None):
+ valid_before=0, days_valid=VALID_DAYS, subjectAltName=None,
+ ocsp_responder_url=None):
'''
Create a X509 signed certificate.
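Review bot: The new `ocsp_responder_url` parameter is added to the signature of `create_cert` without documentation. No other hunk in this file touches the docstring that opens at the end of this hunk, or what looks like a field list in the comment above the `def` (only its last entry, `# subjectAltName`, is visible). I would add an entry in both places, for example `ocsp_responder_url: optional URI written to the authorityInfoAccess extension as the OCSP access location; the extension is omitted when the value is None or empty`. The docstring and the function body continue outside the hunk.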
@@ -130,6 +131,11 @@
cert.add_extensions([
crypto.X509Extension('subjectAltName', critical, ", ".join(subjectAltName))])
+ if ocsp_responder_url:
+ cert.add_extensions([
+ crypto.X509Extension('authorityInfoAccess', False,
+ 'OCSP;URI:' + ocsp_responder_url)])
+
cert.sign(issuerkey, SIGN_ALGO)
open(certfile, "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM,
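Review bot: `ocsp_responder_url` is concatenated straight into the extension value on the `'OCSP;URI:' + ocsp_responder_url` line, and OpenSSL parses that string with its extension syntax, where a comma starts another access description. With the literal passed from `__main__` this is harmless, but a caller passing a URL that contains a comma would get a certificate whose AIA contents differ from what was intended. A guard such as `if ',' in ocsp_responder_url: raise ValueError('unsupported character in ocsp_responder_url')` before the `add_extensions` call would make that fail loudly. A short comment noting that `False` is the criticality flag, and that RFC 5280 requires authorityInfoAccess to be non-critical, would also help the next reader. The enclosing function starts and ends outside the hunk.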
@@ -204,6 +210,20 @@
days_valid=13*365,
subjectAltName=['DNS:localhost'])
+ # server certificate with OCSP responder URL
+ ocspcert = create_cert(subjectkey=serverkey,
+ certfile='serfserver_san_ocsp_cert.pem',
+ issuer=cacert, issuerkey=cakey,
+ country='BE', state='Antwerp', city='Mechelen',
+ org='In Serf we trust, Inc.',
+ ou='Test Suite Server',
+ cn='localhost',
+ email='serfserver@example.com',
+ days_valid=13*365,
+ subjectAltName=['DNS:localhost'],
+ ocsp_responder_url='http://localhost:17080')
+
+
# client key pair and certificate
clientkey = create_key('private/serfclientkey.pem', 'serftest')
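Review bot: The comment on the new block should say that the generated `serfserver_san_ocsp_cert.pem` is checked in and that `test_ssl_cert_certificate` in test/test_ssl.c asserts its SHA-1 fingerprint, its notBefore/notAfter strings and the responder URL literally. Re-running this script would presumably produce a certificate with a new validity window and fingerprint, and the test would then fail for reasons unrelated to the code under test. Something like `# NOTE: test/test_ssl.c pins this certificate's sha1, validity dates and OCSP URL; update the test when regenerating` would do. The port in `'http://localhost:17080'` is likewise duplicated as a string in the test.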
diff --git a/test/certs/serfserver_san_ocsp_cert.pem b/test/certs/serfserver_san_ocsp_cert.pem
new file mode 100644
index 0000000..28970e9
--- /dev/null
+++ b/test/certs/serfserver_san_ocsp_cert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/test/test_ssl.c b/test/test_ssl.c
index b27e1e0..6f56aae 100644
--- a/test/test_ssl.c
+++ b/test/test_ssl.c
@@ -168,29 +168,38 @@
apr_hash_t *kv;
serf_ssl_certificate_t *cert = NULL;
apr_array_header_t *san_arr;
+ apr_array_header_t *ocsp_arr;
apr_status_t status;
- status = serf_ssl_load_cert_file(&cert,
- get_srcdir_file(tb->pool,
- "test/serftestca.pem"),
- tb->pool);
+ status = serf_ssl_load_cert_file(
+ &cert,
+ get_srcdir_file(tb->pool, "test/certs/serfserver_san_ocsp_cert.pem"),
+ tb->pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
CuAssertPtrNotNull(tc, cert);
kv = serf_ssl_cert_certificate(cert, tb->pool);
CuAssertPtrNotNull(tc, kv);
- CuAssertStrEquals(tc, "8A:4C:19:D5:F2:52:4E:35:49:5E:7A:14:80:B2:02:BD:B4:4D:22:18",
+ CuAssertStrEquals(tc, "3D:EC:C8:3B:C7:DB:FD:FB:9C:5D:5E:29:9F:ED:C1:A8:79:3B:28:14",
apr_hash_get(kv, "sha1", APR_HASH_KEY_STRING));
- CuAssertStrEquals(tc, "Mar 21 13:18:17 2008 GMT",
+ CuAssertStrEquals(tc, "Dec 9 05:23:09 2016 GMT",
apr_hash_get(kv, "notBefore", APR_HASH_KEY_STRING));
- CuAssertStrEquals(tc, "Mar 21 13:18:17 2011 GMT",
+ CuAssertStrEquals(tc, "Dec 6 05:23:09 2029 GMT",
apr_hash_get(kv, "notAfter", APR_HASH_KEY_STRING));
- /* TODO: create a new test certificate with a/some sAN's. */
san_arr = apr_hash_get(kv, "subjectAltName", APR_HASH_KEY_STRING);
- CuAssertTrue(tc, san_arr == NULL);
+ CuAssertPtrNotNull(tc, san_arr);
+ CuAssertIntEquals(tc, 1, san_arr->nelts);
+ CuAssertStrEquals(tc, "localhost",
+ APR_ARRAY_IDX(san_arr, 0, const char*));
+
+ ocsp_arr = apr_hash_get(kv, "OCSP", APR_HASH_KEY_STRING);
+ CuAssertPtrNotNull(tc, ocsp_arr);
+ CuAssertIntEquals(tc, 1, ocsp_arr->nelts);
+ CuAssertStrEquals(tc, "http://localhost:17080",
+ APR_ARRAY_IDX(ocsp_arr, 0, const char*));
}
static const char *extract_cert_from_pem(const char *pemdata,
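Review bot: The test no longer exercises a certificate without extensions, because the old `san_arr == NULL` check on `test/serftestca.pem` is replaced rather than kept. After this change nothing shown here verifies that `serf_ssl_cert_certificate()` leaves out `subjectAltName` (and, presumably, `OCSP`) when the certificate carries no such data. I would keep a second load of the old certificate after the new assertions and check both keys. Whether a missing OCSP entry is reported as an absent key or as an empty array is not visible in this hunk, so confirm that before adding the last assertion. The function begins outside the hunk.

```c
    /* ... unchanged: assertions on serfserver_san_ocsp_cert.pem ... */

    /* A certificate without these extensions must not report them. */
    cert = NULL;
    status = serf_ssl_load_cert_file(
        &cert,
        get_srcdir_file(tb->pool, "test/serftestca.pem"),
        tb->pool);
    CuAssertIntEquals(tc, APR_SUCCESS, status);
    CuAssertPtrNotNull(tc, cert);

    kv = serf_ssl_cert_certificate(cert, tb->pool);
    CuAssertPtrNotNull(tc, kv);
    CuAssertTrue(tc, apr_hash_get(kv, "subjectAltName",
                                  APR_HASH_KEY_STRING) == NULL);
    CuAssertTrue(tc, apr_hash_get(kv, "OCSP",
                                  APR_HASH_KEY_STRING) == NULL);
```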