test: OCSP E2E (#1172)

Added OCSP E2E test cases: valid, revoked and unknown

OCSP fallback to CRL test cases have been included in #1079 

Resolves #638
Resolves #572

---------

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>

Author: JeyJeyGao

test/e2e/internal/notation/host.go

@@ -192,6 +192,15 @@ func CRLOptions() []utils.HostOption {
 	)
 }
 
+func OCSPOptions() []utils.HostOption {
+	return Opts(
+		AuthOption("", ""),
+		AddKeyOption(filepath.Join(NotationE2EConfigPath, "ocsp", "leaf.key"), filepath.Join(NotationE2EConfigPath, "ocsp", "certchain_with_ocsp.pem")),
+		AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "ocsp", "root.crt")),
+		AddTrustPolicyOption("trustpolicy.json"),
+	)
+}
+
 func BaseOptionsWithExperimental() []utils.HostOption {
 	return Opts(
 		AuthOption("", ""),

test/e2e/internal/utils/ocsp.go

@@ -0,0 +1,52 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"fmt"
+	"net/http"
+)
+
+func LeafOCSPRevoke() error {
+	url := "http://localhost:10088/revoke"
+	resp, err := http.Post(url, "application/json", nil)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	fmt.Printf("OCSP of leaf certificate revoked with status code: %d\n", resp.StatusCode)
+	return nil
+}
+
+func LeafOCSPUnrevoke() error {
+	url := "http://localhost:10088/unrevoke"
+	resp, err := http.Post(url, "application/json", nil)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	fmt.Printf("OCSP of leaf certificate unrevoked with status code: %d\n", resp.StatusCode)
+	return nil
+}
+
+func LeafOCSPUnknown() error {
+	url := "http://localhost:10088/unknown"
+	resp, err := http.Post(url, "application/json", nil)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	fmt.Printf("OCSP of leaf certificate with unknown status with status code: %d\n", resp.StatusCode)
+	return nil
+}

test/e2e/run.sh

@@ -99,12 +99,18 @@ setup_registry
 python3 ./scripts/crl_server.py &
 CRL_SERVER_PID=$!
 
+# run the OCSP server in the background
+python3 ./scripts/ocsp_server.py --config-dir ./testdata/config/ocsp &
+OCSP_SERVER_PID=$!
+
 # defer cleanup registry
 function cleanup {
     echo "Cleaning up..."
     cleanup_registry
     echo "Stopping CRL server..."
     kill $CRL_SERVER_PID
+    echo "Stopping OCSP server..."
+    kill $OCSP_SERVER_PID
 }
 trap cleanup EXIT
 

test/e2e/scripts/gen_ocsp_testing_certs.sh

@@ -0,0 +1,134 @@
+#!/bin/bash -ex
+# Copyright The Notary Project Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Create root configuration with CA and OCSP extensions
+cat > root_ocsp.cnf <<EOF
+[ req ]
+default_bits       = 2048
+prompt             = no
+distinguished_name = root_distinguished_name
+x509_extensions    = v3_ca
+
+[ root_distinguished_name ]
+C  = US
+ST = State
+L  = City
+O  = Organization
+OU = OrgUnit
+CN = RootCA
+
+[ v3_ca ]
+basicConstraints       = critical,CA:TRUE
+keyUsage               = critical,keyCertSign,cRLSign
+subjectKeyIdentifier   = hash
+
+[ v3_ocsp ]
+extendedKeyUsage       = critical,OCSPSigning
+keyUsage               = critical,digitalSignature
+subjectKeyIdentifier   = hash
+EOF
+
+# Set up OpenSSL CA directory structure for root
+mkdir -p demoCA/newcerts
+touch demoCA/index.txt
+echo '1000' > demoCA/serial
+
+# Generate root private key and self-signed certificate with CA extensions
+openssl genrsa -out root.key 2048
+openssl req -x509 -new -key root.key -sha256 -days 36500 -out root.crt \
+  -config root_ocsp.cnf -extensions v3_ca
+
+# Create OCSP responder configuration
+cat > ocsp.cnf <<EOF
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir               = demoCA
+database          = demoCA/index.txt
+new_certs_dir     = demoCA/newcerts
+certificate       = root.crt
+serial            = demoCA/serial
+private_key       = root.key
+default_days      = 36500
+default_md        = sha256
+policy            = policy_strict
+
+[ policy_strict ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+default_bits       = 2048
+prompt             = no
+distinguished_name = ocsp_distinguished_name
+req_extensions     = v3_ocsp
+
+[ ocsp_distinguished_name ]
+C  = US
+ST = State
+L  = City
+O  = Organization
+OU = OrgUnit
+CN = OCSPResponder
+
+[ v3_ocsp ]
+extendedKeyUsage       = critical,OCSPSigning
+keyUsage               = critical,digitalSignature
+subjectKeyIdentifier   = hash
+EOF
+
+# Generate OCSP private key and CSR, then sign it with the root certificate
+openssl genrsa -out ocsp.key 2048
+openssl req -new -key ocsp.key -out ocsp.csr -config ocsp.cnf
+openssl x509 -req -in ocsp.csr -CA root.crt -CAkey root.key -CAcreateserial \
+  -out ocsp.crt -days 36500 -extfile ocsp.cnf -extensions v3_ocsp
+
+# Create leaf configuration with OCSP URL
+cat > leaf_ocsp.cnf <<EOF
+[ req ]
+default_bits = 2048
+prompt = no
+distinguished_name = leaf_distinguished_name
+req_extensions = v3_req
+
+[ leaf_distinguished_name ]
+C = US
+ST = State
+L = City
+O = Organization
+OU = OrgUnit
+CN = LeafCert
+
+[ v3_req ]
+basicConstraints       = critical,CA:FALSE
+keyUsage               = critical,digitalSignature
+authorityInfoAccess    = OCSP;URI:http://localhost:10087
+subjectKeyIdentifier   = hash
+EOF
+
+# Generate leaf key and CSR then sign directly with the root certificate instead of an intermediate
+openssl genrsa -out leaf.key 2048
+openssl req -new -key leaf.key -out leaf.csr -config leaf_ocsp.cnf
+openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -CAcreateserial \
+  -out leaf.crt -days 36500 -extfile leaf_ocsp.cnf -extensions v3_req
+
+# Cleanup and final message
+rm -f *.csr root_occrt.srl
+echo "OCSP testing certificates generated successfully."
+

test/e2e/scripts/ocsp_server.py

@@ -0,0 +1,117 @@
+# Copyright The Notary Project Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import argparse
+import subprocess
+import threading
+from http.server import BaseHTTPRequestHandler
+from socketserver import TCPServer
+
+# Global variable to hold the OCSP server process
+ocsp_process = None
+ocsp_lock = threading.Lock()
+
+def start_ocsp_server(config_dir):
+    global ocsp_process
+    # Start OCSP server in background in config_dir
+    cmd = [
+        "openssl", "ocsp",
+        "-port", "10087",
+        "-index", "demoCA/index.txt",
+        "-CA", "root.crt",
+        "-rkey", "ocsp.key",
+        "-rsigner", "ocsp.crt",
+        "-nmin", "5",
+        "-text",
+    ]
+    ocsp_process = subprocess.Popen(cmd, cwd=config_dir)
+    print("OCSP server started with PID:", ocsp_process.pid)
+
+def stop_ocsp_server():
+    global ocsp_process
+    if ocsp_process:
+        ocsp_process.terminate()
+        ocsp_process.wait()
+        print("OCSP server with PID", ocsp_process.pid, "terminated")
+        ocsp_process = None
+
+def restart_ocsp_server(config_dir):
+    with ocsp_lock:
+        stop_ocsp_server()
+        start_ocsp_server(config_dir)
+
+def update_index_file(config_dir, new_content):
+    index_path = os.path.join(config_dir, "demoCA", "index.txt")
+    with open(index_path, "w") as f:
+        f.write(new_content + "\n")
+    print("Updated", index_path)
+
+class OCSPRequestHandler(BaseHTTPRequestHandler):
+    def do_POST(self):
+        response = ""
+        # Ensure path is processed without query parameters.
+        path = self.path.split("?")[0]
+        if path == "/revoke":
+            # Revoke: update index.txt with revoked entry
+            revoke_content = ("R	21250121012109Z	250214013720Z	520D9B1364D98367711DA2B6A0A0F34B23E3D02A	unknown	/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=LeafCert")
+            update_index_file(self.server.config_dir, revoke_content)
+            restart_ocsp_server(self.server.config_dir)
+            response = "OCSP server restarted with index updated (revoke)."
+        elif path == "/unrevoke":
+            # Unrevoke: update index.txt with valid entry
+            unrevoke_content = ("V	21250121012109Z	250214013720Z	520D9B1364D98367711DA2B6A0A0F34B23E3D02A	unknown	/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=LeafCert")
+            update_index_file(self.server.config_dir, unrevoke_content)
+            restart_ocsp_server(self.server.config_dir)
+            response = "OCSP server restarted with index updated (unrevoke)."
+        elif path == "/unknown":
+            # Unknown endpoint
+            empty_content = ""
+            update_index_file(self.server.config_dir, empty_content)
+            restart_ocsp_server(self.server.config_dir)
+            response = "OCSP server restarted with empty index."
+        else:
+            response = "Invalid endpoint. Use /revoke or /unrevoke."
+
+        self.send_response(200)
+        self.send_header("Content-type", "text/plain")
+        self.end_headers()
+        self.wfile.write(response.encode("utf-8"))
+
+class ReusableTCPServer(TCPServer):
+    allow_reuse_address = True
+
+def run_server(config_dir, host="localhost", port=10088):
+    server_address = (host, port)
+    httpd = ReusableTCPServer(server_address, OCSPRequestHandler)
+    httpd.config_dir = config_dir  # attach config directory to server instance
+    print(f"HTTP control server running on {host}:{port}")
+    httpd.serve_forever()
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Start OCSP server control HTTP server."
+    )
+    parser.add_argument(
+        "--config-dir",
+        required=True,
+        help="Path to OCSP configuration folder."
+    )
+    args = parser.parse_args()
+    config_dir = os.path.abspath(args.config_dir)
+    # Change to config_dir to ensure all commands run there (optional)
+    os.chdir(config_dir)
+    # Start the OCSP server in background
+    start_ocsp_server(config_dir)
+    # Run HTTP control server on port 10088
+    run_server(config_dir)