Use local server for auth test

Psiphon-Labs · Aug 16, 2019 · f9ba9b7 · f9ba9b7
1 parent 1970979
commit f9ba9b7
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 5 deletions.
diff --git a/Example/Tests/CertTests.m b/Example/Tests/CertTests.m
@@ -59,6 +59,8 @@ - (void)tearDown
 #pragma mark - Network request with authentication challenge
 
 // Network request with an authentication challenge to exercise OCSPAuthURLSessionDelegate
+// NOTE: start `server.go` and ensure local OCSP servers are running (see README.md)
+//       before running this test.
 - (void)testNetworkRequestWithAuthenticationChallenge {
 
     OCSPAuthURLSessionDelegate *authURLSessionDelegate =
@@ -75,7 +77,7 @@ - (void)testNetworkRequestWithAuthenticationChallenge {
     [self expectationWithDescription:@"Expected result from network request"];
 
     NSURLSessionDataTask *dataTask =
-    [session dataTaskWithURL:[NSURL URLWithString:@"https://github.com/robots.txt"]
+    [session dataTaskWithURL:[NSURL URLWithString:@"https://localhost:8083"]
            completionHandler:^(NSData * _Nullable data,
                                NSURLResponse * _Nullable response,
                                NSError * _Nullable error) {
@@ -751,7 +753,7 @@ - (SecCertificateRef)googleRootCert {
 
 - (SecCertificateRef)localOCSPURLsCert {
     return [self loadCertificateFailOnError:@"Certs/DemoCA/CA/intermediate/enduser-certs/local_ocsp_urls.der"
-                         expectedCommonName:@"Local OCSP URLs"];
+                         expectedCommonName:@"localhost"];
 }
 
 - (SecCertificateRef)badOCSPURLsCert {

diff --git a/Example/Tests/Certs/DemoCA/intermediate-ca.cnf b/Example/Tests/Certs/DemoCA/intermediate-ca.cnf
@@ -47,7 +47,7 @@ subjectAltName         = @alt_names
 authorityInfoAccess    = @${ENV::OCSP_SECTION}
 
 [ alt_names ]
-DNS.0 = example.com
+DNS.0 = localhost
 
 [ local_ocsp ]
 OCSP;URI.0 = http://127.0.0.1:8081

diff --git a/Example/Tests/Certs/DemoCA/server.go b/Example/Tests/Certs/DemoCA/server.go
@@ -0,0 +1,23 @@
+package main
+
+import (
+    "net/http"
+    "log"
+)
+
+func Server(w http.ResponseWriter, req *http.Request) {
+    w.Header().Set("Content-Type", "text/plain")
+    w.Write([]byte("This is an example server.\n"))
+}
+
+func main() {
+    http.HandleFunc("/", Server)
+    err := http.ListenAndServeTLS(":8083", 
+                                  "./CA/cert_chain.pem", 
+                                  "./CA/intermediate/enduser-certs/local_ocsp_urls.key", 
+                                  nil)
+    if err != nil {
+        log.Fatal("ListenAndServe: ", err)
+    }
+}
+
diff --git a/Example/Tests/Certs/DemoCA/setup.sh b/Example/Tests/Certs/DemoCA/setup.sh
@@ -4,7 +4,9 @@ set -o errexit
 set -o nounset
 set -o xtrace
 
-BASE_SUBJ="C=XX/ST=state/L=city/O=company/emailAddress=example.com"
+BASE_DIR=$PWD
+
+BASE_SUBJ="C=XX/ST=state/L=city/O=company"
 
 # Setup Demo CA
 
@@ -42,6 +44,10 @@ openssl x509 -in "$ROOT_CA_CRT"\
              -outform DER\
              -out ./root_CA.der
 
+openssl x509 -in "$ROOT_CA_CRT"\
+             -outform PEM\
+             -out ./root_CA.pem
+
 ## Configure
 
 touch certindex
@@ -78,6 +84,10 @@ openssl x509 -in "$INTERMEDIATE_CA_CRT"\
              -outform DER\
              -out ./intermediate_CA.der
 
+openssl x509 -in "$INTERMEDIATE_CA_CRT"\
+             -outform PEM\
+             -out ./intermediate_CA.pem
+
 ## Configure
 
 mkdir -p "$INTERMEDIATE_CA_CERTS_DIR"
@@ -101,7 +111,7 @@ openssl req -new\
             -key local_ocsp_urls.key\
             -out local_ocsp_urls.crt\
             -config "$INTERMEDIATE_CA_CNF"\
-            -subj "/CN=Local OCSP URLs/${BASE_SUBJ}"
+            -subj "/CN=localhost/${BASE_SUBJ}"
 
 openssl x509 -x509toreq\
              -in local_ocsp_urls.crt\
@@ -125,6 +135,10 @@ openssl x509 -in ./local_ocsp_urls.crt\
              -outform DER\
              -out ./local_ocsp_urls.der
 
+openssl x509 -in ./local_ocsp_urls.crt\
+             -outform PEM\
+             -out ./local_ocsp_urls.pem
+
 # Setup End User Certificate with no OCSP URLs
 
 openssl genrsa -out no_ocsp_urls.key 1024
@@ -236,3 +250,10 @@ openssl ca -batch\
            -extensions v3_ocsp
 
 rm ocsp_signing.csr
+
+# Setup certificate chain for server
+
+cd "$BASE_DIR"/CA
+touch cert_chain.pem
+cat "$INTERMEDIATE_CA_CERTS_DIR"/local_ocsp_urls.pem >> cert_chain.pem
+cat "$ROOT_CA_CERTS_DIR"/intermediate_CA.pem >> cert_chain.pem
diff --git a/README.md b/README.md
@@ -22,6 +22,8 @@ Run [setup.sh](./Example/Tests/Certs/DemoCA/setup.sh) in [./Example/Tests/Certs/
 - Click allow
 - Navigate in the simulator to `Settings->Profiles` and click on the downloaded profile
 - Click install
+- Navigate in the simulator to `Settings->About->Certificate Trust Settings`
+- Enable the switch "Enable Full Trust For Root Certificates" for the installed certificate
 
 #### Start the OCSP Servers
 Run the root OCSP Server [run_root_ocsp_server.sh](./Example/Tests/Certs/DemoCA/run_root_ocsp_server.sh).