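#! /usr/bin/env perl
# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Basename;
use File::Copy;
use File::Compare qw/compare/;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
use OpenSSL::Test::Utils;

setup("test_ocsp");

plan skip_all => "OCSP is not supported by this OpenSSL build"
    if disabled("ocsp");

# Directory holding the canned OCSP responses (*.ors, base64 text) and the
# issuer / CA certificates they are verified against.
my $ocspdir = srctop_dir("test", "ocsp-tests");
# 17 December 2012 so we don't get certificate expiry errors.
my @check_time = ("-attime", "1355875200");

# Decode one canned OCSP response and verify it with "openssl ocsp".
#
#   $title         - description used for the ok() line
#   $inputfile     - response file under $ocspdir (base64 text, ".ors")
#   $CAfile        - trust anchor passed via -CAfile, relative to $ocspdir
#   $untrusted     - extra certificates passed via -verify_other, relative
#                    to $ocspdir; an empty string (or undef) means "use
#                    the same file as $CAfile"
#   $expected_exit - exit status "openssl ocsp" must return for the test
#                    to pass (0 = the response verifies, 1 = it is rejected)
#   $nochecks      - true to add -no_cert_checks, i.e. skip the additional
#                    checks on the responder certificate
#
# Emits exactly one ok() result.  The base64 decode step is fatal on
# failure so that a negative test (expected exit 1) cannot pass merely
# because its decoded input never existed.
sub test_ocsp {
    my ($title, $inputfile, $CAfile, $untrusted, $expected_exit, $nochecks)
        = @_;

    if (!defined $untrusted || $untrusted eq "") {
        $untrusted = $CAfile;
    }

    # The decoded response lands in the current (scratch) directory under
    # the same basename with a .dat extension; a later subtest reuses
    # these files by name.
    my $outputfile = basename($inputfile, '.ors') . '.dat';

    run(app(["openssl", "base64", "-d",
             "-in", catfile($ocspdir, $inputfile),
             "-out", $outputfile]))
        or die "base64 decode of $inputfile into $outputfile failed";

    my @ocsp_cmd = ("openssl", "ocsp", "-respin", $outputfile,
                    # The chain may end at the (intermediate) certificate
                    # given with -CAfile rather than at a self-signed root.
                    "-partial_chain", @check_time,
                    "-CAfile", catfile($ocspdir, $CAfile),
                    "-verify_other", catfile($ocspdir, $untrusted),
                    # Only the certificates named above are trusted: no
                    # default directory or store lookups.
                    "-no-CApath", "-no-CAstore",
                    ($nochecks ? ("-no_cert_checks") : ()));

    # Pass iff the exit status equals $expected_exit (not merely 0).
    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub { ok(run(app(\@ocsp_cmd)), $title); });
}

plan tests => 12;

subtest "=== VALID OCSP RESPONSES ===" => sub {
    plan tests => 7;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0);
    # Here the trust anchor and the untrusted chain material differ.
    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "D2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "D3_Issuer_Root.pem", "", 0, 0);
};

subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 6;

    # Each case runs twice: with the responder-certificate checks and with
    # -no_cert_checks.  The response must be rejected (exit 1) either way.
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1);
};

subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Expect success, because we're explicitly trusting the issuer certificate
    # (it is the -CAfile trust anchor, so its own signature is not checked).
    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
};

my $cert = data_file("cert.pem");
my $key = data_file("key.pem");
subtest "=== OCSP API TESTS===" => sub {
    plan tests => 1;

    ok(run(test(["ocspapitest", $cert, $key])),
       "running ocspapitest");
};

subtest "=== OCSP handling of identical input and output files ===" => sub {
    plan tests => 5;

    # A request written back over its own input must come out byte-identical.
    # compare() returns 0 only when the files are equal (1 differ, -1 error),
    # so "!compare" is the equality check.
    my $inout1 = "req.der";
    my $backup1 = "backup.der";
    ok(run(app(['openssl', 'ocsp', '-issuer', $cert, '-cert', $cert,
                '-reqout', $inout1])), "produce dummy request input");
    copy($inout1, $backup1) or die "copy $inout1 -> $backup1: $!";
    ok(run(app(['openssl', 'ocsp', '-reqin', $inout1, '-reqout', $inout1])),
       "rewrite request $inout1 in place");
    ok(!compare($inout1, $backup1), "copied request $inout1 did not change");

    # Same for a response.  ND1.dat is the file the VALID subtest's decode
    # step produced, so this subtest relies on that one having run first.
    # -noverify: only file handling is exercised here, not verification.
    my $inout2 = "ND1.dat";
    my $backup2 = "backup.dat";
    copy($inout2, $backup2) or die "copy $inout2 -> $backup2: $!";
    ok(run(app(['openssl', 'ocsp', '-respin', $inout2, '-respout', $inout2,
                '-noverify'])),
       "rewrite response $inout2 in place");
    ok(!compare($inout2, $backup2), "copied response $inout2 did not change");
};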