      1      1.1  christos #! /usr/bin/env perl
      2  1.1.1.3  christos # Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
      3      1.1  christos #
      4  1.1.1.3  christos # Licensed under the Apache License 2.0 (the "License").  You may not use
      5      1.1  christos # this file except in compliance with the License.  You can obtain a copy
      6      1.1  christos # in the file LICENSE in the source distribution or at
      7      1.1  christos # https://www.openssl.org/source/license.html
      8      1.1  christos 
      9      1.1  christos 
     10      1.1  christos use strict;
     11      1.1  christos use warnings;
     12      1.1  christos 
     13      1.1  christos use POSIX;
     14      1.1  christos use File::Spec::Functions qw/devnull catfile/;
     15  1.1.1.3  christos use File::Basename;
     16      1.1  christos use File::Copy;
     17  1.1.1.2  christos use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
     18      1.1  christos use OpenSSL::Test::Utils;
     19      1.1  christos 
setup("test_ocsp");

if (disabled("ocsp")) {
    plan skip_all => "OCSP is not supported by this OpenSSL build";
}

# All fixtures used below (.ors responses, .pem issuer certificates) live here.
my $ocspdir = srctop_dir("test", "ocsp-tests");

# Verify as of 17 December 2012 (Unix time 1355875200) so the fixed fixtures
# never trip certificate-expiry errors as the calendar advances.
my @check_time = ("-attime", "1355875200");
     28      1.1  christos 
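# Decode one base64 OCSP response fixture and verify it with `openssl ocsp`,
# asserting the expected exit status.
#
# Arguments (positional):
#   $title          description used for the ok() assertion
#   $inputfile      base64 .ors response fixture under $ocspdir
#   $CAfile         issuer certificate, explicitly trusted via -CAfile
#   $untrusted      certificates handed to -verify_other; an empty string
#                   (or a missing argument) means "reuse $CAfile"
#   $expected_exit  exit status `openssl ocsp` must return (0 accept, 1 reject)
#   $nochecks       true to append -no_cert_checks
#
# Contributes exactly one test to the caller's plan.
sub test_ocsp {
    my ($title, $inputfile, $CAfile, $untrusted, $expected_exit, $nochecks) = @_;

    # "" (or undef) means the issuer file doubles as the -verify_other input.
    $untrusted = $CAfile unless defined $untrusted && $untrusted ne "";

    # The decoded DER response is written to the current working directory.
    my $outputfile = basename($inputfile, '.ors') . '.dat';

    # The decode runs under the default exit checker (exit status 0).  Its
    # result is folded into the assertion below: a failed decode leaves
    # $outputfile missing or empty, so `openssl ocsp` would exit non-zero for
    # the wrong reason and a negative test ($expected_exit == 1) would pass
    # without exercising the verification path at all.
    my $decoded = run(app(["openssl", "base64", "-d",
                           "-in", catfile($ocspdir, $inputfile),
                           "-out", $outputfile]));
    diag("base64 decode of $inputfile failed") unless $decoded;

    # -partial_chain plus -no-CApath/-no-CAstore confine verification to the
    # fixture certificates, so the host's trust store cannot influence the
    # outcome; @check_time pins the verification date.
    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub {
             ok($decoded
                && run(app(["openssl", "ocsp", "-respin", $outputfile,
                            "-partial_chain", @check_time,
                            "-CAfile", catfile($ocspdir, $CAfile),
                            "-verify_other", catfile($ocspdir, $untrusted),
                            "-no-CApath", "-no-CAstore",
                            $nochecks ? "-no_cert_checks" : ()])),
                $title);
         });
}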
     53      1.1  christos 
# Ten verification subtests below plus the API subtest.
plan tests => 11;

subtest "=== VALID OCSP RESPONSES ===" => sub {
    # [title, response fixture, trusted issuer, extra untrusted chain]
    my @cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ND1.ors", "ND1_Issuer_ICA.pem", ""],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ND2.ors", "ND2_Issuer_Root.pem", ""],
        ["NON-DELEGATED; Root CA -> EE",
         "ND3.ors", "ND3_Issuer_Root.pem", ""],
        ["NON-DELEGATED; 3-level CA hierarchy",
         "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "D1.ors", "D1_Issuer_ICA.pem", ""],
        ["DELEGATED; Root CA -> Intermediate CA",
         "D2.ors", "D2_Issuer_Root.pem", ""],
        ["DELEGATED; Root CA -> EE",
         "D3.ors", "D3_Issuer_Root.pem", ""],
    );
    plan tests => scalar @cases;

    # Every well-formed response must verify (exit 0) with full cert checks.
    for my $case (@cases) {
        my ($title, $ors, $cafile, $untrusted) = @$case;
        test_ocsp($title, $ors, $cafile, $untrusted, 0, 0);
    }
};
     74      1.1  christos 
subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    # [title, fixture tag, trusted issuer]; the ISOP_ fixtures carry a bad
    # signature over the response itself.
    my @chains = (
        ["NON-DELEGATED; Intermediate CA -> EE",      "ND1", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA", "ND2", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",              "ND3", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",          "D1",  "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",     "D2",  "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",                  "D3",  "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @chains;

    # Each must be rejected (exit 1).
    for my $chain (@chains) {
        my ($title, $tag, $cafile) = @$chain;
        test_ocsp($title, "ISOP_$tag.ors", $cafile, "", 1, 0);
    }
};
     91      1.1  christos 
subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    # [title, fixture tag, trusted issuer]; the WRID_ fixtures name a
    # responder that does not match the signing certificate.
    my @chains = (
        ["NON-DELEGATED; Intermediate CA -> EE",      "ND1", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA", "ND2", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",              "ND3", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",          "D1",  "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",     "D2",  "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",                  "D3",  "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @chains;

    # Each must be rejected (exit 1).
    for my $chain (@chains) {
        my ($title, $tag, $cafile) = @$chain;
        test_ocsp($title, "WRID_$tag.ors", $cafile, "", 1, 0);
    }
};
    108      1.1  christos 
subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    # [title, fixture tag, trusted issuer]; the WINH_ fixtures carry a
    # CertID whose issuerNameHash does not match the issuer.
    my @chains = (
        ["NON-DELEGATED; Intermediate CA -> EE",      "ND1", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA", "ND2", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",              "ND3", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",          "D1",  "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",     "D2",  "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",                  "D3",  "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @chains;

    # Each must be rejected (exit 1).
    for my $chain (@chains) {
        my ($title, $tag, $cafile) = @$chain;
        test_ocsp($title, "WINH_$tag.ors", $cafile, "", 1, 0);
    }
};
    125      1.1  christos 
subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    # [title, fixture tag, trusted issuer]; the WIKH_ fixtures carry a
    # CertID whose issuerKeyHash does not match the issuer.
    my @chains = (
        ["NON-DELEGATED; Intermediate CA -> EE",      "ND1", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA", "ND2", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",              "ND3", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",          "D1",  "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",     "D2",  "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",                  "D3",  "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @chains;

    # Each must be rejected (exit 1).
    for my $chain (@chains) {
        my ($title, $tag, $cafile) = @$chain;
        test_ocsp($title, "WIKH_$tag.ors", $cafile, "", 1, 0);
    }
};
    142      1.1  christos 
subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    # Only the delegated chains have a separate signing certificate.
    my @delegated = (
        ["DELEGATED; Intermediate CA -> EE",      "D1", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA", "D2", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",              "D3", "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @delegated;

    # Each must be rejected (exit 1).
    for my $chain (@delegated) {
        my ($title, $tag, $cafile) = @$chain;
        test_ocsp($title, "WKDOSC_$tag.ors", $cafile, "", 1, 0);
    }
};
    153      1.1  christos 
subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    # Only the delegated chains have a separate signing certificate.
    my @delegated = (
        ["DELEGATED; Intermediate CA -> EE",      "D1", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA", "D2", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",              "D3", "D3_Issuer_Root.pem"],
    );
    plan tests => 2 * @delegated;

    # Each chain is run twice: first with full certificate checks, then with
    # -no_cert_checks ($nochecks = 1).  Rejection (exit 1) is expected in both
    # passes.
    for my $nochecks (0, 1) {
        for my $chain (@delegated) {
            my ($title, $tag, $cafile) = @$chain;
            test_ocsp($title, "ISDOSC_$tag.ors", $cafile, "", 1, $nochecks);
        }
    }
};
    170      1.1  christos 
subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    # Here the responses are the valid ND*/D* fixtures; the fault is in the
    # WSNIC_ issuer certificate handed to -CAfile.
    my @chains = (
        ["NON-DELEGATED; Intermediate CA -> EE",      "ND1", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA", "ND2", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",              "ND3", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",          "D1",  "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",     "D2",  "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",                  "D3",  "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @chains;

    # Each must be rejected (exit 1).
    for my $chain (@chains) {
        my ($title, $tag, $issuer) = @$chain;
        test_ocsp($title, "$tag.ors", "WSNIC_$issuer", "", 1, 0);
    }
};
    187      1.1  christos 
subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    # Valid ND*/D* responses paired with a WKIC_ issuer certificate whose key
    # does not match the one the response was signed against.
    my @chains = (
        ["NON-DELEGATED; Intermediate CA -> EE",      "ND1", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA", "ND2", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",              "ND3", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",          "D1",  "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",     "D2",  "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",                  "D3",  "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @chains;

    # Each must be rejected (exit 1).
    for my $chain (@chains) {
        my ($title, $tag, $issuer) = @$chain;
        test_ocsp($title, "$tag.ors", "WKIC_$issuer", "", 1, 0);
    }
};
    204      1.1  christos 
subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    # Valid ND*/D* responses paired with an ISIC_ issuer certificate that
    # carries a bad signature.
    my @chains = (
        ["NON-DELEGATED; Intermediate CA -> EE",      "ND1", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA", "ND2", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",              "ND3", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",          "D1",  "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",     "D2",  "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",                  "D3",  "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @chains;

    # Success (exit 0) is expected: the issuer certificate is passed as an
    # explicitly trusted anchor via -CAfile, so its own signature is never
    # verified.
    for my $chain (@chains) {
        my ($title, $tag, $issuer) = @$chain;
        test_ocsp($title, "$tag.ors", "ISIC_$issuer", "", 0, 0);
    }
};
    222  1.1.1.2  christos 
subtest "=== OCSP API TESTS===" => sub {
    plan tests => 1;

    # The C-level API test takes a certificate/key pair from the data dir.
    my @api_args = (data_file("cert.pem"), data_file("key.pem"));
    ok(run(test(["ocspapitest", @api_args])), "running ocspapitest");
};
    229