]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/recipes/80-test_ocsp.t
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Raise an error on syscall failure in tls_retry_write_records
[thirdparty/openssl.git] / test / recipes / 80-test_ocsp.t
1 #! /usr/bin/env perl
2 # Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9
10 use strict;
11 use warnings;
12
13 use POSIX;
14 use File::Spec::Functions qw/devnull catfile/;
15 use File::Basename;
16 use File::Copy;
17 use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
18 use OpenSSL::Test::Utils;
19
20 setup("test_ocsp");
21
22 plan skip_all => "OCSP is not supported by this OpenSSL build"
23 if disabled("ocsp");
24
25 my $ocspdir=srctop_dir("test", "ocsp-tests");
26 # 17 December 2012 so we don't get certificate expiry errors.
27 my @check_time=("-attime", "1355875200");
28
29 sub test_ocsp {
30 my $title = shift;
31 my $inputfile = shift;
32 my $CAfile = shift;
33 my $untrusted = shift;
34 if ($untrusted eq "") {
35 $untrusted = $CAfile;
36 }
37 my $expected_exit = shift;
38 my $nochecks = shift;
39 my $outputfile = basename($inputfile, '.ors') . '.dat';
40
41 run(app(["openssl", "base64", "-d",
42 "-in", catfile($ocspdir,$inputfile),
43 "-out", $outputfile]));
44 with({ exit_checker => sub { return shift == $expected_exit; } },
45 sub { ok(run(app(["openssl", "ocsp", "-respin", $outputfile,
46 "-partial_chain", @check_time,
47 "-CAfile", catfile($ocspdir, $CAfile),
48 "-verify_other", catfile($ocspdir, $untrusted),
49 "-no-CApath", "-no-CAstore",
50 $nochecks ? "-no_cert_checks" : ()])),
51 $title); });
52 }
53
54 plan tests => 11;
55
56 subtest "=== VALID OCSP RESPONSES ===" => sub {
57 plan tests => 7;
58
59 test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
60 "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0);
61 test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
62 "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0);
63 test_ocsp("NON-DELEGATED; Root CA -> EE",
64 "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0);
65 test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
66 "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0);
67 test_ocsp("DELEGATED; Intermediate CA -> EE",
68 "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0);
69 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
70 "D2.ors", "D2_Issuer_Root.pem", "", 0, 0);
71 test_ocsp("DELEGATED; Root CA -> EE",
72 "D3.ors", "D3_Issuer_Root.pem", "", 0, 0);
73 };
74
75 subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
76 plan tests => 6;
77
78 test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
79 "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
80 test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
81 "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
82 test_ocsp("NON-DELEGATED; Root CA -> EE",
83 "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
84 test_ocsp("DELEGATED; Intermediate CA -> EE",
85 "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
86 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
87 "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
88 test_ocsp("DELEGATED; Root CA -> EE",
89 "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
90 };
91
92 subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
93 plan tests => 6;
94
95 test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
96 "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
97 test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
98 "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
99 test_ocsp("NON-DELEGATED; Root CA -> EE",
100 "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
101 test_ocsp("DELEGATED; Intermediate CA -> EE",
102 "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
103 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
104 "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
105 test_ocsp("DELEGATED; Root CA -> EE",
106 "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
107 };
108
109 subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
110 plan tests => 6;
111
112 test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
113 "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
114 test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
115 "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
116 test_ocsp("NON-DELEGATED; Root CA -> EE",
117 "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
118 test_ocsp("DELEGATED; Intermediate CA -> EE",
119 "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
120 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
121 "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
122 test_ocsp("DELEGATED; Root CA -> EE",
123 "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
124 };
125
126 subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
127 plan tests => 6;
128
129 test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
130 "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
131 test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
132 "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
133 test_ocsp("NON-DELEGATED; Root CA -> EE",
134 "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
135 test_ocsp("DELEGATED; Intermediate CA -> EE",
136 "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
137 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
138 "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
139 test_ocsp("DELEGATED; Root CA -> EE",
140 "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
141 };
142
143 subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
144 plan tests => 3;
145
146 test_ocsp("DELEGATED; Intermediate CA -> EE",
147 "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
148 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
149 "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
150 test_ocsp("DELEGATED; Root CA -> EE",
151 "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
152 };
153
154 subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
155 plan tests => 6;
156
157 test_ocsp("DELEGATED; Intermediate CA -> EE",
158 "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
159 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
160 "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
161 test_ocsp("DELEGATED; Root CA -> EE",
162 "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
163 test_ocsp("DELEGATED; Intermediate CA -> EE",
164 "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1);
165 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
166 "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1);
167 test_ocsp("DELEGATED; Root CA -> EE",
168 "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1);
169 };
170
171 subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
172 plan tests => 6;
173
174 test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
175 "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0);
176 test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
177 "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0);
178 test_ocsp("NON-DELEGATED; Root CA -> EE",
179 "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0);
180 test_ocsp("DELEGATED; Intermediate CA -> EE",
181 "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0);
182 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
183 "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0);
184 test_ocsp("DELEGATED; Root CA -> EE",
185 "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0);
186 };
187
188 subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
189 plan tests => 6;
190
191 test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
192 "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0);
193 test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
194 "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0);
195 test_ocsp("NON-DELEGATED; Root CA -> EE",
196 "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0);
197 test_ocsp("DELEGATED; Intermediate CA -> EE",
198 "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0);
199 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
200 "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0);
201 test_ocsp("DELEGATED; Root CA -> EE",
202 "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0);
203 };
204
205 subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
206 plan tests => 6;
207
208 # Expect success, because we're explicitly trusting the issuer certificate.
209 test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
210 "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0);
211 test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
212 "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0);
213 test_ocsp("NON-DELEGATED; Root CA -> EE",
214 "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0);
215 test_ocsp("DELEGATED; Intermediate CA -> EE",
216 "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0);
217 test_ocsp("DELEGATED; Root CA -> Intermediate CA",
218 "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0);
219 test_ocsp("DELEGATED; Root CA -> EE",
220 "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
221 };
222
223 subtest "=== OCSP API TESTS===" => sub {
224 plan tests => 1;
225
226 ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
227 "running ocspapitest");
228 }
A mirror of the official openssl repository