1 | #! /usr/bin/env perl |
2 | # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | # | |
4 | # Licensed under the OpenSSL license (the "License"). You may not use | |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use POSIX; | |
14 | use File::Spec::Functions qw/devnull catfile/; | |
15 | use File::Copy; | |
42e0ccdf | 16 | use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir/; |
3e41ac35 | 17 | use OpenSSL::Test::Utils; |
18 | |
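setup("test_ocsp");

plan skip_all => "OCSP is not supported by this OpenSSL build"
    if disabled("ocsp");

# Fixture directory: base64-encoded OCSP responses (*.ors) and the issuer
# certificates (*.pem) each response is verified against.
my $ocspdir = srctop_dir("test", "ocsp-tests");

# Pin verification to a fixed point in time so the fixtures never hit
# certificate-expiry errors.  1355875200 is 2012-12-19T00:00:00Z (thirteen
# days before 1356998400, the start of 2013).
my @check_time = ("-attime", "1355875200");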
27 | ||
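# Run one OCSP verification case and emit exactly one Test::More result.
#
# $title          test description
# $inputfile      base64-encoded OCSP response under $ocspdir
# $CAfile         issuer certificate under $ocspdir; it is passed both as the
#                 sole trust anchor (-CAfile, with -no-CApath so nothing else
#                 is consulted) and as the responder-certificate source
#                 (-verify_other)
# $expected_exit  exit status "openssl ocsp" must return: 0 for a response
#                 that verifies, 1 for one that must be rejected
#
# Because the issuer is supplied as the trust anchor and -partial_chain is
# set, the issuer certificate is trusted exactly as given and its own
# signature is never checked; what is exercised is the response signature,
# the responder identity and the CertID hashes against that issuer.
sub test_ocsp {
    my ($title, $inputfile, $CAfile, $expected_exit) = @_;
    my $respfile = "ocsp-resp-fff.dat";

    # Decode the fixture and make sure that actually worked.  Without this
    # check a missing or corrupt fixture would leave an empty/absent -respin,
    # "openssl ocsp" would exit non-zero, and every "expected to be rejected"
    # case would pass for the wrong reason.
    my $decoded = run(app(["openssl", "base64", "-d",
                           "-in", catfile($ocspdir, $inputfile),
                           "-out", $respfile]));
    if (!$decoded) {
        fail($title);
        diag("could not base64-decode fixture $inputfile");
        unlink $respfile;
        return;
    }

    # exit_checker: accept only the exact expected status, so an unexpected
    # success (or an unexpected failure) shows up as a test failure.
    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub {
             ok(run(app(["openssl", "ocsp", "-respin", $respfile,
                         "-partial_chain", @check_time,
                         "-CAfile", catfile($ocspdir, $CAfile),
                         "-verify_other", catfile($ocspdir, $CAfile),
                         "-no-CApath"])),
                $title);
         });
    unlink $respfile;
    return;
}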
46 | ||
# One subtest per scenario below.
plan(tests => 10);
48 | ||
subtest "=== VALID OCSP RESPONSES ===" => sub {
    # Well-formed responses that must verify against their issuer.
    # Each row: test title, response fixture, issuer certificate.
    my @cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ND1.ors", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ND2.ors", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "ND3.ors", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "D3.ors", "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @cases;

    # Exit status 0: the response verifies.
    test_ocsp(@{$_}, 0) for @cases;
};
65 | ||
subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    # Responses whose signature does not verify; all must be rejected.
    # Each row: test title, response fixture, issuer certificate.
    my @cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ISOP_ND1.ors", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ISOP_ND2.ors", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "ISOP_ND3.ors", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "ISOP_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "ISOP_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "ISOP_D3.ors", "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @cases;

    # Exit status 1: verification must fail.
    test_ocsp(@{$_}, 1) for @cases;
};
82 | ||
subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    # The ResponderID names a responder other than the one that signed;
    # the signer must not be accepted.
    # Each row: test title, response fixture, issuer certificate.
    my @cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "WRID_ND1.ors", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "WRID_ND2.ors", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "WRID_ND3.ors", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "WRID_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "WRID_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "WRID_D3.ors", "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @cases;

    # Exit status 1: verification must fail.
    test_ocsp(@{$_}, 1) for @cases;
};
99 | ||
subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    # The CertID issuerNameHash does not match the supplied issuer, so the
    # response does not bind to the certificate being checked.
    # Each row: test title, response fixture, issuer certificate.
    my @cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "WINH_ND1.ors", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "WINH_ND2.ors", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "WINH_ND3.ors", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "WINH_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "WINH_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "WINH_D3.ors", "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @cases;

    # Exit status 1: verification must fail.
    test_ocsp(@{$_}, 1) for @cases;
};
116 | ||
subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    # The CertID issuerKeyHash does not match the supplied issuer's key;
    # the response must be rejected even though the name hash may match.
    # Each row: test title, response fixture, issuer certificate.
    my @cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "WIKH_ND1.ors", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "WIKH_ND2.ors", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "WIKH_ND3.ors", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "WIKH_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "WIKH_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "WIKH_D3.ors", "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @cases;

    # Exit status 1: verification must fail.
    test_ocsp(@{$_}, 1) for @cases;
};
133 | ||
subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    # Delegated-responder cases only: the embedded signing certificate
    # carries a key that did not sign the response.
    # Each row: test title, response fixture, issuer certificate.
    my @cases = (
        ["DELEGATED; Intermediate CA -> EE",
         "WKDOSC_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "WKDOSC_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "WKDOSC_D3.ors", "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @cases;

    # Exit status 1: verification must fail.
    test_ocsp(@{$_}, 1) for @cases;
};
144 | ||
subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    # Delegated-responder cases only: the embedded signing certificate is
    # not validly signed by the issuer, so the delegation must not be
    # accepted.
    # Each row: test title, response fixture, issuer certificate.
    my @cases = (
        ["DELEGATED; Intermediate CA -> EE",
         "ISDOSC_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "ISDOSC_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "ISDOSC_D3.ors", "D3_Issuer_Root.pem"],
    );
    plan tests => scalar @cases;

    # Exit status 1: verification must fail.
    test_ocsp(@{$_}, 1) for @cases;
};
155 | ||
subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    # Valid responses checked against an issuer certificate whose subject
    # name differs; the response must not bind to it.
    # Each row: test title, response fixture, issuer certificate.
    my @cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ND2.ors", "WSNIC_ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "ND3.ors", "WSNIC_ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "D1.ors", "WSNIC_D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "D2.ors", "WSNIC_D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "D3.ors", "WSNIC_D3_Issuer_Root.pem"],
    );
    plan tests => scalar @cases;

    # Exit status 1: verification must fail.
    test_ocsp(@{$_}, 1) for @cases;
};
172 | ||
subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    # Valid responses checked against an issuer certificate carrying a
    # different public key; the response must not verify against it.
    # Each row: test title, response fixture, issuer certificate.
    my @cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ND1.ors", "WKIC_ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ND2.ors", "WKIC_ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "ND3.ors", "WKIC_ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "D1.ors", "WKIC_D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "D2.ors", "WKIC_D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "D3.ors", "WKIC_D3_Issuer_Root.pem"],
    );
    plan tests => scalar @cases;

    # Exit status 1: verification must fail.
    test_ocsp(@{$_}, 1) for @cases;
};
189 | ||
subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    # The issuer certificate carries a bad signature, yet verification is
    # expected to SUCCEED.  test_ocsp hands the issuer to "openssl ocsp" as
    # -CAfile with -partial_chain, so it is a trust anchor taken exactly as
    # given and its own signature is never examined; what this subtest
    # confirms is that the response still binds to that issuer's name and
    # key.  It says nothing about full-chain verification of the issuer.
    # Each row: test title, response fixture, issuer certificate.
    my @cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ND1.ors", "ISIC_ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ND2.ors", "ISIC_ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "ND3.ors", "ISIC_ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "D1.ors", "ISIC_D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "D2.ors", "ISIC_D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "D3.ors", "ISIC_D3_Issuer_Root.pem"],
    );
    plan tests => scalar @cases;

    # Exit status 0: the response verifies against the explicitly trusted
    # issuer.
    test_ocsp(@{$_}, 0) for @cases;
};