[thirdparty/openssl.git] / test / recipes / 80-test_ocsp.t

#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir/;
use OpenSSL::Test::Utils;

setup("test_ocsp");

plan skip_all => "OCSP is not supported by this OpenSSL build"
    if disabled("ocsp");

my $ocspdir=srctop_dir("test", "ocsp-tests");
# 17 December 2012 so we don't get certificate expiry errors.
my @check_time=("-attime", "1355875200");

sub test_ocsp {
    my $title = shift;
    my $inputfile = shift;
    my $CAfile = shift;
    my $expected_exit = shift;

    run(app(["openssl", "base64", "-d",
             "-in", catfile($ocspdir,$inputfile),
             "-out", "ocsp-resp-fff.dat"]));
    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub { ok(run(app(["openssl", "ocsp", "-respin", "ocsp-resp-fff.dat",
                           "-partial_chain", @check_time,
                           "-CAfile", catfile($ocspdir, $CAfile),
                           "-verify_other", catfile($ocspdir, $CAfile),
                           "-no-CApath"])),
                  $title); });
    unlink "ocsp-resp-fff.dat";
}

plan tests => 10;

subtest "=== VALID OCSP RESPONSES ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	      "ND1.ors", "ND1_Issuer_ICA.pem", 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	      "ND2.ors", "ND2_Issuer_Root.pem", 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
	      "ND3.ors", "ND3_Issuer_Root.pem", 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
	      "D1.ors", "D1_Issuer_ICA.pem", 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	      "D2.ors", "D2_Issuer_Root.pem", 0);
    test_ocsp("DELEGATED; Root CA -> EE",
	      "D3.ors", "D3_Issuer_Root.pem", 0);
};

subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	      "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	      "ISOP_ND2.ors", "ND2_Issuer_Root.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
	      "ISOP_ND3.ors", "ND3_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
	      "ISOP_D1.ors", "D1_Issuer_ICA.pem", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	      "ISOP_D2.ors", "D2_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
	      "ISOP_D3.ors", "D3_Issuer_Root.pem", 1);
};

subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	      "WRID_ND1.ors", "ND1_Issuer_ICA.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	      "WRID_ND2.ors", "ND2_Issuer_Root.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
	      "WRID_ND3.ors", "ND3_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
	      "WRID_D1.ors", "D1_Issuer_ICA.pem", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	      "WRID_D2.ors", "D2_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
	      "WRID_D3.ors", "D3_Issuer_Root.pem", 1);
};

subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	      "WINH_ND1.ors", "ND1_Issuer_ICA.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	      "WINH_ND2.ors", "ND2_Issuer_Root.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
	      "WINH_ND3.ors", "ND3_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
	      "WINH_D1.ors", "D1_Issuer_ICA.pem", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	      "WINH_D2.ors", "D2_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
	      "WINH_D3.ors", "D3_Issuer_Root.pem", 1);
};

subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	      "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	      "WIKH_ND2.ors", "ND2_Issuer_Root.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
	      "WIKH_ND3.ors", "ND3_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
	      "WIKH_D1.ors", "D1_Issuer_ICA.pem", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	      "WIKH_D2.ors", "D2_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
	      "WIKH_D3.ors", "D3_Issuer_Root.pem", 1);
};

subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
	      "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	      "WKDOSC_D2.ors", "D2_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
	      "WKDOSC_D3.ors", "D3_Issuer_Root.pem", 1);
};

subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
	      "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	      "ISDOSC_D2.ors", "D2_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
	      "ISDOSC_D3.ors", "D3_Issuer_Root.pem", 1);
};

subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	      "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	      "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
	      "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
	      "D1.ors", "WSNIC_D1_Issuer_ICA.pem", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	      "D2.ors", "WSNIC_D2_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
	      "D3.ors", "WSNIC_D3_Issuer_Root.pem", 1);
};

subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	      "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	      "ND2.ors", "WKIC_ND2_Issuer_Root.pem", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
	      "ND3.ors", "WKIC_ND3_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
	      "D1.ors", "WKIC_D1_Issuer_ICA.pem", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	      "D2.ors", "WKIC_D2_Issuer_Root.pem", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
	      "D3.ors", "WKIC_D3_Issuer_Root.pem", 1);
};

subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Expect success, because we're explicitly trusting the issuer certificate.
    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	      "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	      "ND2.ors", "ISIC_ND2_Issuer_Root.pem", 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
	      "ND3.ors", "ISIC_ND3_Issuer_Root.pem", 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
	      "D1.ors", "ISIC_D1_Issuer_ICA.pem", 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	      "D2.ors", "ISIC_D2_Issuer_Root.pem", 0);
    test_ocsp("DELEGATED; Root CA -> EE",
	      "D3.ors", "ISIC_D3_Issuer_Root.pem", 0);
};
Commit	Line	Data
596d6b7e RS	1	#! /usr/bin/env perl
	2	# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
	3	#
	4	# Licensed under the OpenSSL license (the "License"). You may not use
	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
88b8a527 RL	9
	10	use strict;
	11	use warnings;
	12
	13	use POSIX;
	14	use File::Spec::Functions qw/devnull catfile/;
	15	use File::Copy;
42e0ccdf	16	use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir/;
3e41ac35	17	use OpenSSL::Test::Utils;
88b8a527 RL	18
	19	setup("test_ocsp");
	20
3e41ac35 MC	21	plan skip_all => "OCSP is not supported by this OpenSSL build"
	22	if disabled("ocsp");
	23
42e0ccdf	24	my $ocspdir=srctop_dir("test", "ocsp-tests");
88b8a527 RL	25	# 17 December 2012 so we don't get certificate expiry errors.
	26	my @check_time=("-attime", "1355875200");
	27
	28	sub test_ocsp {
	29	my $title = shift;
	30	my $inputfile = shift;
	31	my $CAfile = shift;
	32	my $expected_exit = shift;
	33
412a963c RL	34	run(app(["openssl", "base64", "-d",
	35	"-in", catfile($ocspdir,$inputfile),
	36	"-out", "ocsp-resp-fff.dat"]));
88b8a527	37	with({ exit_checker => sub { return shift == $expected_exit; } },
412a963c RL	38	sub { ok(run(app(["openssl", "ocsp", "-respin", "ocsp-resp-fff.dat",
	39	"-partial_chain", @check_time,
	40	"-CAfile", catfile($ocspdir, $CAfile),
	41	"-verify_other", catfile($ocspdir, $CAfile),
	42	"-no-CApath"])),
	43	$title); });
	44	unlink "ocsp-resp-fff.dat";
88b8a527 RL	45	}
	46
	47	plan tests => 10;
	48
	49	subtest "=== VALID OCSP RESPONSES ===" => sub {
	50	plan tests => 6;
	51
	52	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	53	"ND1.ors", "ND1_Issuer_ICA.pem", 0);
	54	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	55	"ND2.ors", "ND2_Issuer_Root.pem", 0);
	56	test_ocsp("NON-DELEGATED; Root CA -> EE",
	57	"ND3.ors", "ND3_Issuer_Root.pem", 0);
	58	test_ocsp("DELEGATED; Intermediate CA -> EE",
	59	"D1.ors", "D1_Issuer_ICA.pem", 0);
	60	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	61	"D2.ors", "D2_Issuer_Root.pem", 0);
	62	test_ocsp("DELEGATED; Root CA -> EE",
	63	"D3.ors", "D3_Issuer_Root.pem", 0);
	64	};
	65
	66	subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
	67	plan tests => 6;
	68
	69	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	70	"ISOP_ND1.ors", "ND1_Issuer_ICA.pem", 1);
	71	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	72	"ISOP_ND2.ors", "ND2_Issuer_Root.pem", 1);
	73	test_ocsp("NON-DELEGATED; Root CA -> EE",
	74	"ISOP_ND3.ors", "ND3_Issuer_Root.pem", 1);
	75	test_ocsp("DELEGATED; Intermediate CA -> EE",
	76	"ISOP_D1.ors", "D1_Issuer_ICA.pem", 1);
	77	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	78	"ISOP_D2.ors", "D2_Issuer_Root.pem", 1);
	79	test_ocsp("DELEGATED; Root CA -> EE",
	80	"ISOP_D3.ors", "D3_Issuer_Root.pem", 1);
	81	};
	82
	83	subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
	84	plan tests => 6;
	85
	86	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	87	"WRID_ND1.ors", "ND1_Issuer_ICA.pem", 1);
	88	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	89	"WRID_ND2.ors", "ND2_Issuer_Root.pem", 1);
	90	test_ocsp("NON-DELEGATED; Root CA -> EE",
	91	"WRID_ND3.ors", "ND3_Issuer_Root.pem", 1);
	92	test_ocsp("DELEGATED; Intermediate CA -> EE",
	93	"WRID_D1.ors", "D1_Issuer_ICA.pem", 1);
	94	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	95	"WRID_D2.ors", "D2_Issuer_Root.pem", 1);
	96	test_ocsp("DELEGATED; Root CA -> EE",
	97	"WRID_D3.ors", "D3_Issuer_Root.pem", 1);
	98	};
	99
	100	subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
	101	plan tests => 6;
	102
	103	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
	104	"WINH_ND1.ors", "ND1_Issuer_ICA.pem", 1);
	105	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
	106	"WINH_ND2.ors", "ND2_Issuer_Root.pem", 1);
	107	test_ocsp("NON-DELEGATED; Root CA -> EE",
	108	"WINH_ND3.ors", "ND3_Issuer_Root.pem", 1);
109	test_ocsp("DELEGATED; Intermediate CA -> EE",
110	"WINH_D1.ors", "D1_Issuer_ICA.pem", 1);
111	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
112	"WINH_D2.ors", "D2_Issuer_Root.pem", 1);
113	test_ocsp("DELEGATED; Root CA -> EE",
114	"WINH_D3.ors", "D3_Issuer_Root.pem", 1);
115	};
116
117	subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
118	plan tests => 6;
119
120	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
121	"WIKH_ND1.ors", "ND1_Issuer_ICA.pem", 1);
122	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
123	"WIKH_ND2.ors", "ND2_Issuer_Root.pem", 1);
124	test_ocsp("NON-DELEGATED; Root CA -> EE",
125	"WIKH_ND3.ors", "ND3_Issuer_Root.pem", 1);
126	test_ocsp("DELEGATED; Intermediate CA -> EE",
127	"WIKH_D1.ors", "D1_Issuer_ICA.pem", 1);
128	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
129	"WIKH_D2.ors", "D2_Issuer_Root.pem", 1);
130	test_ocsp("DELEGATED; Root CA -> EE",
131	"WIKH_D3.ors", "D3_Issuer_Root.pem", 1);
132	};
133
134	subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
135	plan tests => 3;
136
137	test_ocsp("DELEGATED; Intermediate CA -> EE",
138	"WKDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);
139	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
140	"WKDOSC_D2.ors", "D2_Issuer_Root.pem", 1);
141	test_ocsp("DELEGATED; Root CA -> EE",
142	"WKDOSC_D3.ors", "D3_Issuer_Root.pem", 1);
143	};
144
145	subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
146	plan tests => 3;
147
148	test_ocsp("DELEGATED; Intermediate CA -> EE",
149	"ISDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);
150	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
151	"ISDOSC_D2.ors", "D2_Issuer_Root.pem", 1);
152	test_ocsp("DELEGATED; Root CA -> EE",
153	"ISDOSC_D3.ors", "D3_Issuer_Root.pem", 1);
154	};
155
156	subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
157	plan tests => 6;
158
159	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
160	"ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", 1);
161	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
162	"ND2.ors", "WSNIC_ND2_Issuer_Root.pem", 1);
163	test_ocsp("NON-DELEGATED; Root CA -> EE",
164	"ND3.ors", "WSNIC_ND3_Issuer_Root.pem", 1);
165	test_ocsp("DELEGATED; Intermediate CA -> EE",
166	"D1.ors", "WSNIC_D1_Issuer_ICA.pem", 1);
167	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
168	"D2.ors", "WSNIC_D2_Issuer_Root.pem", 1);
169	test_ocsp("DELEGATED; Root CA -> EE",
170	"D3.ors", "WSNIC_D3_Issuer_Root.pem", 1);
171	};
172
173	subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
174	plan tests => 6;
175
176	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
177	"ND1.ors", "WKIC_ND1_Issuer_ICA.pem", 1);
178	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
179	"ND2.ors", "WKIC_ND2_Issuer_Root.pem", 1);
180	test_ocsp("NON-DELEGATED; Root CA -> EE",
181	"ND3.ors", "WKIC_ND3_Issuer_Root.pem", 1);
182	test_ocsp("DELEGATED; Intermediate CA -> EE",
183	"D1.ors", "WKIC_D1_Issuer_ICA.pem", 1);
184	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
185	"D2.ors", "WKIC_D2_Issuer_Root.pem", 1);
186	test_ocsp("DELEGATED; Root CA -> EE",
187	"D3.ors", "WKIC_D3_Issuer_Root.pem", 1);
188	};
189
190	subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
191	plan tests => 6;
192
193	# Expect success, because we're explicitly trusting the issuer certificate.
194	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
195	"ND1.ors", "ISIC_ND1_Issuer_ICA.pem", 0);
196	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
197	"ND2.ors", "ISIC_ND2_Issuer_Root.pem", 0);
198	test_ocsp("NON-DELEGATED; Root CA -> EE",
199	"ND3.ors", "ISIC_ND3_Issuer_Root.pem", 0);
200	test_ocsp("DELEGATED; Intermediate CA -> EE",
201	"D1.ors", "ISIC_D1_Issuer_ICA.pem", 0);
202	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
203	"D2.ors", "ISIC_D2_Issuer_Root.pem", 0);
204	test_ocsp("DELEGATED; Root CA -> EE",
205	"D3.ors", "ISIC_D3_Issuer_Root.pem", 0);
206	};