]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/recipes/80-test_ocsp.t
Add ECDSA to providers
596d6b7e
RS
1#! /usr/bin/env perl
2# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
3#
909f1a2e 4# Licensed under the Apache License 2.0 (the "License"). You may not use
596d6b7e
RS
5# this file except in compliance with the License. You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
88b8a527
RL
9
10use strict;
11use warnings;
12
13use POSIX;
14use File::Spec::Functions qw/devnull catfile/;
acf3360c 15use File::Basename;
88b8a527 16use File::Copy;
27da1343 17use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
3e41ac35 18use OpenSSL::Test::Utils;
88b8a527
RL
19
setup("test_ocsp");

# Nothing to run when this build was configured without OCSP support.
if (disabled("ocsp")) {
    plan skip_all => "OCSP is not supported by this OpenSSL build";
}

# Directory in the source tree that holds the OCSP fixtures.
my $ocspdir = srctop_dir("test", "ocsp-tests");

# Pin the verification time so the fixture certificates are not rejected as
# expired. NOTE(review): 1355875200 is 2012-12-19 00:00:00 UTC; the earlier
# comment on this line said 17 December 2012.
my @check_time = ("-attime", "1355875200");
28
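# test_ocsp($title, $inputfile, $CAfile, $untrusted, $expected_exit)
#
# Verify one stored OCSP response with "openssl ocsp" and record exactly one
# test result.
#
#   $title          name of the test result
#   $inputfile      base64-encoded response in $ocspdir (a ".ors" file)
#   $CAfile         certificate in $ocspdir passed as -CAfile
#   $untrusted      certificate in $ocspdir passed as -verify_other; the
#                   empty string means "use $CAfile again"
#   $expected_exit  exit status "openssl ocsp" has to return for the test
#                   to pass (the callers in this file use 0 or 1)
#
# NOTE(review): only the exit status is compared, so a case that expects 1
# does not confirm which check rejected the response.
sub test_ocsp {
    my ($title, $inputfile, $CAfile, $untrusted, $expected_exit) = @_;
    $untrusted = $CAfile if $untrusted eq "";
    my $outputfile = basename($inputfile, '.ors') . '.dat';

    # Decode the fixture and check that this worked. Without the check, a
    # case expecting exit status 1 could pass only because there was no
    # usable response to verify, and a .dat file left by an earlier case
    # with the same basename could be verified in place of this one.
    my $decoded = run(app(["openssl", "base64", "-d",
                           "-in", catfile($ocspdir, $inputfile),
                           "-out", $outputfile]));
    unless ($decoded) {
        # Still exactly one result per call, so the subtest plans hold.
        ok(0, "$title (base64 decoding of $inputfile failed)");
        return;
    }

    # The exit checker maps "exit status equals $expected_exit" to success,
    # which is how an expected verification failure becomes a passing test.
    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub { ok(run(app(["openssl", "ocsp", "-respin", $outputfile,
                           "-partial_chain", @check_time,
                           "-CAfile", catfile($ocspdir, $CAfile),
                           "-verify_other", catfile($ocspdir, $untrusted),
                           "-no-CApath"])),
                  $title); });
}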
51
# One result per subtest below.
plan tests => 11;

subtest "=== VALID OCSP RESPONSES ===" => sub {
    plan tests => 7;

    # [ title, response, -CAfile certificate, -verify_other certificate ]
    # An empty fourth field makes test_ocsp reuse the -CAfile certificate.
    # All of these responses must verify (exit status 0).
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "ND1.ors", "ND1_Issuer_ICA.pem", "" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "ND2.ors", "ND2_Issuer_Root.pem", "" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "ND3.ors", "ND3_Issuer_Root.pem", "" ],
        [ "NON-DELEGATED; 3-level CA hierarchy",
          "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "D1.ors", "D1_Issuer_ICA.pem", "" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "D2.ors", "D2_Issuer_Root.pem", "" ],
        [ "DELEGATED; Root CA -> EE",
          "D3.ors", "D3_Issuer_Root.pem", "" ],
    );

    for my $case (@cases) {
        my ($title, $response, $ca, $untrusted) = @$case;
        test_ocsp($title, $response, $ca, $untrusted, 0);
    }
};
72
subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # [ title, response, -CAfile certificate ]
    # The ISOP_* responses are paired with the unmodified issuer
    # certificates; each one must be rejected (exit status 1).
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "ISOP_ND1.ors", "ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "ISOP_ND2.ors", "ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "ISOP_ND3.ors", "ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "ISOP_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "ISOP_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "ISOP_D3.ors", "D3_Issuer_Root.pem" ],
    );

    for my $case (@cases) {
        my ($title, $response, $ca) = @$case;
        test_ocsp($title, $response, $ca, "", 1);
    }
};
89
subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # [ title, response, -CAfile certificate ]
    # The WRID_* responses must be rejected (exit status 1) even though the
    # issuer certificate given as trust anchor is the unmodified one.
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "WRID_ND1.ors", "ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "WRID_ND2.ors", "ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "WRID_ND3.ors", "ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "WRID_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "WRID_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "WRID_D3.ors", "D3_Issuer_Root.pem" ],
    );

    for my $case (@cases) {
        my ($title, $response, $ca) = @$case;
        test_ocsp($title, $response, $ca, "", 1);
    }
};
106
subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # [ title, response, -CAfile certificate ]
    # The WINH_* responses must be rejected (exit status 1).
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "WINH_ND1.ors", "ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "WINH_ND2.ors", "ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "WINH_ND3.ors", "ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "WINH_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "WINH_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "WINH_D3.ors", "D3_Issuer_Root.pem" ],
    );

    for my $case (@cases) {
        my ($title, $response, $ca) = @$case;
        test_ocsp($title, $response, $ca, "", 1);
    }
};
123
subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # [ title, response, -CAfile certificate ]
    # The WIKH_* responses must be rejected (exit status 1).
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "WIKH_ND1.ors", "ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "WIKH_ND2.ors", "ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "WIKH_ND3.ors", "ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "WIKH_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "WIKH_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "WIKH_D3.ors", "D3_Issuer_Root.pem" ],
    );

    for my $case (@cases) {
        my ($title, $response, $ca) = @$case;
        test_ocsp($title, $response, $ca, "", 1);
    }
};
140
subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    # [ title, response, -CAfile certificate ]
    # Delegated responders only; the WKDOSC_* responses must be rejected
    # (exit status 1).
    my @cases = (
        [ "DELEGATED; Intermediate CA -> EE",
          "WKDOSC_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "WKDOSC_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "WKDOSC_D3.ors", "D3_Issuer_Root.pem" ],
    );

    for my $case (@cases) {
        my ($title, $response, $ca) = @$case;
        test_ocsp($title, $response, $ca, "", 1);
    }
};
151
subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    # [ title, response, -CAfile certificate ]
    # Delegated responders only; the ISDOSC_* responses must be rejected
    # (exit status 1).
    my @cases = (
        [ "DELEGATED; Intermediate CA -> EE",
          "ISDOSC_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "ISDOSC_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "ISDOSC_D3.ors", "D3_Issuer_Root.pem" ],
    );

    for my $case (@cases) {
        my ($title, $response, $ca) = @$case;
        test_ocsp($title, $response, $ca, "", 1);
    }
};
162
subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # [ title, response, -CAfile certificate ]
    # Here the responses are the unmodified ones and the WSNIC_* issuer
    # certificate is the altered input; verification must fail (exit 1).
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "ND2.ors", "WSNIC_ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "ND3.ors", "WSNIC_ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "D1.ors", "WSNIC_D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "D2.ors", "WSNIC_D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "D3.ors", "WSNIC_D3_Issuer_Root.pem" ],
    );

    for my $case (@cases) {
        my ($title, $response, $ca) = @$case;
        test_ocsp($title, $response, $ca, "", 1);
    }
};
179
subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # [ title, response, -CAfile certificate ]
    # Unmodified responses checked against the WKIC_* issuer certificates;
    # verification must fail (exit status 1).
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "ND1.ors", "WKIC_ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "ND2.ors", "WKIC_ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "ND3.ors", "WKIC_ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "D1.ors", "WKIC_D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "D2.ors", "WKIC_D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "D3.ors", "WKIC_D3_Issuer_Root.pem" ],
    );

    for my $case (@cases) {
        my ($title, $response, $ca) = @$case;
        test_ocsp($title, $response, $ca, "", 1);
    }
};
196
subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # [ title, response, -CAfile certificate ]
    # Unlike the other tampered-input groups, every case here expects exit
    # status 0: the ISIC_* issuer certificate is passed to test_ocsp as the
    # explicitly trusted CA file, so verification is expected to succeed.
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "ND1.ors", "ISIC_ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "ND2.ors", "ISIC_ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "ND3.ors", "ISIC_ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "D1.ors", "ISIC_D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "D2.ors", "ISIC_D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "D3.ors", "ISIC_D3_Issuer_Root.pem" ],
    );

    for my $case (@cases) {
        my ($title, $response, $ca) = @$case;
        test_ocsp($title, $response, $ca, "", 0);
    }
};
27da1343
BK
214
subtest "=== OCSP API TESTS===" => sub {
    plan tests => 1;

    # Run the ocspapitest helper with the certificate and key from this
    # recipe's data directory; the single result is whether the run passed.
    my @command = ("ocspapitest", data_file("cert.pem"), data_file("key.pem"));
    ok(run(test(\@command)), "running ocspapitest");
}