1 | #! /usr/bin/env perl |
2 | # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | # | |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
596d6b7e RS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use POSIX; | |
14 | use File::Spec::Functions qw/devnull catfile/; | |
acf3360c | 15 | use File::Basename; |
88b8a527 | 16 | use File::Copy; |
27da1343 | 17 | use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/; |
3e41ac35 | 18 | use OpenSSL::Test::Utils; |
setup("test_ocsp");

# Nothing to verify when OCSP support was compiled out of this build.
if (disabled("ocsp")) {
    plan skip_all => "OCSP is not supported by this OpenSSL build";
}

# Directory holding the canned OCSP responses (*.ors) and the issuer /
# trust-anchor certificates used by test_ocsp() below.
my $ocspdir = srctop_dir("test", "ocsp-tests");

# Pin the verification time to a fixed instant (epoch 1355875200, in
# December 2012) so the static test certificates are not rejected as
# expired as wall-clock time moves on.
my @check_time = ("-attime", "1355875200");
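# Decode one base64-encoded OCSP response from $ocspdir and verify it with
# "openssl ocsp", checking the command's exit status against $expected_exit.
#
# Positional arguments:
#   $title         - description used as the name of the emitted test
#   $inputfile     - base64-encoded response file (.ors) under $ocspdir
#   $CAfile        - certificate(s) passed as -CAfile, i.e. what is trusted
#   $untrusted     - certificate(s) passed as -verify_other; "" (or undef)
#                    means "reuse $CAfile"
#   $expected_exit - exit status the ocsp command is expected to return
#
# Emits exactly one ok() so the caller's plan count stays one-per-call.
sub test_ocsp {
    my ($title, $inputfile, $CAfile, $untrusted, $expected_exit) = @_;

    # "" is the established "not given" sentinel; treat undef the same way
    # so a short argument list does not trigger an uninitialized warning.
    $untrusted = $CAfile if !defined $untrusted || $untrusted eq "";

    my $outputfile = basename($inputfile, '.ors') . '.dat';

    # The decode step is deliberately not turned into a test of its own, so
    # that the plan stays at one assertion per test_ocsp() call; a failure
    # is reported as a diagnostic and will show up as an unexpected exit
    # status in the verification below.
    run(app(["openssl", "base64", "-d",
             "-in", catfile($ocspdir, $inputfile),
             "-out", $outputfile]))
        or diag("base64 decode of $inputfile failed");

    # -no-CApath keeps the system CA directory out of the verification, so
    # only the certificates supplied here can make the response verify.
    # NOTE(review): if this build also consults a default CA store
    # (-no-CAstore), that should be disabled here as well -- confirm against
    # the options accepted by this build's "openssl ocsp".
    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub {
             ok(run(app(["openssl", "ocsp", "-respin", $outputfile,
                         "-partial_chain", @check_time,
                         "-CAfile", catfile($ocspdir, $CAfile),
                         "-verify_other", catfile($ocspdir, $untrusted),
                         "-no-CApath"])),
                $title);
         });
}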
# One top-level result per subtest below: ten response/certificate
# verification groups plus the API test.
plan tests => 11;
subtest "=== VALID OCSP RESPONSES ===" => sub {
    plan tests => 7;

    # [title, response file, -CAfile, extra -verify_other certs]; every
    # case is a well-formed response that must verify (exit status 0).
    my @valid_cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ND1.ors", "ND1_Issuer_ICA.pem", ""],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ND2.ors", "ND2_Issuer_Root.pem", ""],
        ["NON-DELEGATED; Root CA -> EE",
         "ND3.ors", "ND3_Issuer_Root.pem", ""],
        ["NON-DELEGATED; 3-level CA hierarchy",
         "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "D1.ors", "D1_Issuer_ICA.pem", ""],
        ["DELEGATED; Root CA -> Intermediate CA",
         "D2.ors", "D2_Issuer_Root.pem", ""],
        ["DELEGATED; Root CA -> EE",
         "D3.ors", "D3_Issuer_Root.pem", ""],
    );

    for my $case (@valid_cases) {
        test_ocsp(@{$case}, 0);
    }
};
subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # Responses whose signature does not verify; each must be rejected
    # (exit status 1) regardless of how the issuer chain is built.
    my @bad_signature_cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ISOP_ND1.ors", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ISOP_ND2.ors", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "ISOP_ND3.ors", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "ISOP_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "ISOP_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "ISOP_D3.ors", "D3_Issuer_Root.pem"],
    );

    for my $case (@bad_signature_cases) {
        my ($title, $response, $cafile) = @{$case};
        test_ocsp($title, $response, $cafile, "", 1);
    }
};
subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # The responderID in these responses does not match the signer; all
    # must be rejected (exit status 1).
    my @wrong_responder_cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "WRID_ND1.ors", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "WRID_ND2.ors", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "WRID_ND3.ors", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "WRID_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "WRID_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "WRID_D3.ors", "D3_Issuer_Root.pem"],
    );

    for my $case (@wrong_responder_cases) {
        my ($title, $response, $cafile) = @{$case};
        test_ocsp($title, $response, $cafile, "", 1);
    }
};
subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # The issuerNameHash in the single response does not match the issuer
    # certificate; every case must be rejected (exit status 1).
    my @wrong_name_hash_cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "WINH_ND1.ors", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "WINH_ND2.ors", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "WINH_ND3.ors", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "WINH_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "WINH_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "WINH_D3.ors", "D3_Issuer_Root.pem"],
    );

    for my $case (@wrong_name_hash_cases) {
        my ($title, $response, $cafile) = @{$case};
        test_ocsp($title, $response, $cafile, "", 1);
    }
};
subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # The issuerKeyHash in the single response does not match the issuer
    # certificate; every case must be rejected (exit status 1).
    my @wrong_key_hash_cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "WIKH_ND1.ors", "ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "WIKH_ND2.ors", "ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "WIKH_ND3.ors", "ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "WIKH_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "WIKH_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "WIKH_D3.ors", "D3_Issuer_Root.pem"],
    );

    for my $case (@wrong_key_hash_cases) {
        my ($title, $response, $cafile) = @{$case};
        test_ocsp($title, $response, $cafile, "", 1);
    }
};
subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    # Only the delegated-responder layouts apply here: the delegated
    # signing certificate carries the wrong key, so verification must fail
    # (exit status 1).
    my @wrong_delegated_key_cases = (
        ["DELEGATED; Intermediate CA -> EE",
         "WKDOSC_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "WKDOSC_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "WKDOSC_D3.ors", "D3_Issuer_Root.pem"],
    );

    for my $case (@wrong_delegated_key_cases) {
        my ($title, $response, $cafile) = @{$case};
        test_ocsp($title, $response, $cafile, "", 1);
    }
};
subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    # The delegated signing certificate itself has a bad signature, so the
    # chain to the trusted issuer cannot be built; verification must fail
    # (exit status 1).
    my @bad_delegated_signature_cases = (
        ["DELEGATED; Intermediate CA -> EE",
         "ISDOSC_D1.ors", "D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "ISDOSC_D2.ors", "D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "ISDOSC_D3.ors", "D3_Issuer_Root.pem"],
    );

    for my $case (@bad_delegated_signature_cases) {
        my ($title, $response, $cafile) = @{$case};
        test_ocsp($title, $response, $cafile, "", 1);
    }
};
subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Same valid responses as above, but the trusted issuer certificate
    # (WSNIC_*) carries the wrong subject name; verification must fail
    # (exit status 1).
    my @wrong_issuer_name_cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ND2.ors", "WSNIC_ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "ND3.ors", "WSNIC_ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "D1.ors", "WSNIC_D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "D2.ors", "WSNIC_D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "D3.ors", "WSNIC_D3_Issuer_Root.pem"],
    );

    for my $case (@wrong_issuer_name_cases) {
        my ($title, $response, $cafile) = @{$case};
        test_ocsp($title, $response, $cafile, "", 1);
    }
};
subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Same valid responses as above, but the trusted issuer certificate
    # (WKIC_*) carries the wrong key; verification must fail (exit status 1).
    my @wrong_issuer_key_cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ND1.ors", "WKIC_ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ND2.ors", "WKIC_ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "ND3.ors", "WKIC_ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "D1.ors", "WKIC_D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "D2.ors", "WKIC_D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "D3.ors", "WKIC_D3_Issuer_Root.pem"],
    );

    for my $case (@wrong_issuer_key_cases) {
        my ($title, $response, $cafile) = @{$case};
        test_ocsp($title, $response, $cafile, "", 1);
    }
};
subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # The issuer certificate (ISIC_*) has a bad signature, but it is passed
    # as -CAfile and therefore trusted explicitly, so its own signature is
    # never checked: verification is expected to succeed (exit status 0).
    my @bad_issuer_signature_cases = (
        ["NON-DELEGATED; Intermediate CA -> EE",
         "ND1.ors", "ISIC_ND1_Issuer_ICA.pem"],
        ["NON-DELEGATED; Root CA -> Intermediate CA",
         "ND2.ors", "ISIC_ND2_Issuer_Root.pem"],
        ["NON-DELEGATED; Root CA -> EE",
         "ND3.ors", "ISIC_ND3_Issuer_Root.pem"],
        ["DELEGATED; Intermediate CA -> EE",
         "D1.ors", "ISIC_D1_Issuer_ICA.pem"],
        ["DELEGATED; Root CA -> Intermediate CA",
         "D2.ors", "ISIC_D2_Issuer_Root.pem"],
        ["DELEGATED; Root CA -> EE",
         "D3.ors", "ISIC_D3_Issuer_Root.pem"],
    );

    for my $case (@bad_issuer_signature_cases) {
        my ($title, $response, $cafile) = @{$case};
        test_ocsp($title, $response, $cafile, "", 0);
    }
};
subtest "=== OCSP API TESTS===" => sub {
    plan tests => 1;

    # ocspapitest is a separate test program (run via test() rather than
    # app()); it takes the certificate and key from this recipe's data
    # directory.
    my @api_test_cmd = ("ocspapitest",
                        data_file("cert.pem"),
                        data_file("key.pem"));
    ok(run(test([@api_test_cmd])), "running ocspapitest");
};