[thirdparty/openssl.git] / test / recipes / 80-test_ocsp.t

#! /usr/bin/env perl
# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Basename;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
use OpenSSL::Test::Utils;

setup("test_ocsp");

plan skip_all => "OCSP is not supported by this OpenSSL build"
    if disabled("ocsp");

my $ocspdir=srctop_dir("test", "ocsp-tests");
# 17 December 2012 so we don't get certificate expiry errors.
my @check_time=("-attime", "1355875200");

sub test_ocsp {
    my $title = shift;
    my $inputfile = shift;
    my $CAfile = shift;
    my $untrusted = shift;
    if ($untrusted eq "") {
        $untrusted = $CAfile;
    }
    my $expected_exit = shift;
    my $nochecks = shift;
    my $outputfile = basename($inputfile, '.ors') . '.dat';

    run(app(["openssl", "base64", "-d",
             "-in", catfile($ocspdir,$inputfile),
             "-out", $outputfile]));
    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub { ok(run(app(["openssl", "ocsp", "-respin", $outputfile,
                           "-partial_chain", @check_time,
                           "-CAfile", catfile($ocspdir, $CAfile),
                           "-verify_other", catfile($ocspdir, $untrusted),
                           "-no-CApath", "-no-CAstore",
                           $nochecks ? "-no_cert_checks" : ()])),
                  $title); });
}

plan tests => 11;

subtest "=== VALID OCSP RESPONSES ===" => sub {
    plan tests => 7;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "D2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "D3_Issuer_Root.pem", "", 0, 0);
};

subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1);
};

subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Expect success, because we're explicitly trusting the issuer certificate.
    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
};

subtest "=== OCSP API TESTS===" => sub {
    plan tests => 1;

    ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
                 "running ocspapitest");
}
Commit	Line	Data
596d6b7e	1	#! /usr/bin/env perl
fecb3aae	2	# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
596d6b7e	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
596d6b7e RS	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
88b8a527 RL	9
	10	use strict;
	11	use warnings;
	12
	13	use POSIX;
	14	use File::Spec::Functions qw/devnull catfile/;
acf3360c	15	use File::Basename;
88b8a527	16	use File::Copy;
27da1343	17	use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
3e41ac35	18	use OpenSSL::Test::Utils;
88b8a527 RL	19
	20	setup("test_ocsp");
	21
3e41ac35 MC	22	plan skip_all => "OCSP is not supported by this OpenSSL build"
	23	if disabled("ocsp");
	24
42e0ccdf	25	my $ocspdir=srctop_dir("test", "ocsp-tests");
88b8a527 RL	26	# 17 December 2012 so we don't get certificate expiry errors.
	27	my @check_time=("-attime", "1355875200");
	28
	29	sub test_ocsp {
	30	my $title = shift;
	31	my $inputfile = shift;
	32	my $CAfile = shift;
121738d1 DO	33	my $untrusted = shift;
	34	if ($untrusted eq "") {
	35	$untrusted = $CAfile;
	36	}
88b8a527	37	my $expected_exit = shift;
6ee1f4f4	38	my $nochecks = shift;
acf3360c	39	my $outputfile = basename($inputfile, '.ors') . '.dat';
88b8a527	40
412a963c RL	41	run(app(["openssl", "base64", "-d",
412a963c RL	42	"-in", catfile($ocspdir,$inputfile),
acf3360c	43	"-out", $outputfile]));
88b8a527	44	with({ exit_checker => sub { return shift == $expected_exit; } },
acf3360c	45	sub { ok(run(app(["openssl", "ocsp", "-respin", $outputfile,
412a963c RL	46	"-partial_chain", @check_time,
412a963c RL	47	"-CAfile", catfile($ocspdir, $CAfile),
121738d1	48	"-verify_other", catfile($ocspdir, $untrusted),
6ee1f4f4 MC	49	"-no-CApath", "-no-CAstore",
6ee1f4f4 MC	50	$nochecks ? "-no_cert_checks" : ()])),
412a963c	51	$title); });
88b8a527 RL	52	}
88b8a527 RL	53
27da1343	54	plan tests => 11;
88b8a527 RL	55
88b8a527 RL	56	subtest "=== VALID OCSP RESPONSES ===" => sub {
121738d1	57	plan tests => 7;
88b8a527 RL	58
88b8a527 RL	59	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
6ee1f4f4	60	"ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0);
88b8a527	61	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	62	"ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0);
88b8a527	63	test_ocsp("NON-DELEGATED; Root CA -> EE",
6ee1f4f4	64	"ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0);
121738d1	65	test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
6ee1f4f4	66	"ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0);
88b8a527	67	test_ocsp("DELEGATED; Intermediate CA -> EE",
6ee1f4f4	68	"D1.ors", "D1_Issuer_ICA.pem", "", 0, 0);
88b8a527	69	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	70	"D2.ors", "D2_Issuer_Root.pem", "", 0, 0);
88b8a527	71	test_ocsp("DELEGATED; Root CA -> EE",
6ee1f4f4	72	"D3.ors", "D3_Issuer_Root.pem", "", 0, 0);
88b8a527 RL	73	};
	74
	75	subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
	76	plan tests => 6;
	77
	78	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
6ee1f4f4	79	"ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
88b8a527	80	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	81	"ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
88b8a527	82	test_ocsp("NON-DELEGATED; Root CA -> EE",
6ee1f4f4	83	"ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
88b8a527	84	test_ocsp("DELEGATED; Intermediate CA -> EE",
6ee1f4f4	85	"ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
88b8a527	86	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	87	"ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
88b8a527	88	test_ocsp("DELEGATED; Root CA -> EE",
6ee1f4f4	89	"ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
88b8a527 RL	90	};
	91
	92	subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
	93	plan tests => 6;
	94
	95	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
6ee1f4f4	96	"WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
88b8a527	97	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	98	"WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
88b8a527	99	test_ocsp("NON-DELEGATED; Root CA -> EE",
6ee1f4f4	100	"WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
88b8a527	101	test_ocsp("DELEGATED; Intermediate CA -> EE",
6ee1f4f4	102	"WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
88b8a527	103	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	104	"WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
88b8a527	105	test_ocsp("DELEGATED; Root CA -> EE",
6ee1f4f4	106	"WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
88b8a527 RL	107	};
	108
	109	subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
	110	plan tests => 6;
	111
	112	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
6ee1f4f4	113	"WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
88b8a527	114	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	115	"WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
88b8a527	116	test_ocsp("NON-DELEGATED; Root CA -> EE",
6ee1f4f4	117	"WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
88b8a527	118	test_ocsp("DELEGATED; Intermediate CA -> EE",
6ee1f4f4	119	"WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
88b8a527	120	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	121	"WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
88b8a527	122	test_ocsp("DELEGATED; Root CA -> EE",
6ee1f4f4	123	"WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
88b8a527 RL	124	};
	125
	126	subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
	127	plan tests => 6;
	128
	129	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
6ee1f4f4	130	"WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
88b8a527	131	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	132	"WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
88b8a527	133	test_ocsp("NON-DELEGATED; Root CA -> EE",
6ee1f4f4	134	"WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
88b8a527	135	test_ocsp("DELEGATED; Intermediate CA -> EE",
6ee1f4f4	136	"WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
88b8a527	137	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	138	"WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
88b8a527	139	test_ocsp("DELEGATED; Root CA -> EE",
6ee1f4f4	140	"WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
88b8a527 RL	141	};
	142
	143	subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
	144	plan tests => 3;
	145
	146	test_ocsp("DELEGATED; Intermediate CA -> EE",
6ee1f4f4	147	"WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
88b8a527	148	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	149	"WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
88b8a527	150	test_ocsp("DELEGATED; Root CA -> EE",
6ee1f4f4	151	"WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
88b8a527 RL	152	};
	153
	154	subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
6ee1f4f4	155	plan tests => 6;
88b8a527 RL	156
88b8a527 RL	157	test_ocsp("DELEGATED; Intermediate CA -> EE",
6ee1f4f4 MC	158	"ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
	159	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
	160	"ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
	161	test_ocsp("DELEGATED; Root CA -> EE",
	162	"ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
	163	test_ocsp("DELEGATED; Intermediate CA -> EE",
	164	"ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1);
88b8a527	165	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	166	"ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1);
88b8a527	167	test_ocsp("DELEGATED; Root CA -> EE",
6ee1f4f4	168	"ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1);
88b8a527 RL	169	};
	170
	171	subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
	172	plan tests => 6;
	173
	174	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
6ee1f4f4	175	"ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0);
88b8a527	176	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	177	"ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0);
88b8a527	178	test_ocsp("NON-DELEGATED; Root CA -> EE",
6ee1f4f4	179	"ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0);
88b8a527	180	test_ocsp("DELEGATED; Intermediate CA -> EE",
6ee1f4f4	181	"D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0);
88b8a527	182	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	183	"D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0);
88b8a527	184	test_ocsp("DELEGATED; Root CA -> EE",
6ee1f4f4	185	"D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0);
88b8a527 RL	186	};
	187
	188	subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
	189	plan tests => 6;
	190
	191	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
6ee1f4f4	192	"ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0);
88b8a527	193	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	194	"ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0);
88b8a527	195	test_ocsp("NON-DELEGATED; Root CA -> EE",
6ee1f4f4	196	"ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0);
88b8a527	197	test_ocsp("DELEGATED; Intermediate CA -> EE",
6ee1f4f4	198	"D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0);
88b8a527	199	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	200	"D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0);
88b8a527	201	test_ocsp("DELEGATED; Root CA -> EE",
6ee1f4f4	202	"D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0);
88b8a527 RL	203	};
	204
	205	subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
	206	plan tests => 6;
	207
	208	# Expect success, because we're explicitly trusting the issuer certificate.
	209	test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
6ee1f4f4	210	"ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0);
88b8a527	211	test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	212	"ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0);
88b8a527	213	test_ocsp("NON-DELEGATED; Root CA -> EE",
6ee1f4f4	214	"ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0);
88b8a527	215	test_ocsp("DELEGATED; Intermediate CA -> EE",
6ee1f4f4	216	"D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0);
88b8a527	217	test_ocsp("DELEGATED; Root CA -> Intermediate CA",
6ee1f4f4	218	"D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0);
88b8a527	219	test_ocsp("DELEGATED; Root CA -> EE",
6ee1f4f4	220	"D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
88b8a527	221	};
27da1343 BK	222
	223	subtest "=== OCSP API TESTS===" => sub {
	224	plan tests => 1;
	225
	226	ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
	227	"running ocspapitest");
	228	}