#! /usr/bin/env perl
# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Recipe for the "openssl ocsp" response verifier.  Every case below decodes
# a canned base64 response from test/ocsp-tests and checks that verifying it
# against the named issuer certificate succeeds or fails as the case expects;
# the last subtest runs the ocspapitest program.

use strict;
use warnings;

# NOTE(review): POSIX, File::Copy and the imported devnull/pipe do not appear
# to be referenced anywhere in this file; left in place pending confirmation.
use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Basename;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
use OpenSSL::Test::Utils;

setup("test_ocsp");

# Nothing here can run without the ocsp application.
plan skip_all => "OCSP is not supported by this OpenSSL build"
    if disabled("ocsp");

# Directory holding the *.ors responses and *.pem issuer certificates.
my $ocspdir=srctop_dir("test", "ocsp-tests");
# Fixed verification clock passed as "-attime" to every ocsp run so that the
# fixture certificates are inside their validity period and we don't get
# certificate expiry errors.  1355875200 is 2012-12-19T00:00:00Z (the older
# note said 17 December 2012).  Because the clock is pinned, expiry handling
# itself is deliberately not exercised by this recipe.
my @check_time=("-attime", "1355875200");

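# Decode one base64 OCSP response and verify it against a given issuer.
#
# Positional arguments:
#   $title         - label for the single ok() result this produces
#   $inputfile     - base64-encoded response (*.ors) inside $ocspdir
#   $CAfile        - certificate inside $ocspdir handed to -CAfile; with
#                    -partial_chain it acts as the trust anchor
#   $untrusted     - certificate file inside $ocspdir handed to -verify_other;
#                    "" (or undef) means "use $CAfile for that as well"
#   $expected_exit - exit status the ocsp command must return (0 = verifies,
#                    1 = rejected)
#   $nochecks      - true adds -no_cert_checks to the command line
#
# The decode step is no longer fire-and-forget: its result is folded into the
# ok() so that a failed or missing decode cannot satisfy a negative case
# (expected exit 1) merely because the response file was never produced.
sub test_ocsp {
    my ($title, $inputfile, $CAfile, $untrusted, $expected_exit, $nochecks) = @_;

    # An empty or absent untrusted set means the CA file does double duty.
    if (!defined $untrusted || $untrusted eq "") {
        $untrusted = $CAfile;
    }

    # The decoded DER response is written next to the test as <name>.dat.
    my $outputfile = basename($inputfile, '.ors') . '.dat';

    # Runs under the default exit checker, i.e. base64 must exit 0.
    my $decoded = run(app(["openssl", "base64", "-d",
                           "-in", catfile($ocspdir, $inputfile),
                           "-out", $outputfile]));

    # -no-CApath/-no-CAstore keep the default CA locations out of the trust
    # set, so only the fixture certificate given via -CAfile is trusted.
    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub {
             ok($decoded
                && run(app(["openssl", "ocsp", "-respin", $outputfile,
                            "-partial_chain", @check_time,
                            "-CAfile", catfile($ocspdir, $CAfile),
                            "-verify_other", catfile($ocspdir, $untrusted),
                            "-no-CApath", "-no-CAstore",
                            $nochecks ? "-no_cert_checks" : ()])),
                $title);
         });
}
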
plan tests => 11;

subtest "=== VALID OCSP RESPONSES ===" => sub {
    plan tests => 7;

    # Each row is [ title, response file, CA file, untrusted file ].  All of
    # them must verify, so test_ocsp is told to expect exit status 0 with
    # certificate checks left on.  The "3-level" row is the only one that
    # supplies a separate untrusted certificate for -verify_other.
    my @good_responses = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "ND1.ors", "ND1_Issuer_ICA.pem", "" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "ND2.ors", "ND2_Issuer_Root.pem", "" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "ND3.ors", "ND3_Issuer_Root.pem", "" ],
        [ "NON-DELEGATED; 3-level CA hierarchy",
          "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "D1.ors", "D1_Issuer_ICA.pem", "" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "D2.ors", "D2_Issuer_Root.pem", "" ],
        [ "DELEGATED; Root CA -> EE",
          "D3.ors", "D3_Issuer_Root.pem", "" ],
    );
    for my $row (@good_responses) {
        test_ocsp(@{$row}, 0, 0);
    }
};

subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # Same six chains as the valid set, but every ISOP_* response carries an
    # invalid signature, so verification has to fail (exit status 1).
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "ISOP_ND1.ors", "ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "ISOP_ND2.ors", "ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "ISOP_ND3.ors", "ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "ISOP_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "ISOP_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "ISOP_D3.ors", "D3_Issuer_Root.pem" ],
    );
    test_ocsp(@{$_}, "", 1, 0) for @cases;
};

subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # The WRID_* responses name a responder that does not match the signer;
    # all six must be rejected (exit status 1), checks left on.
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "WRID_ND1.ors", "ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "WRID_ND2.ors", "ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "WRID_ND3.ors", "ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "WRID_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "WRID_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "WRID_D3.ors", "D3_Issuer_Root.pem" ],
    );
    for my $case (@cases) {
        my ($title, $response, $issuer) = @{$case};
        test_ocsp($title, $response, $issuer, "", 1, 0);
    }
};

subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # WINH_* responses carry an issuer name hash that does not match the
    # issuer certificate; expected exit status 1 for every chain.
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "WINH_ND1.ors", "ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "WINH_ND2.ors", "ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "WINH_ND3.ors", "ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "WINH_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "WINH_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "WINH_D3.ors", "D3_Issuer_Root.pem" ],
    );
    test_ocsp(@{$_}, "", 1, 0) for @cases;
};

subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    # WIKH_* responses carry an issuer key hash that does not match the
    # issuer certificate; expected exit status 1 for every chain.
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "WIKH_ND1.ors", "ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "WIKH_ND2.ors", "ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "WIKH_ND3.ors", "ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "WIKH_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "WIKH_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "WIKH_D3.ors", "D3_Issuer_Root.pem" ],
    );
    for my $case (@cases) {
        test_ocsp(@{$case}, "", 1, 0);
    }
};

subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    # Only the delegated-responder chains apply here: the signing
    # certificate carries the wrong key, so each response must be rejected.
    my @delegated = (
        "DELEGATED; Intermediate CA -> EE"
            => [ "WKDOSC_D1.ors", "D1_Issuer_ICA.pem" ],
        "DELEGATED; Root CA -> Intermediate CA"
            => [ "WKDOSC_D2.ors", "D2_Issuer_Root.pem" ],
        "DELEGATED; Root CA -> EE"
            => [ "WKDOSC_D3.ors", "D3_Issuer_Root.pem" ],
    );
    while (my ($title, $files) = splice @delegated, 0, 2) {
        test_ocsp($title, @{$files}, "", 1, 0);
    }
};

subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 6;

    my @delegated = (
        [ "DELEGATED; Intermediate CA -> EE",
          "ISDOSC_D1.ors", "D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "ISDOSC_D2.ors", "D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "ISDOSC_D3.ors", "D3_Issuer_Root.pem" ],
    );
    # The three chains run twice: first with certificate checks on, then
    # with -no_cert_checks.  A bad signature on the signing certificate has
    # to be rejected either way, so the expected exit status is 1 in both
    # passes.
    for my $nochecks (0, 1) {
        for my $case (@delegated) {
            test_ocsp(@{$case}, "", 1, $nochecks);
        }
    }
};

subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # The responses are the good ones; it is the WSNIC_* issuer certificate
    # whose subject name is wrong, so verification must fail (exit 1).
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "ND2.ors", "WSNIC_ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "ND3.ors", "WSNIC_ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "D1.ors", "WSNIC_D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "D2.ors", "WSNIC_D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "D3.ors", "WSNIC_D3_Issuer_Root.pem" ],
    );
    test_ocsp(@{$_}, "", 1, 0) for @cases;
};

subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Good responses again, paired with WKIC_* issuer certificates that
    # carry the wrong key; every chain must be rejected (exit 1).
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "ND1.ors", "WKIC_ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "ND2.ors", "WKIC_ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "ND3.ors", "WKIC_ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "D1.ors", "WKIC_D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "D2.ors", "WKIC_D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "D3.ors", "WKIC_D3_Issuer_Root.pem" ],
    );
    for my $case (@cases) {
        my ($title, $response, $issuer) = @{$case};
        test_ocsp($title, $response, $issuer, "", 1, 0);
    }
};

subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Expect success, because we're explicitly trusting the issuer
    # certificate: it is handed in as the -CAfile trust anchor, so the
    # signature on the ISIC_* certificate itself is never verified.
    my @cases = (
        [ "NON-DELEGATED; Intermediate CA -> EE",
          "ND1.ors", "ISIC_ND1_Issuer_ICA.pem" ],
        [ "NON-DELEGATED; Root CA -> Intermediate CA",
          "ND2.ors", "ISIC_ND2_Issuer_Root.pem" ],
        [ "NON-DELEGATED; Root CA -> EE",
          "ND3.ors", "ISIC_ND3_Issuer_Root.pem" ],
        [ "DELEGATED; Intermediate CA -> EE",
          "D1.ors", "ISIC_D1_Issuer_ICA.pem" ],
        [ "DELEGATED; Root CA -> Intermediate CA",
          "D2.ors", "ISIC_D2_Issuer_Root.pem" ],
        [ "DELEGATED; Root CA -> EE",
          "D3.ors", "ISIC_D3_Issuer_Root.pem" ],
    );
    test_ocsp(@{$_}, "", 0, 0) for @cases;
};

subtest "=== OCSP API TESTS===" => sub {
    plan tests => 1;

    # The C-level API test takes a certificate and matching key from the
    # recipe's data directory.
    my @api_cmd = ("ocspapitest", data_file("cert.pem"), data_file("key.pem"));
    ok(run(test([@api_cmd])), "running ocspapitest");
};