80-test_ocsp.t 9.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228
  1. #! /usr/bin/env perl
  2. # Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use warnings;
  10. use POSIX;
  11. use File::Spec::Functions qw/devnull catfile/;
  12. use File::Basename;
  13. use File::Copy;
  14. use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
  15. use OpenSSL::Test::Utils;
  16. setup("test_ocsp");
  17. plan skip_all => "OCSP is not supported by this OpenSSL build"
  18. if disabled("ocsp");
  19. my $ocspdir=srctop_dir("test", "ocsp-tests");
  20. # 17 December 2012 so we don't get certificate expiry errors.
  21. my @check_time=("-attime", "1355875200");
  22. sub test_ocsp {
  23. my $title = shift;
  24. my $inputfile = shift;
  25. my $CAfile = shift;
  26. my $untrusted = shift;
  27. if ($untrusted eq "") {
  28. $untrusted = $CAfile;
  29. }
  30. my $expected_exit = shift;
  31. my $nochecks = shift;
  32. my $outputfile = basename($inputfile, '.ors') . '.dat';
  33. run(app(["openssl", "base64", "-d",
  34. "-in", catfile($ocspdir,$inputfile),
  35. "-out", $outputfile]));
  36. with({ exit_checker => sub { return shift == $expected_exit; } },
  37. sub { ok(run(app(["openssl", "ocsp", "-respin", $outputfile,
  38. "-partial_chain", @check_time,
  39. "-CAfile", catfile($ocspdir, $CAfile),
  40. "-verify_other", catfile($ocspdir, $untrusted),
  41. "-no-CApath", "-no-CAstore",
  42. $nochecks ? "-no_cert_checks" : ()])),
  43. $title); });
  44. }
  45. plan tests => 11;
  46. subtest "=== VALID OCSP RESPONSES ===" => sub {
  47. plan tests => 7;
  48. test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
  49. "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0);
  50. test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
  51. "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0);
  52. test_ocsp("NON-DELEGATED; Root CA -> EE",
  53. "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0);
  54. test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
  55. "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0);
  56. test_ocsp("DELEGATED; Intermediate CA -> EE",
  57. "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0);
  58. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  59. "D2.ors", "D2_Issuer_Root.pem", "", 0, 0);
  60. test_ocsp("DELEGATED; Root CA -> EE",
  61. "D3.ors", "D3_Issuer_Root.pem", "", 0, 0);
  62. };
  63. subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
  64. plan tests => 6;
  65. test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
  66. "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
  67. test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
  68. "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
  69. test_ocsp("NON-DELEGATED; Root CA -> EE",
  70. "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
  71. test_ocsp("DELEGATED; Intermediate CA -> EE",
  72. "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
  73. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  74. "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
  75. test_ocsp("DELEGATED; Root CA -> EE",
  76. "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
  77. };
  78. subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
  79. plan tests => 6;
  80. test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
  81. "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
  82. test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
  83. "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
  84. test_ocsp("NON-DELEGATED; Root CA -> EE",
  85. "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
  86. test_ocsp("DELEGATED; Intermediate CA -> EE",
  87. "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
  88. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  89. "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
  90. test_ocsp("DELEGATED; Root CA -> EE",
  91. "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
  92. };
  93. subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
  94. plan tests => 6;
  95. test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
  96. "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
  97. test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
  98. "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
  99. test_ocsp("NON-DELEGATED; Root CA -> EE",
  100. "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
  101. test_ocsp("DELEGATED; Intermediate CA -> EE",
  102. "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
  103. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  104. "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
  105. test_ocsp("DELEGATED; Root CA -> EE",
  106. "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
  107. };
  108. subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
  109. plan tests => 6;
  110. test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
  111. "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
  112. test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
  113. "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
  114. test_ocsp("NON-DELEGATED; Root CA -> EE",
  115. "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
  116. test_ocsp("DELEGATED; Intermediate CA -> EE",
  117. "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
  118. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  119. "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
  120. test_ocsp("DELEGATED; Root CA -> EE",
  121. "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
  122. };
  123. subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
  124. plan tests => 3;
  125. test_ocsp("DELEGATED; Intermediate CA -> EE",
  126. "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
  127. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  128. "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
  129. test_ocsp("DELEGATED; Root CA -> EE",
  130. "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
  131. };
  132. subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
  133. plan tests => 6;
  134. test_ocsp("DELEGATED; Intermediate CA -> EE",
  135. "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
  136. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  137. "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
  138. test_ocsp("DELEGATED; Root CA -> EE",
  139. "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
  140. test_ocsp("DELEGATED; Intermediate CA -> EE",
  141. "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1);
  142. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  143. "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1);
  144. test_ocsp("DELEGATED; Root CA -> EE",
  145. "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1);
  146. };
  147. subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
  148. plan tests => 6;
  149. test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
  150. "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0);
  151. test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
  152. "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0);
  153. test_ocsp("NON-DELEGATED; Root CA -> EE",
  154. "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0);
  155. test_ocsp("DELEGATED; Intermediate CA -> EE",
  156. "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0);
  157. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  158. "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0);
  159. test_ocsp("DELEGATED; Root CA -> EE",
  160. "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0);
  161. };
  162. subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
  163. plan tests => 6;
  164. test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
  165. "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0);
  166. test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
  167. "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0);
  168. test_ocsp("NON-DELEGATED; Root CA -> EE",
  169. "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0);
  170. test_ocsp("DELEGATED; Intermediate CA -> EE",
  171. "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0);
  172. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  173. "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0);
  174. test_ocsp("DELEGATED; Root CA -> EE",
  175. "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0);
  176. };
  177. subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
  178. plan tests => 6;
  179. # Expect success, because we're explicitly trusting the issuer certificate.
  180. test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
  181. "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0);
  182. test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
  183. "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0);
  184. test_ocsp("NON-DELEGATED; Root CA -> EE",
  185. "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0);
  186. test_ocsp("DELEGATED; Intermediate CA -> EE",
  187. "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0);
  188. test_ocsp("DELEGATED; Root CA -> Intermediate CA",
  189. "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0);
  190. test_ocsp("DELEGATED; Root CA -> EE",
  191. "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
  192. };
  193. subtest "=== OCSP API TESTS===" => sub {
  194. plan tests => 1;
  195. ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
  196. "running ocspapitest");
  197. }