80-test_ocsp.t 8.3 KB

  1. #! /usr/bin/env perl
  2. # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use warnings;
  10. use POSIX;
  11. use File::Spec::Functions qw/devnull catfile/;
  12. use File::Copy;
  13. use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
  14. use OpenSSL::Test::Utils;
  # Register this recipe with the OpenSSL test harness.
  setup("test_ocsp");

  # Without OCSP support compiled in there is nothing to exercise, so the
  # whole recipe is skipped instead of reporting failures.
  if (disabled("ocsp")) {
      plan skip_all => "OCSP is not supported by this OpenSSL build";
  }

  # Directory with the canned base64 OCSP responses (*.ors) and the issuer
  # certificates (*.pem) used by test_ocsp().
  my $ocspdir = srctop_dir("test", "ocsp-tests");

  # Verification time is pinned with -attime so the fixture certificates do
  # not fail with expiry errors as wall-clock time moves on.
  # NOTE(review): 1355875200 is 2012-12-19 00:00:00 UTC; the comment this
  # replaces said "17 December 2012" -- confirm which date was intended.
  my @check_time = ("-attime", "1355875200");
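  # Decode one canned OCSP response and check how "openssl ocsp" verifies it.
  #
  # Positional arguments:
  #   $title         - test name recorded by ok()
  #   $inputfile     - base64-encoded response, relative to $ocspdir
  #   $CAfile        - certificate file passed as -CAfile, relative to $ocspdir
  #   $untrusted     - file passed as -verify_other; "" means reuse $CAfile
  #   $expected_exit - exit status "openssl ocsp" must return for a pass
  #
  # Exactly one test result is recorded per call, so the "plan tests => N"
  # counts in the calling subtests stay valid.
  sub test_ocsp {
      my ($title, $inputfile, $CAfile, $untrusted, $expected_exit) = @_;

      $untrusted = $CAfile if $untrusted eq "";

      my $resp_file = "ocsp-resp-fff.dat";

      # The decode result used to be ignored.  Most cases below expect the
      # verifier to exit with status 1, so a missing or undecodable fixture
      # could presumably satisfy them without any verification logic having
      # been exercised.  Treat a failed decode as a test failure instead.
      unless (run(app(["openssl", "base64", "-d",
                       "-in", catfile($ocspdir, $inputfile),
                       "-out", $resp_file]))) {
          unlink $resp_file;
          ok(0, "$title (base64 decoding of $inputfile failed)");
          return;
      }

      # -partial_chain with -CAfile makes the supplied issuer certificate
      # itself the trust anchor; -no-CApath keeps the default CA directory
      # out of the result; @check_time pins the verification time.
      with({ exit_checker => sub { return shift == $expected_exit; } },
           sub {
               ok(run(app(["openssl", "ocsp", "-respin", $resp_file,
                           "-partial_chain", @check_time,
                           "-CAfile", catfile($ocspdir, $CAfile),
                           "-verify_other", catfile($ocspdir, $untrusted),
                           "-no-CApath"])),
                  $title);
           });

      # Remove the decoded response so it cannot leak into the next case.
      unlink $resp_file;
  }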
  # Eleven subtests follow: ten groups of canned responses and one API test.
  plan tests => 11;

  # Baseline: well-formed responses with matching issuers must verify
  # (exit status 0).  Columns: title, response, -CAfile, -verify_other.
  subtest "=== VALID OCSP RESPONSES ===" => sub {
      my @cases = (
          [ "NON-DELEGATED; Intermediate CA -> EE",
            "ND1.ors", "ND1_Issuer_ICA.pem", "" ],
          [ "NON-DELEGATED; Root CA -> Intermediate CA",
            "ND2.ors", "ND2_Issuer_Root.pem", "" ],
          [ "NON-DELEGATED; Root CA -> EE",
            "ND3.ors", "ND3_Issuer_Root.pem", "" ],
          [ "NON-DELEGATED; 3-level CA hierarchy",
            "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem" ],
          [ "DELEGATED; Intermediate CA -> EE",
            "D1.ors", "D1_Issuer_ICA.pem", "" ],
          [ "DELEGATED; Root CA -> Intermediate CA",
            "D2.ors", "D2_Issuer_Root.pem", "" ],
          [ "DELEGATED; Root CA -> EE",
            "D3.ors", "D3_Issuer_Root.pem", "" ],
      );

      plan tests => 7;

      for my $case (@cases) {
          test_ocsp(@{$case}, 0);
      }
  };
  # The response signature itself is bad: every case must be rejected
  # (exit status 1).  Columns: title, response, -CAfile.
  subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
      my @cases = (
          [ "NON-DELEGATED; Intermediate CA -> EE",
            "ISOP_ND1.ors", "ND1_Issuer_ICA.pem" ],
          [ "NON-DELEGATED; Root CA -> Intermediate CA",
            "ISOP_ND2.ors", "ND2_Issuer_Root.pem" ],
          [ "NON-DELEGATED; Root CA -> EE",
            "ISOP_ND3.ors", "ND3_Issuer_Root.pem" ],
          [ "DELEGATED; Intermediate CA -> EE",
            "ISOP_D1.ors", "D1_Issuer_ICA.pem" ],
          [ "DELEGATED; Root CA -> Intermediate CA",
            "ISOP_D2.ors", "D2_Issuer_Root.pem" ],
          [ "DELEGATED; Root CA -> EE",
            "ISOP_D3.ors", "D3_Issuer_Root.pem" ],
      );

      plan tests => 6;

      for my $case (@cases) {
          test_ocsp(@{$case}, "", 1);
      }
  };
  # The ResponderID in the response is wrong: every case must be rejected
  # (exit status 1).  Columns: title, response, -CAfile.
  subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
      my @cases = (
          [ "NON-DELEGATED; Intermediate CA -> EE",
            "WRID_ND1.ors", "ND1_Issuer_ICA.pem" ],
          [ "NON-DELEGATED; Root CA -> Intermediate CA",
            "WRID_ND2.ors", "ND2_Issuer_Root.pem" ],
          [ "NON-DELEGATED; Root CA -> EE",
            "WRID_ND3.ors", "ND3_Issuer_Root.pem" ],
          [ "DELEGATED; Intermediate CA -> EE",
            "WRID_D1.ors", "D1_Issuer_ICA.pem" ],
          [ "DELEGATED; Root CA -> Intermediate CA",
            "WRID_D2.ors", "D2_Issuer_Root.pem" ],
          [ "DELEGATED; Root CA -> EE",
            "WRID_D3.ors", "D3_Issuer_Root.pem" ],
      );

      plan tests => 6;

      for my $case (@cases) {
          test_ocsp(@{$case}, "", 1);
      }
  };
  # The issuerNameHash in the response is wrong: every case must be
  # rejected (exit status 1).  Columns: title, response, -CAfile.
  subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
      my @cases = (
          [ "NON-DELEGATED; Intermediate CA -> EE",
            "WINH_ND1.ors", "ND1_Issuer_ICA.pem" ],
          [ "NON-DELEGATED; Root CA -> Intermediate CA",
            "WINH_ND2.ors", "ND2_Issuer_Root.pem" ],
          [ "NON-DELEGATED; Root CA -> EE",
            "WINH_ND3.ors", "ND3_Issuer_Root.pem" ],
          [ "DELEGATED; Intermediate CA -> EE",
            "WINH_D1.ors", "D1_Issuer_ICA.pem" ],
          [ "DELEGATED; Root CA -> Intermediate CA",
            "WINH_D2.ors", "D2_Issuer_Root.pem" ],
          [ "DELEGATED; Root CA -> EE",
            "WINH_D3.ors", "D3_Issuer_Root.pem" ],
      );

      plan tests => 6;

      for my $case (@cases) {
          test_ocsp(@{$case}, "", 1);
      }
  };
  # The issuerKeyHash in the response is wrong: every case must be
  # rejected (exit status 1).  Columns: title, response, -CAfile.
  subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
      my @cases = (
          [ "NON-DELEGATED; Intermediate CA -> EE",
            "WIKH_ND1.ors", "ND1_Issuer_ICA.pem" ],
          [ "NON-DELEGATED; Root CA -> Intermediate CA",
            "WIKH_ND2.ors", "ND2_Issuer_Root.pem" ],
          [ "NON-DELEGATED; Root CA -> EE",
            "WIKH_ND3.ors", "ND3_Issuer_Root.pem" ],
          [ "DELEGATED; Intermediate CA -> EE",
            "WIKH_D1.ors", "D1_Issuer_ICA.pem" ],
          [ "DELEGATED; Root CA -> Intermediate CA",
            "WIKH_D2.ors", "D2_Issuer_Root.pem" ],
          [ "DELEGATED; Root CA -> EE",
            "WIKH_D3.ors", "D3_Issuer_Root.pem" ],
      );

      plan tests => 6;

      for my $case (@cases) {
          test_ocsp(@{$case}, "", 1);
      }
  };
  # Delegated responders only: the delegated signing certificate carries the
  # wrong key, so every case must be rejected (exit status 1).
  # Columns: title, response, -CAfile.
  subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
      my @cases = (
          [ "DELEGATED; Intermediate CA -> EE",
            "WKDOSC_D1.ors", "D1_Issuer_ICA.pem" ],
          [ "DELEGATED; Root CA -> Intermediate CA",
            "WKDOSC_D2.ors", "D2_Issuer_Root.pem" ],
          [ "DELEGATED; Root CA -> EE",
            "WKDOSC_D3.ors", "D3_Issuer_Root.pem" ],
      );

      plan tests => 3;

      for my $case (@cases) {
          test_ocsp(@{$case}, "", 1);
      }
  };
  # Delegated responders only: the delegated signing certificate has an
  # invalid signature, so every case must be rejected (exit status 1).
  # Columns: title, response, -CAfile.
  subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
      my @cases = (
          [ "DELEGATED; Intermediate CA -> EE",
            "ISDOSC_D1.ors", "D1_Issuer_ICA.pem" ],
          [ "DELEGATED; Root CA -> Intermediate CA",
            "ISDOSC_D2.ors", "D2_Issuer_Root.pem" ],
          [ "DELEGATED; Root CA -> EE",
            "ISDOSC_D3.ors", "D3_Issuer_Root.pem" ],
      );

      plan tests => 3;

      for my $case (@cases) {
          test_ocsp(@{$case}, "", 1);
      }
  };
  # Here the responses are the valid ones; the defect is in the issuer
  # certificate supplied as -CAfile (wrong subject name).  Every case must
  # be rejected (exit status 1).  Columns: title, response, -CAfile.
  subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
      my @cases = (
          [ "NON-DELEGATED; Intermediate CA -> EE",
            "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem" ],
          [ "NON-DELEGATED; Root CA -> Intermediate CA",
            "ND2.ors", "WSNIC_ND2_Issuer_Root.pem" ],
          [ "NON-DELEGATED; Root CA -> EE",
            "ND3.ors", "WSNIC_ND3_Issuer_Root.pem" ],
          [ "DELEGATED; Intermediate CA -> EE",
            "D1.ors", "WSNIC_D1_Issuer_ICA.pem" ],
          [ "DELEGATED; Root CA -> Intermediate CA",
            "D2.ors", "WSNIC_D2_Issuer_Root.pem" ],
          [ "DELEGATED; Root CA -> EE",
            "D3.ors", "WSNIC_D3_Issuer_Root.pem" ],
      );

      plan tests => 6;

      for my $case (@cases) {
          test_ocsp(@{$case}, "", 1);
      }
  };
  # Valid responses again, checked against an issuer certificate that
  # carries the wrong key.  Every case must be rejected (exit status 1).
  # Columns: title, response, -CAfile.
  subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
      my @cases = (
          [ "NON-DELEGATED; Intermediate CA -> EE",
            "ND1.ors", "WKIC_ND1_Issuer_ICA.pem" ],
          [ "NON-DELEGATED; Root CA -> Intermediate CA",
            "ND2.ors", "WKIC_ND2_Issuer_Root.pem" ],
          [ "NON-DELEGATED; Root CA -> EE",
            "ND3.ors", "WKIC_ND3_Issuer_Root.pem" ],
          [ "DELEGATED; Intermediate CA -> EE",
            "D1.ors", "WKIC_D1_Issuer_ICA.pem" ],
          [ "DELEGATED; Root CA -> Intermediate CA",
            "D2.ors", "WKIC_D2_Issuer_Root.pem" ],
          [ "DELEGATED; Root CA -> EE",
            "D3.ors", "WKIC_D3_Issuer_Root.pem" ],
      );

      plan tests => 6;

      for my $case (@cases) {
          test_ocsp(@{$case}, "", 1);
      }
  };
  # Success (exit status 0) is the expected outcome here, because the issuer
  # certificate is explicitly trusted: test_ocsp() hands it to the verifier
  # as -CAfile together with -partial_chain.  These cases therefore document
  # that a bad signature on a certificate configured as a trust anchor does
  # not cause rejection; they are not a negative test.
  # Columns: title, response, -CAfile.
  subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
      my @cases = (
          [ "NON-DELEGATED; Intermediate CA -> EE",
            "ND1.ors", "ISIC_ND1_Issuer_ICA.pem" ],
          [ "NON-DELEGATED; Root CA -> Intermediate CA",
            "ND2.ors", "ISIC_ND2_Issuer_Root.pem" ],
          [ "NON-DELEGATED; Root CA -> EE",
            "ND3.ors", "ISIC_ND3_Issuer_Root.pem" ],
          [ "DELEGATED; Intermediate CA -> EE",
            "D1.ors", "ISIC_D1_Issuer_ICA.pem" ],
          [ "DELEGATED; Root CA -> Intermediate CA",
            "D2.ors", "ISIC_D2_Issuer_Root.pem" ],
          [ "DELEGATED; Root CA -> EE",
            "D3.ors", "ISIC_D3_Issuer_Root.pem" ],
      );

      plan tests => 6;

      for my $case (@cases) {
          test_ocsp(@{$case}, "", 0);
      }
  };
  # Runs the compiled ocspapitest helper against the recipe's data files;
  # the single test passes when the helper exits successfully.
  subtest "=== OCSP API TESTS===" => sub {
      plan tests => 1;

      my @api_cmd = ("ocspapitest", data_file("cert.pem"), data_file("key.pem"));
      ok(run(test([@api_cmd])), "running ocspapitest");
  };
  186. ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
  187. "running ocspapitest");
  188. }