1$! TOCSP.COM 2$ 3$ cmd = "mcr ''exe_dir'openssl" 4$ ocspdir = "ocsp-tests" 5$ ! 17 December 2012 so we don't get certificate expiry errors. 6$ check_time = "-attime 1355875200" 7$ 8$ test_ocsp: subroutine 9$ set noon 10$ 'cmd' base64 -d -in [.'ocspdir']'p1' -out f.d 11$ 'cmd' ocsp -respin f.d -partial_chain 'check_time' - 12 "-CAfile" [.'ocspdir']'p2' -verify_other [.'ocspdir']'p2' - 13 "-CApath" nul: 14$ ! when ocsp exits with 0, VMS severity becomes 1 15$ ! when ocsp exits with 1, VMS severity becomes 2 16$ ! See the definition of EXIT(n) in the VMS sextion in e_os.h 17$ if $severity .ne. 'p3'+1 then exit 2 ! severity error 18$ exit 1 19$ endsubroutine 20$ 21$ on error then exit 2 22$ write sys$output "=== VALID OCSP RESPONSES ===" 23$ write sys$output "NON-DELEGATED; Intermediate CA -> EE" 24$ call test_ocsp ND1.ors ND1_Issuer_ICA.pem 0 25$ write sys$output "NON-DELEGATED; Root CA -> Intermediate CA" 26$ call test_ocsp ND2.ors ND2_Issuer_Root.pem 0 27$ write sys$output "NON-DELEGATED; Root CA -> EE" 28$ call test_ocsp ND3.ors ND3_Issuer_Root.pem 0 29$ write sys$output "DELEGATED; Intermediate CA -> EE" 30$ call test_ocsp D1.ors D1_Issuer_ICA.pem 0 31$ write sys$output "DELEGATED; Root CA -> Intermediate CA" 32$ call test_ocsp D2.ors D2_Issuer_Root.pem 0 33$ write sys$output "DELEGATED; Root CA -> EE" 34$ call test_ocsp D3.ors D3_Issuer_Root.pem 0 35$ 36$ write sys$output "=== INVALID SIGNATURE on the OCSP RESPONSE ===" 37$ write sys$output "NON-DELEGATED; Intermediate CA -> EE" 38$ call test_ocsp ISOP_ND1.ors ND1_Issuer_ICA.pem 1 39$ write sys$output "NON-DELEGATED; Root CA -> Intermediate CA" 40$ call test_ocsp ISOP_ND2.ors ND2_Issuer_Root.pem 1 41$ write sys$output "NON-DELEGATED; Root CA -> EE" 42$ call test_ocsp ISOP_ND3.ors ND3_Issuer_Root.pem 1 43$ write sys$output "DELEGATED; Intermediate CA -> EE" 44$ call test_ocsp ISOP_D1.ors D1_Issuer_ICA.pem 1 45$ write sys$output "DELEGATED; Root CA -> Intermediate CA" 46$ call test_ocsp ISOP_D2.ors D2_Issuer_Root.pem 1 47$ write sys$output "DELEGATED; Root CA -> EE" 48$ call test_ocsp ISOP_D3.ors D3_Issuer_Root.pem 1 49$ 50$ write sys$output "=== WRONG RESPONDERID in the OCSP RESPONSE ===" 51$ write sys$output "NON-DELEGATED; Intermediate CA -> EE" 52$ call test_ocsp WRID_ND1.ors ND1_Issuer_ICA.pem 1 53$ write sys$output "NON-DELEGATED; Root CA -> Intermediate CA" 54$ call test_ocsp WRID_ND2.ors ND2_Issuer_Root.pem 1 55$ write sys$output "NON-DELEGATED; Root CA -> EE" 56$ call test_ocsp WRID_ND3.ors ND3_Issuer_Root.pem 1 57$ write sys$output "DELEGATED; Intermediate CA -> EE" 58$ call test_ocsp WRID_D1.ors D1_Issuer_ICA.pem 1 59$ write sys$output "DELEGATED; Root CA -> Intermediate CA" 60$ call test_ocsp WRID_D2.ors D2_Issuer_Root.pem 1 61$ write sys$output "DELEGATED; Root CA -> EE" 62$ call test_ocsp WRID_D3.ors D3_Issuer_Root.pem 1 63$ 64$ write sys$output "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" 65$ write sys$output "NON-DELEGATED; Intermediate CA -> EE" 66$ call test_ocsp WINH_ND1.ors ND1_Issuer_ICA.pem 1 67$ write sys$output "NON-DELEGATED; Root CA -> Intermediate CA" 68$ call test_ocsp WINH_ND2.ors ND2_Issuer_Root.pem 1 69$ write sys$output "NON-DELEGATED; Root CA -> EE" 70$ call test_ocsp WINH_ND3.ors ND3_Issuer_Root.pem 1 71$ write sys$output "DELEGATED; Intermediate CA -> EE" 72$ call test_ocsp WINH_D1.ors D1_Issuer_ICA.pem 1 73$ write sys$output "DELEGATED; Root CA -> Intermediate CA" 74$ call test_ocsp WINH_D2.ors D2_Issuer_Root.pem 1 75$ write sys$output "DELEGATED; Root CA -> EE" 76$ call test_ocsp WINH_D3.ors D3_Issuer_Root.pem 1 77$ 78$ write sys$output "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" 79$ write sys$output "NON-DELEGATED; Intermediate CA -> EE" 80$ call test_ocsp WIKH_ND1.ors ND1_Issuer_ICA.pem 1 81$ write sys$output "NON-DELEGATED; Root CA -> Intermediate CA" 82$ call test_ocsp WIKH_ND2.ors ND2_Issuer_Root.pem 1 83$ write sys$output "NON-DELEGATED; Root CA -> EE" 84$ call test_ocsp WIKH_ND3.ors ND3_Issuer_Root.pem 1 85$ write sys$output "DELEGATED; Intermediate CA -> EE" 86$ call test_ocsp WIKH_D1.ors D1_Issuer_ICA.pem 1 87$ write sys$output "DELEGATED; Root CA -> Intermediate CA" 88$ call test_ocsp WIKH_D2.ors D2_Issuer_Root.pem 1 89$ write sys$output "DELEGATED; Root CA -> EE" 90$ call test_ocsp WIKH_D3.ors D3_Issuer_Root.pem 1 91$ 92$ write sys$output "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" 93$ write sys$output "DELEGATED; Intermediate CA -> EE" 94$ call test_ocsp WKDOSC_D1.ors D1_Issuer_ICA.pem 1 95$ write sys$output "DELEGATED; Root CA -> Intermediate CA" 96$ call test_ocsp WKDOSC_D2.ors D2_Issuer_Root.pem 1 97$ write sys$output "DELEGATED; Root CA -> EE" 98$ call test_ocsp WKDOSC_D3.ors D3_Issuer_Root.pem 1 99$ 100$ write sys$output "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" 101$ write sys$output "DELEGATED; Intermediate CA -> EE" 102$ call test_ocsp ISDOSC_D1.ors D1_Issuer_ICA.pem 1 103$ write sys$output "DELEGATED; Root CA -> Intermediate CA" 104$ call test_ocsp ISDOSC_D2.ors D2_Issuer_Root.pem 1 105$ write sys$output "DELEGATED; Root CA -> EE" 106$ call test_ocsp ISDOSC_D3.ors D3_Issuer_Root.pem 1 107$ 108$ write sys$output "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" 109$ write sys$output "NON-DELEGATED; Intermediate CA -> EE" 110$ call test_ocsp ND1.ors WSNIC_ND1_Issuer_ICA.pem 1 111$ write sys$output "NON-DELEGATED; Root CA -> Intermediate CA" 112$ call test_ocsp ND2.ors WSNIC_ND2_Issuer_Root.pem 1 113$ write sys$output "NON-DELEGATED; Root CA -> EE" 114$ call test_ocsp ND3.ors WSNIC_ND3_Issuer_Root.pem 1 115$ write sys$output "DELEGATED; Intermediate CA -> EE" 116$ call test_ocsp D1.ors WSNIC_D1_Issuer_ICA.pem 1 117$ write sys$output "DELEGATED; Root CA -> Intermediate CA" 118$ call test_ocsp D2.ors WSNIC_D2_Issuer_Root.pem 1 119$ write sys$output "DELEGATED; Root CA -> EE" 120$ call test_ocsp D3.ors WSNIC_D3_Issuer_Root.pem 1 121$ 122$ write sys$output "=== WRONG KEY in the ISSUER CERTIFICATE ===" 123$ write sys$output "NON-DELEGATED; Intermediate CA -> EE" 124$ call test_ocsp ND1.ors WKIC_ND1_Issuer_ICA.pem 1 125$ write sys$output "NON-DELEGATED; Root CA -> Intermediate CA" 126$ call test_ocsp ND2.ors WKIC_ND2_Issuer_Root.pem 1 127$ write sys$output "NON-DELEGATED; Root CA -> EE" 128$ call test_ocsp ND3.ors WKIC_ND3_Issuer_Root.pem 1 129$ write sys$output "DELEGATED; Intermediate CA -> EE" 130$ call test_ocsp D1.ors WKIC_D1_Issuer_ICA.pem 1 131$ write sys$output "DELEGATED; Root CA -> Intermediate CA" 132$ call test_ocsp D2.ors WKIC_D2_Issuer_Root.pem 1 133$ write sys$output "DELEGATED; Root CA -> EE" 134$ call test_ocsp D3.ors WKIC_D3_Issuer_Root.pem 1 135$ 136$ write sys$output "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" 137$ !# Expect success, because we're explicitly trusting the issuer certificate. 138$ write sys$output "NON-DELEGATED; Intermediate CA -> EE" 139$ call test_ocsp ND1.ors ISIC_ND1_Issuer_ICA.pem 0 140$ write sys$output "NON-DELEGATED; Root CA -> Intermediate CA" 141$ call test_ocsp ND2.ors ISIC_ND2_Issuer_Root.pem 0 142$ write sys$output "NON-DELEGATED; Root CA -> EE" 143$ call test_ocsp ND3.ors ISIC_ND3_Issuer_Root.pem 0 144$ write sys$output "DELEGATED; Intermediate CA -> EE" 145$ call test_ocsp D1.ors ISIC_D1_Issuer_ICA.pem 0 146$ write sys$output "DELEGATED; Root CA -> Intermediate CA" 147$ call test_ocsp D2.ors ISIC_D2_Issuer_Root.pem 0 148$ write sys$output "DELEGATED; Root CA -> EE" 149$ call test_ocsp D3.ors ISIC_D3_Issuer_Root.pem 0 150$ 151$ write sys$output "ALL OCSP TESTS SUCCESSFUL" 152$ exit 1 153