1$! TOCSP.COM
2$
$	! Directory (relative to the current default) that holds the stored
$	! OCSP responses and issuer certificates used below.
$	ocspdir = "ocsp-tests"
$	! Pin the verification time so the fixtures do not fail on certificate
$	! expiry.  -attime takes seconds since the Unix epoch; 1355875200 is
$	! 2012-12-19 00:00:00 UTC (an earlier note here said 17 December 2012).
$	check_time = "-attime 1355875200"
$	! Command prefix for running the openssl image.  exe_dir is not defined
$	! in this file; it is expected to be set by the caller -- confirm.
$	cmd = "mcr ''exe_dir'openssl"
7$
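$ test_ocsp: subroutine
$	! Verify one stored OCSP response and compare the result with the
$	! expected outcome.
$	!   p1 - base64-encoded OCSP response in [.'ocspdir']
$	!   p2 - PEM issuer certificate in [.'ocspdir']; used both as the trust
$	!        store (-CAfile) and as the extra certificates searched for the
$	!        response signer (-verify_other)
$	!   p3 - expected openssl exit code: 0 = response accepted, 1 = rejected
$	! Exits with status 1 when the outcome matches p3 and with status 2
$	! (severity error) otherwise, which trips the caller's ON ERROR handler.
$	set noon
$	! Start from a clean slate.  Every run writes a new version of f.d; if
$	! the decode step produced no output, ocsp would otherwise read the
$	! response left behind by the previous case and could report a result
$	! for the wrong fixture.
$	if f$search("f.d") .nes. "" then delete/nolog f.d;*
$	'cmd' base64 -d -in [.'ocspdir']'p1' -out f.d
$	! A fixture that cannot be decoded is a test failure in its own right,
$	! whatever outcome p3 asks for.
$	if $severity .ne. 1 then exit 2 ! fixture decode failed
$	! -partial_chain lets the chain end at the (possibly intermediate)
$	! certificate in p2; -CApath nul: presumably keeps any certificate
$	! directory out of the trust decision.
$	'cmd' ocsp -respin f.d -partial_chain 'check_time' -
	      "-CAfile" [.'ocspdir']'p2' -verify_other [.'ocspdir']'p2' -
	      "-CApath" nul:
$	! when ocsp exits with 0, VMS severity becomes 1
$	! when ocsp exits with 1, VMS severity becomes 2
$	! See the definition of EXIT(n) in the VMS section in e_os.h
$	! Save the severity before DELETE overwrites it.
$	ocsp_severity = $severity
$	delete/nolog f.d;*
$	if ocsp_severity .ne. 'p3'+1 then exit 2 ! severity error
$	exit 1
$	endsubroutine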
20$
$	! Driver: run every fixture through test_ocsp.  The third argument is
$	! the openssl exit code the case must produce (0 = response accepted,
$	! 1 = response rejected).  A mismatch makes test_ocsp exit with
$	! severity error, which the handler below turns into exit 2.
$	on error then exit 2
$	say = "write sys$output"
$
$	! Baseline: untouched responses and issuer certificates must verify.
$	say "=== VALID OCSP RESPONSES ==="
$	say "NON-DELEGATED; Intermediate CA -> EE"
$	call test_ocsp ND1.ors ND1_Issuer_ICA.pem 0
$	say "NON-DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp ND2.ors ND2_Issuer_Root.pem 0
$	say "NON-DELEGATED; Root CA -> EE"
$	call test_ocsp ND3.ors ND3_Issuer_Root.pem 0
$	say "DELEGATED; Intermediate CA -> EE"
$	call test_ocsp D1.ors D1_Issuer_ICA.pem 0
$	say "DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp D2.ors D2_Issuer_Root.pem 0
$	say "DELEGATED; Root CA -> EE"
$	call test_ocsp D3.ors D3_Issuer_Root.pem 0
$
$	! Negative cases with a damaged response (ISOP_/WRID_/WINH_/WIKH_
$	! fixtures) checked against the good issuer: each must be rejected.
$	say "=== INVALID SIGNATURE on the OCSP RESPONSE ==="
$	say "NON-DELEGATED; Intermediate CA -> EE"
$	call test_ocsp ISOP_ND1.ors ND1_Issuer_ICA.pem 1
$	say "NON-DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp ISOP_ND2.ors ND2_Issuer_Root.pem 1
$	say "NON-DELEGATED; Root CA -> EE"
$	call test_ocsp ISOP_ND3.ors ND3_Issuer_Root.pem 1
$	say "DELEGATED; Intermediate CA -> EE"
$	call test_ocsp ISOP_D1.ors D1_Issuer_ICA.pem 1
$	say "DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp ISOP_D2.ors D2_Issuer_Root.pem 1
$	say "DELEGATED; Root CA -> EE"
$	call test_ocsp ISOP_D3.ors D3_Issuer_Root.pem 1
$
$	say "=== WRONG RESPONDERID in the OCSP RESPONSE ==="
$	say "NON-DELEGATED; Intermediate CA -> EE"
$	call test_ocsp WRID_ND1.ors ND1_Issuer_ICA.pem 1
$	say "NON-DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp WRID_ND2.ors ND2_Issuer_Root.pem 1
$	say "NON-DELEGATED; Root CA -> EE"
$	call test_ocsp WRID_ND3.ors ND3_Issuer_Root.pem 1
$	say "DELEGATED; Intermediate CA -> EE"
$	call test_ocsp WRID_D1.ors D1_Issuer_ICA.pem 1
$	say "DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp WRID_D2.ors D2_Issuer_Root.pem 1
$	say "DELEGATED; Root CA -> EE"
$	call test_ocsp WRID_D3.ors D3_Issuer_Root.pem 1
$
$	say "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ==="
$	say "NON-DELEGATED; Intermediate CA -> EE"
$	call test_ocsp WINH_ND1.ors ND1_Issuer_ICA.pem 1
$	say "NON-DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp WINH_ND2.ors ND2_Issuer_Root.pem 1
$	say "NON-DELEGATED; Root CA -> EE"
$	call test_ocsp WINH_ND3.ors ND3_Issuer_Root.pem 1
$	say "DELEGATED; Intermediate CA -> EE"
$	call test_ocsp WINH_D1.ors D1_Issuer_ICA.pem 1
$	say "DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp WINH_D2.ors D2_Issuer_Root.pem 1
$	say "DELEGATED; Root CA -> EE"
$	call test_ocsp WINH_D3.ors D3_Issuer_Root.pem 1
$
$	say "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ==="
$	say "NON-DELEGATED; Intermediate CA -> EE"
$	call test_ocsp WIKH_ND1.ors ND1_Issuer_ICA.pem 1
$	say "NON-DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp WIKH_ND2.ors ND2_Issuer_Root.pem 1
$	say "NON-DELEGATED; Root CA -> EE"
$	call test_ocsp WIKH_ND3.ors ND3_Issuer_Root.pem 1
$	say "DELEGATED; Intermediate CA -> EE"
$	call test_ocsp WIKH_D1.ors D1_Issuer_ICA.pem 1
$	say "DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp WIKH_D2.ors D2_Issuer_Root.pem 1
$	say "DELEGATED; Root CA -> EE"
$	call test_ocsp WIKH_D3.ors D3_Issuer_Root.pem 1
$
$	! Negative cases for the delegated signing certificate; only the
$	! delegated (D*) fixtures exist for these two groups.
$	say "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ==="
$	say "DELEGATED; Intermediate CA -> EE"
$	call test_ocsp WKDOSC_D1.ors D1_Issuer_ICA.pem 1
$	say "DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp WKDOSC_D2.ors D2_Issuer_Root.pem 1
$	say "DELEGATED; Root CA -> EE"
$	call test_ocsp WKDOSC_D3.ors D3_Issuer_Root.pem 1
$
$	say "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ==="
$	say "DELEGATED; Intermediate CA -> EE"
$	call test_ocsp ISDOSC_D1.ors D1_Issuer_ICA.pem 1
$	say "DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp ISDOSC_D2.ors D2_Issuer_Root.pem 1
$	say "DELEGATED; Root CA -> EE"
$	call test_ocsp ISDOSC_D3.ors D3_Issuer_Root.pem 1
$
$	! From here on the response is the good one and the issuer
$	! certificate file is the altered fixture (WSNIC_/WKIC_/ISIC_).
$	say "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ==="
$	say "NON-DELEGATED; Intermediate CA -> EE"
$	call test_ocsp ND1.ors WSNIC_ND1_Issuer_ICA.pem 1
$	say "NON-DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp ND2.ors WSNIC_ND2_Issuer_Root.pem 1
$	say "NON-DELEGATED; Root CA -> EE"
$	call test_ocsp ND3.ors WSNIC_ND3_Issuer_Root.pem 1
$	say "DELEGATED; Intermediate CA -> EE"
$	call test_ocsp D1.ors WSNIC_D1_Issuer_ICA.pem 1
$	say "DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp D2.ors WSNIC_D2_Issuer_Root.pem 1
$	say "DELEGATED; Root CA -> EE"
$	call test_ocsp D3.ors WSNIC_D3_Issuer_Root.pem 1
$
$	say "=== WRONG KEY in the ISSUER CERTIFICATE ==="
$	say "NON-DELEGATED; Intermediate CA -> EE"
$	call test_ocsp ND1.ors WKIC_ND1_Issuer_ICA.pem 1
$	say "NON-DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp ND2.ors WKIC_ND2_Issuer_Root.pem 1
$	say "NON-DELEGATED; Root CA -> EE"
$	call test_ocsp ND3.ors WKIC_ND3_Issuer_Root.pem 1
$	say "DELEGATED; Intermediate CA -> EE"
$	call test_ocsp D1.ors WKIC_D1_Issuer_ICA.pem 1
$	say "DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp D2.ors WKIC_D2_Issuer_Root.pem 1
$	say "DELEGATED; Root CA -> EE"
$	call test_ocsp D3.ors WKIC_D3_Issuer_Root.pem 1
$
$	say "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ==="
$	! These cases are expected to SUCCEED: the issuer certificate is handed
$	! to openssl as explicitly trusted (-CAfile), so a bad signature on it
$	! is not a reason for rejection.  The practical consequence is that the
$	! integrity of a trust-anchor file has to be protected by other means.
$	say "NON-DELEGATED; Intermediate CA -> EE"
$	call test_ocsp ND1.ors ISIC_ND1_Issuer_ICA.pem 0
$	say "NON-DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp ND2.ors ISIC_ND2_Issuer_Root.pem 0
$	say "NON-DELEGATED; Root CA -> EE"
$	call test_ocsp ND3.ors ISIC_ND3_Issuer_Root.pem 0
$	say "DELEGATED; Intermediate CA -> EE"
$	call test_ocsp D1.ors ISIC_D1_Issuer_ICA.pem 0
$	say "DELEGATED; Root CA -> Intermediate CA"
$	call test_ocsp D2.ors ISIC_D2_Issuer_Root.pem 0
$	say "DELEGATED; Root CA -> EE"
$	call test_ocsp D3.ors ISIC_D3_Issuer_Root.pem 0
$
$	! Reached only when no case tripped the ON ERROR handler.
$	say "ALL OCSP TESTS SUCCESSFUL"
$	exit 1