80-test_ocsp.t revision 1.1.1.2 
1#! /usr/bin/env perl
2# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the OpenSSL license (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9
10use strict;
11use warnings;
12
13use POSIX;
14use File::Spec::Functions qw/devnull catfile/;
15use File::Copy;
16use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
17use OpenSSL::Test::Utils;
18
19setup("test_ocsp");
20
21plan skip_all => "OCSP is not supported by this OpenSSL build"
22    if disabled("ocsp");
23
24my $ocspdir=srctop_dir("test", "ocsp-tests");
25# 17 December 2012 so we don't get certificate expiry errors.
26my @check_time=("-attime", "1355875200");
27
28sub test_ocsp {
29    my $title = shift;
30    my $inputfile = shift;
31    my $CAfile = shift;
32    my $untrusted = shift;
33    if ($untrusted eq "") {
34        $untrusted = $CAfile;
35    }
36    my $expected_exit = shift;
37
38    run(app(["openssl", "base64", "-d",
39             "-in", catfile($ocspdir,$inputfile),
40             "-out", "ocsp-resp-fff.dat"]));
41    with({ exit_checker => sub { return shift == $expected_exit; } },
42         sub { ok(run(app(["openssl", "ocsp", "-respin", "ocsp-resp-fff.dat",
43                           "-partial_chain", @check_time,
44                           "-CAfile", catfile($ocspdir, $CAfile),
45                           "-verify_other", catfile($ocspdir, $untrusted),
46                           "-no-CApath"])),
47                  $title); });
48    unlink "ocsp-resp-fff.dat";
49}
50
51plan tests => 11;
52
53subtest "=== VALID OCSP RESPONSES ===" => sub {
54    plan tests => 7;
55
56    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
57	      "ND1.ors", "ND1_Issuer_ICA.pem", "", 0);
58    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
59	      "ND2.ors", "ND2_Issuer_Root.pem", "", 0);
60    test_ocsp("NON-DELEGATED; Root CA -> EE",
61	      "ND3.ors", "ND3_Issuer_Root.pem", "", 0);
62    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
63	      "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0);
64    test_ocsp("DELEGATED; Intermediate CA -> EE",
65	      "D1.ors", "D1_Issuer_ICA.pem", "", 0);
66    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
67	      "D2.ors", "D2_Issuer_Root.pem", "", 0);
68    test_ocsp("DELEGATED; Root CA -> EE",
69	      "D3.ors", "D3_Issuer_Root.pem", "", 0);
70};
71
72subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
73    plan tests => 6;
74
75    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
76	      "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
77    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
78	      "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
79    test_ocsp("NON-DELEGATED; Root CA -> EE",
80	      "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
81    test_ocsp("DELEGATED; Intermediate CA -> EE",
82	      "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1);
83    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
84	      "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1);
85    test_ocsp("DELEGATED; Root CA -> EE",
86	      "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1);
87};
88
89subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
90    plan tests => 6;
91
92    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
93	      "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
94    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
95	      "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
96    test_ocsp("NON-DELEGATED; Root CA -> EE",
97	      "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
98    test_ocsp("DELEGATED; Intermediate CA -> EE",
99	      "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1);
100    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
101	      "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1);
102    test_ocsp("DELEGATED; Root CA -> EE",
103	      "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1);
104};
105
106subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
107    plan tests => 6;
108
109    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
110	      "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
111    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
112	      "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
113    test_ocsp("NON-DELEGATED; Root CA -> EE",
114	      "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
115    test_ocsp("DELEGATED; Intermediate CA -> EE",
116	      "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
117    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
118	      "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1);
119    test_ocsp("DELEGATED; Root CA -> EE",
120	      "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1);
121};
122
123subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
124    plan tests => 6;
125
126    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
127	      "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
128    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
129	      "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
130    test_ocsp("NON-DELEGATED; Root CA -> EE",
131	      "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
132    test_ocsp("DELEGATED; Intermediate CA -> EE",
133	      "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
134    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
135	      "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1);
136    test_ocsp("DELEGATED; Root CA -> EE",
137	      "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1);
138};
139
140subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
141    plan tests => 3;
142
143    test_ocsp("DELEGATED; Intermediate CA -> EE",
144	      "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
145    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
146	      "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
147    test_ocsp("DELEGATED; Root CA -> EE",
148	      "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
149};
150
151subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
152    plan tests => 3;
153
154    test_ocsp("DELEGATED; Intermediate CA -> EE",
155	      "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
156    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
157	      "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
158    test_ocsp("DELEGATED; Root CA -> EE",
159	      "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
160};
161
162subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
163    plan tests => 6;
164
165    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
166	      "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1);
167    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
168	      "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1);
169    test_ocsp("NON-DELEGATED; Root CA -> EE",
170	      "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1);
171    test_ocsp("DELEGATED; Intermediate CA -> EE",
172	      "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1);
173    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
174	      "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1);
175    test_ocsp("DELEGATED; Root CA -> EE",
176	      "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1);
177};
178
179subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
180    plan tests => 6;
181
182    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
183	      "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1);
184    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
185	      "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1);
186    test_ocsp("NON-DELEGATED; Root CA -> EE",
187	      "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1);
188    test_ocsp("DELEGATED; Intermediate CA -> EE",
189	      "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1);
190    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
191	      "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1);
192    test_ocsp("DELEGATED; Root CA -> EE",
193	      "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1);
194};
195
196subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
197    plan tests => 6;
198
199    # Expect success, because we're explicitly trusting the issuer certificate.
200    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
201	      "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0);
202    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
203	      "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0);
204    test_ocsp("NON-DELEGATED; Root CA -> EE",
205	      "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0);
206    test_ocsp("DELEGATED; Intermediate CA -> EE",
207	      "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0);
208    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
209	      "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0);
210    test_ocsp("DELEGATED; Root CA -> EE",
211	      "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0);
212};
213
214subtest "=== OCSP API TESTS===" => sub {
215    plan tests => 1;
216
217    ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
218                 "running ocspapitest");
219}
220