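#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Recipe for the OCSP response verification tests.
#
# Every case decodes a base64-encoded OCSP response from test/ocsp-tests and
# runs it through "openssl ocsp" with a single issuer certificate supplied as
# the only trust anchor.  The cases are grouped by the defect the response (or
# the issuer certificate) carries, and each group pins the exit status the
# verification must produce: 0 where the response has to be accepted, 1 where
# it has to be rejected.

use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
use OpenSSL::Test::Utils;

setup("test_ocsp");

plan skip_all => "OCSP is not supported by this OpenSSL build"
    if disabled("ocsp");

# Directory holding the encoded responses (*.ors) and the issuer certificates.
my $ocspdir = srctop_dir("test", "ocsp-tests");

# Verify as of 17 December 2012 (fixed, so the fixtures never age out).
# Certificate expiry is therefore deliberately outside what these cases test.
my @check_time = ("-attime", "1355875200");

# Scratch file the decoded response is written to before verification.
my $respfile = "ocsp-resp-fff.dat";

# test_ocsp TITLE, INPUTFILE, CAFILE, UNTRUSTED, EXPECTED_EXIT
#
# Decodes INPUTFILE (base64, relative to $ocspdir) into $respfile and verifies
# it with "openssl ocsp", reporting exactly one test result named TITLE.
#
#   CAFILE         certificate (relative to $ocspdir) passed to -CAfile; with
#                  -no-CApath it is the only trust anchor the check consults.
#   UNTRUSTED      certificate passed to -verify_other; the empty string (or
#                  undef) means "the same file as CAFILE".
#   EXPECTED_EXIT  exit status "openssl ocsp" must return for the test to
#                  pass: 0 for an accepted response, 1 for a rejected one.
#
# A response that cannot be decoded is reported as a failure up front instead
# of being handed to "openssl ocsp": a missing or corrupt fixture would make
# "openssl ocsp" exit non-zero on its own, and every negative case
# (EXPECTED_EXIT 1) would then pass without exercising the check it covers.
sub test_ocsp {
    my ($title, $inputfile, $CAfile, $untrusted, $expected_exit) = @_;

    if (!defined $untrusted || $untrusted eq "") {
        $untrusted = $CAfile;
    }

    my $decoded = run(app(["openssl", "base64", "-d",
                           "-in", catfile($ocspdir, $inputfile),
                           "-out", $respfile]));
    if (!$decoded) {
        ok(0, "$title (could not decode $inputfile)");
        unlink $respfile;
        return;
    }

    # For the duration of the closure, run()'s default "exit status 0" check
    # is replaced by a comparison against the status this case expects.
    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub { ok(run(app(["openssl", "ocsp", "-respin", $respfile,
                           "-partial_chain", @check_time,
                           "-CAfile", catfile($ocspdir, $CAfile),
                           "-verify_other", catfile($ocspdir, $untrusted),
                           "-no-CApath"])),
                  $title); });
    unlink $respfile;
    return;
}

plan tests => 11;

subtest "=== VALID OCSP RESPONSES ===" => sub {
    plan tests => 7;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ND2_Issuer_Root.pem", "", 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ND3_Issuer_Root.pem", "", 0);
    # The only case that supplies a separate -verify_other file: the cross
    # certificate bridges the root to the issuing intermediate CA.
    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "D1_Issuer_ICA.pem", "", 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "D2_Issuer_Root.pem", "", 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "D3_Issuer_Root.pem", "", 0);
};

subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1);
};

subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1);
};

subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1);
};

subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1);
};

subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
};

subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
};

subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1);
};

subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1);
};

subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Expect success, because we're explicitly trusting the issuer certificate:
    # it is the trust anchor (-CAfile), so its own signature is never verified.
    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0);
};

subtest "=== OCSP API TESTS===" => sub {
    plan tests => 1;

    ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
       "running ocspapitest");
};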