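#!/bin/sh
#
# OCSP response verification regression tests.
#
# Each case base64-decodes a stored OCSP response from $ocspdir, verifies it
# with `openssl ocsp` against a single issuer certificate, and compares the
# exit status of the verifier with the status the case expects. The script
# stops with exit status 1 at the first mismatch and exits 0 when every case
# behaves as expected.
#
# Must be run from the directory that contains $ocspdir, because all paths
# below are relative.

# Wrapper plus binary under test. Deliberately expanded unquoted so that it
# splits into two words (plain sh has no arrays).
cmd='../util/shlib_wrap.sh ../apps/openssl'
ocspdir="ocsp-tests"
# Pin the verification time so we don't get certificate expiry errors.
# NOTE(review): the original comment says "17 December 2012", but the epoch
# value 1355875200 is 2012-12-19 00:00:00 UTC. The value is left unchanged.
check_time="-attime 1355875200"

# test_ocsp RESPONSE ISSUER EXPECTED
#
#   RESPONSE  base64-encoded OCSP response file, relative to $ocspdir
#   ISSUER    PEM certificate, relative to $ocspdir; passed both as the only
#             trusted certificate (-CAfile) and as -verify_other
#   EXPECTED  exit status the `ocsp` command must return (0 or 1 in this file)
#
# Exits the whole script with status 1 when the observed status differs from
# EXPECTED, or when a fixture file cannot be read.
test_ocsp () {
    resp="$ocspdir/$1"
    issuer="$ocspdir/$2"
    expected=$3

    # The comparison below cannot tell a verification failure from any other
    # error that makes `ocsp` exit with the same status, and the status of
    # the base64 stage of the pipeline is not visible in $?. An unreadable
    # fixture could therefore let an "expected 1" case pass for the wrong
    # reason, so refuse to run without both inputs.
    for fixture in "$resp" "$issuer"; do
        if [ ! -r "$fixture" ]; then
            echo "test_ocsp: cannot read fixture $fixture" >&2
            exit 1
        fi
    done

    # -CApath /dev/null: presumably keeps any certificate directory from
    # adding trust anchors, leaving ISSUER as the only trusted input.
    # $cmd and $check_time are word-split on purpose.
    # shellcheck disable=SC2086
    $cmd base64 -d -in "$resp" | \
    $cmd ocsp -respin - -partial_chain $check_time -trusted_first \
        -CAfile "$issuer" -verify_other "$issuer" -CApath /dev/null
    rc=$?

    if [ "$rc" != "$expected" ]; then
        echo "test_ocsp: $1 with $2: expected exit status $expected, got $rc" >&2
        exit 1
    fi
}


echo "=== VALID OCSP RESPONSES ==="
echo "NON-DELEGATED; Intermediate CA -> EE"
test_ocsp ND1.ors ND1_Issuer_ICA.pem 0
echo "NON-DELEGATED; Root CA -> Intermediate CA"
test_ocsp ND2.ors ND2_Issuer_Root.pem 0
echo "NON-DELEGATED; Root CA -> EE"
test_ocsp ND3.ors ND3_Issuer_Root.pem 0
echo "DELEGATED; Intermediate CA -> EE"
test_ocsp D1.ors D1_Issuer_ICA.pem 0
echo "DELEGATED; Root CA -> Intermediate CA"
test_ocsp D2.ors D2_Issuer_Root.pem 0
echo "DELEGATED; Root CA -> EE"
test_ocsp D3.ors D3_Issuer_Root.pem 0

echo "=== INVALID SIGNATURE on the OCSP RESPONSE ==="
echo "NON-DELEGATED; Intermediate CA -> EE"
test_ocsp ISOP_ND1.ors ND1_Issuer_ICA.pem 1
echo "NON-DELEGATED; Root CA -> Intermediate CA"
test_ocsp ISOP_ND2.ors ND2_Issuer_Root.pem 1
echo "NON-DELEGATED; Root CA -> EE"
test_ocsp ISOP_ND3.ors ND3_Issuer_Root.pem 1
echo "DELEGATED; Intermediate CA -> EE"
test_ocsp ISOP_D1.ors D1_Issuer_ICA.pem 1
echo "DELEGATED; Root CA -> Intermediate CA"
test_ocsp ISOP_D2.ors D2_Issuer_Root.pem 1
echo "DELEGATED; Root CA -> EE"
test_ocsp ISOP_D3.ors D3_Issuer_Root.pem 1

echo "=== WRONG RESPONDERID in the OCSP RESPONSE ==="
echo "NON-DELEGATED; Intermediate CA -> EE"
test_ocsp WRID_ND1.ors ND1_Issuer_ICA.pem 1
echo "NON-DELEGATED; Root CA -> Intermediate CA"
test_ocsp WRID_ND2.ors ND2_Issuer_Root.pem 1
echo "NON-DELEGATED; Root CA -> EE"
test_ocsp WRID_ND3.ors ND3_Issuer_Root.pem 1
echo "DELEGATED; Intermediate CA -> EE"
test_ocsp WRID_D1.ors D1_Issuer_ICA.pem 1
echo "DELEGATED; Root CA -> Intermediate CA"
test_ocsp WRID_D2.ors D2_Issuer_Root.pem 1
echo "DELEGATED; Root CA -> EE"
test_ocsp WRID_D3.ors D3_Issuer_Root.pem 1

echo "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ==="
echo "NON-DELEGATED; Intermediate CA -> EE"
test_ocsp WINH_ND1.ors ND1_Issuer_ICA.pem 1
echo "NON-DELEGATED; Root CA -> Intermediate CA"
test_ocsp WINH_ND2.ors ND2_Issuer_Root.pem 1
echo "NON-DELEGATED; Root CA -> EE"
test_ocsp WINH_ND3.ors ND3_Issuer_Root.pem 1
echo "DELEGATED; Intermediate CA -> EE"
test_ocsp WINH_D1.ors D1_Issuer_ICA.pem 1
echo "DELEGATED; Root CA -> Intermediate CA"
test_ocsp WINH_D2.ors D2_Issuer_Root.pem 1
echo "DELEGATED; Root CA -> EE"
test_ocsp WINH_D3.ors D3_Issuer_Root.pem 1

echo "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ==="
echo "NON-DELEGATED; Intermediate CA -> EE"
test_ocsp WIKH_ND1.ors ND1_Issuer_ICA.pem 1
echo "NON-DELEGATED; Root CA -> Intermediate CA"
test_ocsp WIKH_ND2.ors ND2_Issuer_Root.pem 1
echo "NON-DELEGATED; Root CA -> EE"
test_ocsp WIKH_ND3.ors ND3_Issuer_Root.pem 1
echo "DELEGATED; Intermediate CA -> EE"
test_ocsp WIKH_D1.ors D1_Issuer_ICA.pem 1
echo "DELEGATED; Root CA -> Intermediate CA"
test_ocsp WIKH_D2.ors D2_Issuer_Root.pem 1
echo "DELEGATED; Root CA -> EE"
test_ocsp WIKH_D3.ors D3_Issuer_Root.pem 1

echo "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ==="
echo "DELEGATED; Intermediate CA -> EE"
test_ocsp WKDOSC_D1.ors D1_Issuer_ICA.pem 1
echo "DELEGATED; Root CA -> Intermediate CA"
test_ocsp WKDOSC_D2.ors D2_Issuer_Root.pem 1
echo "DELEGATED; Root CA -> EE"
test_ocsp WKDOSC_D3.ors D3_Issuer_Root.pem 1

echo "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ==="
echo "DELEGATED; Intermediate CA -> EE"
test_ocsp ISDOSC_D1.ors D1_Issuer_ICA.pem 1
echo "DELEGATED; Root CA -> Intermediate CA"
test_ocsp ISDOSC_D2.ors D2_Issuer_Root.pem 1
echo "DELEGATED; Root CA -> EE"
test_ocsp ISDOSC_D3.ors D3_Issuer_Root.pem 1

echo "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ==="
echo "NON-DELEGATED; Intermediate CA -> EE"
test_ocsp ND1.ors WSNIC_ND1_Issuer_ICA.pem 1
echo "NON-DELEGATED; Root CA -> Intermediate CA"
test_ocsp ND2.ors WSNIC_ND2_Issuer_Root.pem 1
echo "NON-DELEGATED; Root CA -> EE"
test_ocsp ND3.ors WSNIC_ND3_Issuer_Root.pem 1
echo "DELEGATED; Intermediate CA -> EE"
test_ocsp D1.ors WSNIC_D1_Issuer_ICA.pem 1
echo "DELEGATED; Root CA -> Intermediate CA"
test_ocsp D2.ors WSNIC_D2_Issuer_Root.pem 1
echo "DELEGATED; Root CA -> EE"
test_ocsp D3.ors WSNIC_D3_Issuer_Root.pem 1

echo "=== WRONG KEY in the ISSUER CERTIFICATE ==="
echo "NON-DELEGATED; Intermediate CA -> EE"
test_ocsp ND1.ors WKIC_ND1_Issuer_ICA.pem 1
echo "NON-DELEGATED; Root CA -> Intermediate CA"
test_ocsp ND2.ors WKIC_ND2_Issuer_Root.pem 1
echo "NON-DELEGATED; Root CA -> EE"
test_ocsp ND3.ors WKIC_ND3_Issuer_Root.pem 1
echo "DELEGATED; Intermediate CA -> EE"
test_ocsp D1.ors WKIC_D1_Issuer_ICA.pem 1
echo "DELEGATED; Root CA -> Intermediate CA"
test_ocsp D2.ors WKIC_D2_Issuer_Root.pem 1
echo "DELEGATED; Root CA -> EE"
test_ocsp D3.ors WKIC_D3_Issuer_Root.pem 1

echo "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ==="
# Expect success, because we're explicitly trusting the issuer certificate.
# These cases pin down that a certificate supplied as trusted is accepted even
# though its own signature is invalid, so whatever is placed in the trusted
# set has to be authenticated by other means before it is used.
echo "NON-DELEGATED; Intermediate CA -> EE"
test_ocsp ND1.ors ISIC_ND1_Issuer_ICA.pem 0
echo "NON-DELEGATED; Root CA -> Intermediate CA"
test_ocsp ND2.ors ISIC_ND2_Issuer_Root.pem 0
echo "NON-DELEGATED; Root CA -> EE"
test_ocsp ND3.ors ISIC_ND3_Issuer_Root.pem 0
echo "DELEGATED; Intermediate CA -> EE"
test_ocsp D1.ors ISIC_D1_Issuer_ICA.pem 0
echo "DELEGATED; Root CA -> Intermediate CA"
test_ocsp D2.ors ISIC_D2_Issuer_Root.pem 0
echo "DELEGATED; Root CA -> EE"
test_ocsp D3.ors ISIC_D3_Issuer_Root.pem 0

echo "ALL OCSP TESTS SUCCESSFUL"
exit 0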