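#! /usr/bin/env perl
# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Basename;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
use OpenSSL::Test::Utils;

setup("test_ocsp");

plan skip_all => "OCSP is not supported by this OpenSSL build"
    if disabled("ocsp");

# All fixtures (base64 OCSP responses "*.ors" and PEM issuer/responder
# certificates) live under test/ocsp-tests in the source tree.
my $ocspdir=srctop_dir("test", "ocsp-tests");
# 17 December 2012 so we don't get certificate expiry errors.
my @check_time=("-attime", "1355875200");

# Decode one base64-encoded OCSP response fixture and verify it with
# "openssl ocsp", asserting on the exit status of that verification.
#
#   $title         - description used as the ok() label
#   $inputfile     - base64 OCSP response ("*.ors") relative to $ocspdir
#   $CAfile        - PEM file passed as -CAfile; with -partial_chain an
#                    intermediate CA in this file can serve as the trust
#                    anchor (see the ND1/D1 cases below)
#   $untrusted     - PEM file passed as -verify_other (extra certificates
#                    for chain building); "" means "reuse $CAfile"
#   $expected_exit - exit status "openssl ocsp" must return for the test
#                    to pass (0 = response accepted, 1 = rejected)
#   $nochecks      - when true, add -no_cert_checks, which relaxes the
#                    additional checks on the responder certificate (see
#                    openssl-ocsp(1)); used only in the ISDOSC subtest
#
# Emits exactly one test result, so callers' plan counts are unaffected.
sub test_ocsp {
    my $title = shift;
    my $inputfile = shift;
    my $CAfile = shift;
    my $untrusted = shift;
    if ($untrusted eq "") {
        $untrusted = $CAfile;
    }
    my $expected_exit = shift;
    my $nochecks = shift;
    my $outputfile = basename($inputfile, '.ors') . '.dat';

    # The decode step must be checked: if it failed silently, "openssl ocsp"
    # would exit non-zero because $outputfile is missing or truncated, and
    # every subtest that expects exit status 1 (rejected response) would
    # pass for the wrong reason, masking a broken negative test.
    unless (run(app(["openssl", "base64", "-d",
                     "-in", catfile($ocspdir,$inputfile),
                     "-out", $outputfile]))) {
        fail("$title (failed to decode $inputfile)");
        return;
    }

    # -no-CApath/-no-CAstore keep the host's trust store out of the
    # verification, so the only trust input is $CAfile and the outcome
    # depends purely on the fixtures; @check_time pins the clock.
    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub { ok(run(app(["openssl", "ocsp", "-respin", $outputfile,
                           "-partial_chain", @check_time,
                           "-CAfile", catfile($ocspdir, $CAfile),
                           "-verify_other", catfile($ocspdir, $untrusted),
                           "-no-CApath", "-no-CAstore",
                           $nochecks ? "-no_cert_checks" : ()])),
                  $title); });
}

plan tests => 11;

# Well-formed responses: NON-DELEGATED (signed by the issuer CA itself) and
# DELEGATED (signed by a separate OCSP signing certificate) must verify.
subtest "=== VALID OCSP RESPONSES ===" => sub {
    plan tests => 7;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0);
    # Trust anchor is a cross-signing root; the intermediate is supplied
    # only as an untrusted chain-building certificate.
    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "D2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "D3_Issuer_Root.pem", "", 0, 0);
};

# A response whose signature does not verify must be rejected (exit 1).
subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

# The responderID must identify the certificate that actually signed the
# response; a mismatch must be rejected.
subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

# The CertID's issuerNameHash must match the issuer we supplied; otherwise
# the status could be about a certificate from a different issuer.
subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

# Same as above for the CertID's issuerKeyHash.
subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

# A delegated signing certificate carrying a key other than the one that
# signed the response must not be accepted as the responder.
subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

# A delegated signing certificate whose own signature is invalid must be
# rejected; the second half repeats the cases with -no_cert_checks and
# still expects rejection, i.e. that option must not bypass this check.
subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1);
};

# From here on the responses are the valid ones; it is the supplied issuer
# certificate that is wrong. A trusted issuer whose subject does not match
# must not be able to vouch for the response.
subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0);
};

# A trusted issuer certificate with the right name but a different key
# must not be able to vouch for the response.
subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Expect success, because we're explicitly trusting the issuer certificate.
    # A trust anchor's own signature is never verified, so a broken signature
    # on the -CAfile certificate has no effect on the outcome.
    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
};

# Library-level API checks live in test/ocspapitest.c; it is handed the
# cert/key fixtures from this recipe's data directory.
subtest "=== OCSP API TESTS===" => sub {
    plan tests => 1;

    ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
       "running ocspapitest");
};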