1#! /usr/bin/env perl
2# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9
10use strict;
11use warnings;
12
13use POSIX;
14use File::Spec::Functions qw/devnull catfile/;
15use File::Basename;
16use File::Copy;
17use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
18use OpenSSL::Test::Utils;
19
20setup("test_ocsp");
21
22plan skip_all => "OCSP is not supported by this OpenSSL build"
23    if disabled("ocsp");
24
25my $ocspdir=srctop_dir("test", "ocsp-tests");
26# 17 December 2012 so we don't get certificate expiry errors.
27my @check_time=("-attime", "1355875200");
28
29sub test_ocsp {
30    my $title = shift;
31    my $inputfile = shift;
32    my $CAfile = shift;
33    my $untrusted = shift;
34    if ($untrusted eq "") {
35        $untrusted = $CAfile;
36    }
37    my $expected_exit = shift;
38    my $outputfile = basename($inputfile, '.ors') . '.dat';
39
40    run(app(["openssl", "base64", "-d",
41             "-in", catfile($ocspdir,$inputfile),
42             "-out", $outputfile]));
43    with({ exit_checker => sub { return shift == $expected_exit; } },
44         sub { ok(run(app(["openssl", "ocsp", "-respin", $outputfile,
45                           "-partial_chain", @check_time,
46                           "-CAfile", catfile($ocspdir, $CAfile),
47                           "-verify_other", catfile($ocspdir, $untrusted),
48                           "-no-CApath", "-no-CAstore"])),
49                  $title); });
50}
51
52plan tests => 11;
53
54subtest "=== VALID OCSP RESPONSES ===" => sub {
55    plan tests => 7;
56
57    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
58              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0);
59    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
60              "ND2.ors", "ND2_Issuer_Root.pem", "", 0);
61    test_ocsp("NON-DELEGATED; Root CA -> EE",
62              "ND3.ors", "ND3_Issuer_Root.pem", "", 0);
63    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
64              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0);
65    test_ocsp("DELEGATED; Intermediate CA -> EE",
66              "D1.ors", "D1_Issuer_ICA.pem", "", 0);
67    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
68              "D2.ors", "D2_Issuer_Root.pem", "", 0);
69    test_ocsp("DELEGATED; Root CA -> EE",
70              "D3.ors", "D3_Issuer_Root.pem", "", 0);
71};
72
73subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
74    plan tests => 6;
75
76    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
77              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
78    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
79              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
80    test_ocsp("NON-DELEGATED; Root CA -> EE",
81              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
82    test_ocsp("DELEGATED; Intermediate CA -> EE",
83              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1);
84    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
85              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1);
86    test_ocsp("DELEGATED; Root CA -> EE",
87              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1);
88};
89
90subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
91    plan tests => 6;
92
93    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
94              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
95    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
96              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
97    test_ocsp("NON-DELEGATED; Root CA -> EE",
98              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
99    test_ocsp("DELEGATED; Intermediate CA -> EE",
100              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1);
101    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
102              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1);
103    test_ocsp("DELEGATED; Root CA -> EE",
104              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1);
105};
106
107subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
108    plan tests => 6;
109
110    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
111              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
112    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
113              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
114    test_ocsp("NON-DELEGATED; Root CA -> EE",
115              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
116    test_ocsp("DELEGATED; Intermediate CA -> EE",
117              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
118    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
119              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1);
120    test_ocsp("DELEGATED; Root CA -> EE",
121              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1);
122};
123
124subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
125    plan tests => 6;
126
127    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
128              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
129    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
130              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
131    test_ocsp("NON-DELEGATED; Root CA -> EE",
132              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
133    test_ocsp("DELEGATED; Intermediate CA -> EE",
134              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
135    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
136              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1);
137    test_ocsp("DELEGATED; Root CA -> EE",
138              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1);
139};
140
141subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
142    plan tests => 3;
143
144    test_ocsp("DELEGATED; Intermediate CA -> EE",
145              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
146    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
147              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
148    test_ocsp("DELEGATED; Root CA -> EE",
149              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
150};
151
152subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
153    plan tests => 3;
154
155    test_ocsp("DELEGATED; Intermediate CA -> EE",
156              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
157    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
158              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
159    test_ocsp("DELEGATED; Root CA -> EE",
160              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
161};
162
163subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
164    plan tests => 6;
165
166    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
167              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1);
168    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
169              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1);
170    test_ocsp("NON-DELEGATED; Root CA -> EE",
171              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1);
172    test_ocsp("DELEGATED; Intermediate CA -> EE",
173              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1);
174    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
175              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1);
176    test_ocsp("DELEGATED; Root CA -> EE",
177              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1);
178};
179
180subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
181    plan tests => 6;
182
183    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
184              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1);
185    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
186              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1);
187    test_ocsp("NON-DELEGATED; Root CA -> EE",
188              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1);
189    test_ocsp("DELEGATED; Intermediate CA -> EE",
190              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1);
191    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
192              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1);
193    test_ocsp("DELEGATED; Root CA -> EE",
194              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1);
195};
196
197subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
198    plan tests => 6;
199
200    # Expect success, because we're explicitly trusting the issuer certificate.
201    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
202              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0);
203    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
204              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0);
205    test_ocsp("NON-DELEGATED; Root CA -> EE",
206              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0);
207    test_ocsp("DELEGATED; Intermediate CA -> EE",
208              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0);
209    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
210              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0);
211    test_ocsp("DELEGATED; Root CA -> EE",
212              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0);
213};
214
215subtest "=== OCSP API TESTS===" => sub {
216    plan tests => 1;
217
218    ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
219                 "running ocspapitest");
220}
221