1#! /usr/bin/env perl
2# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9
10use strict;
11use warnings;
12
13use POSIX;
14use File::Spec::Functions qw/devnull catfile/;
15use File::Basename;
16use File::Copy;
17use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
18use OpenSSL::Test::Utils;
19
20setup("test_ocsp");
21
22plan skip_all => "OCSP is not supported by this OpenSSL build"
23    if disabled("ocsp");
24
25my $ocspdir=srctop_dir("test", "ocsp-tests");
26# 17 December 2012 so we don't get certificate expiry errors.
27my @check_time=("-attime", "1355875200");
28
29sub test_ocsp {
30    my $title = shift;
31    my $inputfile = shift;
32    my $CAfile = shift;
33    my $untrusted = shift;
34    if ($untrusted eq "") {
35        $untrusted = $CAfile;
36    }
37    my $expected_exit = shift;
38    my $nochecks = shift;
39    my $outputfile = basename($inputfile, '.ors') . '.dat';
40
41    run(app(["openssl", "base64", "-d",
42             "-in", catfile($ocspdir,$inputfile),
43             "-out", $outputfile]));
44    with({ exit_checker => sub { return shift == $expected_exit; } },
45         sub { ok(run(app(["openssl", "ocsp", "-respin", $outputfile,
46                           "-partial_chain", @check_time,
47                           "-CAfile", catfile($ocspdir, $CAfile),
48                           "-verify_other", catfile($ocspdir, $untrusted),
49                           "-no-CApath", "-no-CAstore",
50                           $nochecks ? "-no_cert_checks" : ()])),
51                  $title); });
52}
53
54plan tests => 11;
55
56subtest "=== VALID OCSP RESPONSES ===" => sub {
57    plan tests => 7;
58
59    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
60              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0);
61    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
62              "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0);
63    test_ocsp("NON-DELEGATED; Root CA -> EE",
64              "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0);
65    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
66              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0);
67    test_ocsp("DELEGATED; Intermediate CA -> EE",
68              "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0);
69    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
70              "D2.ors", "D2_Issuer_Root.pem", "", 0, 0);
71    test_ocsp("DELEGATED; Root CA -> EE",
72              "D3.ors", "D3_Issuer_Root.pem", "", 0, 0);
73};
74
75subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
76    plan tests => 6;
77
78    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
79              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
80    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
81              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
82    test_ocsp("NON-DELEGATED; Root CA -> EE",
83              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
84    test_ocsp("DELEGATED; Intermediate CA -> EE",
85              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
86    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
87              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
88    test_ocsp("DELEGATED; Root CA -> EE",
89              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
90};
91
92subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
93    plan tests => 6;
94
95    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
96              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
97    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
98              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
99    test_ocsp("NON-DELEGATED; Root CA -> EE",
100              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
101    test_ocsp("DELEGATED; Intermediate CA -> EE",
102              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
103    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
104              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
105    test_ocsp("DELEGATED; Root CA -> EE",
106              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
107};
108
109subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
110    plan tests => 6;
111
112    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
113              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
114    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
115              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
116    test_ocsp("NON-DELEGATED; Root CA -> EE",
117              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
118    test_ocsp("DELEGATED; Intermediate CA -> EE",
119              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
120    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
121              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
122    test_ocsp("DELEGATED; Root CA -> EE",
123              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
124};
125
126subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
127    plan tests => 6;
128
129    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
130              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
131    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
132              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
133    test_ocsp("NON-DELEGATED; Root CA -> EE",
134              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
135    test_ocsp("DELEGATED; Intermediate CA -> EE",
136              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
137    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
138              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
139    test_ocsp("DELEGATED; Root CA -> EE",
140              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
141};
142
143subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
144    plan tests => 3;
145
146    test_ocsp("DELEGATED; Intermediate CA -> EE",
147              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
148    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
149              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
150    test_ocsp("DELEGATED; Root CA -> EE",
151              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
152};
153
154subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
155    plan tests => 6;
156
157    test_ocsp("DELEGATED; Intermediate CA -> EE",
158              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
159    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
160              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
161    test_ocsp("DELEGATED; Root CA -> EE",
162              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
163    test_ocsp("DELEGATED; Intermediate CA -> EE",
164              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1);
165    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
166              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1);
167    test_ocsp("DELEGATED; Root CA -> EE",
168              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1);
169};
170
171subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
172    plan tests => 6;
173
174    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
175              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0);
176    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
177              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0);
178    test_ocsp("NON-DELEGATED; Root CA -> EE",
179              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0);
180    test_ocsp("DELEGATED; Intermediate CA -> EE",
181              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0);
182    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
183              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0);
184    test_ocsp("DELEGATED; Root CA -> EE",
185              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0);
186};
187
188subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
189    plan tests => 6;
190
191    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
192              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0);
193    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
194              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0);
195    test_ocsp("NON-DELEGATED; Root CA -> EE",
196              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0);
197    test_ocsp("DELEGATED; Intermediate CA -> EE",
198              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0);
199    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
200              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0);
201    test_ocsp("DELEGATED; Root CA -> EE",
202              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0);
203};
204
205subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
206    plan tests => 6;
207
208    # Expect success, because we're explicitly trusting the issuer certificate.
209    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
210              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0);
211    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
212              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0);
213    test_ocsp("NON-DELEGATED; Root CA -> EE",
214              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0);
215    test_ocsp("DELEGATED; Intermediate CA -> EE",
216              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0);
217    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
218              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0);
219    test_ocsp("DELEGATED; Root CA -> EE",
220              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
221};
222
223subtest "=== OCSP API TESTS===" => sub {
224    plan tests => 1;
225
226    ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
227                 "running ocspapitest");
228}
229