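#! /usr/bin/env perl
# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Basename;
use File::Copy;
use File::Compare qw/compare/;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
use OpenSSL::Test::Utils;

setup("test_ocsp");

plan skip_all => "OCSP is not supported by this OpenSSL build"
    if disabled("ocsp");

# Directory holding the base64-encoded OCSP responses (*.ors) and the
# issuer / trust-anchor certificates (*.pem) used below.
my $ocspdir = srctop_dir("test", "ocsp-tests");

# Pin the verification time (1355875200 = 19 December 2012 00:00 UTC) so
# the long-expired fixture certificates do not trigger expiry errors and
# the tests stay reproducible regardless of the wall clock.
my @check_time = ("-attime", "1355875200");

# Decode one fixture response and verify it with "openssl ocsp".
#
#   $title          - description used as the test name
#   $inputfile      - base64-encoded OCSP response under $ocspdir
#   $CAfile         - certificate passed as the (explicitly trusted) CA
#   $untrusted      - extra certificate for -verify_other; "" means "use $CAfile"
#   $expected_exit  - exit status "openssl ocsp" must return (0 = verified)
#   $nochecks       - true to add -no_cert_checks
#
# Exactly one test result is emitted per call.  The decoded response is
# left in the working directory as <basename>.dat; the final subtest
# reuses ND1.dat produced by the first subtest.
#
# The decode step is checked explicitly: if the fixture cannot be decoded,
# "openssl ocsp -respin" would fail anyway, and for the negative subtests
# (expected exit 1) that failure would otherwise be mistaken for the
# verification failure under test, i.e. a broken fixture would pass.
sub test_ocsp {
    my ($title, $inputfile, $CAfile, $untrusted, $expected_exit, $nochecks) = @_;

    $untrusted = $CAfile
        if !defined $untrusted || $untrusted eq "";

    my $outputfile = basename($inputfile, '.ors') . '.dat';

    unless (run(app(["openssl", "base64", "-d",
                     "-in", catfile($ocspdir, $inputfile),
                     "-out", $outputfile]))) {
        ok(0, "$title (could not decode $inputfile)");
        return;
    }

    # -partial_chain lets $CAfile act as the trust anchor even if it is not
    # self-signed; -no-CApath/-no-CAstore keep the default trust stores out
    # of the verification so only the fixture certificates are consulted.
    my @ocsp_cmd = ("openssl", "ocsp", "-respin", $outputfile,
                    "-partial_chain", @check_time,
                    "-CAfile", catfile($ocspdir, $CAfile),
                    "-verify_other", catfile($ocspdir, $untrusted),
                    "-no-CApath", "-no-CAstore");
    push @ocsp_cmd, "-no_cert_checks" if $nochecks;

    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub { ok(run(app(\@ocsp_cmd)), $title); });
    return;
}

plan tests => 12;

subtest "=== VALID OCSP RESPONSES ===" => sub {
    plan tests => 7;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0);
    # Trust anchor is a cross-certified root; the issuing ICA is supplied
    # separately as an untrusted intermediate.
    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "D2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "D3_Issuer_Root.pem", "", 0, 0);
};

subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
    # Same responses with -no_cert_checks: a forged signature on the
    # delegated signer's certificate must still be rejected.
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1);
};

subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Expect success: the issuer certificate is passed via -CAfile and is
    # therefore explicitly trusted, so its own signature is never checked.
    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
};

my $cert = data_file("cert.pem");
my $key = data_file("key.pem");
subtest "=== OCSP API TESTS===" => sub {
    plan tests => 1;

    ok(run(test(["ocspapitest", $cert, $key])),
       "running ocspapitest");
};

# "openssl ocsp" must cope with the same path given as both input and
# output: the file has to be fully read before it is rewritten, and the
# rewritten copy must be byte-identical to the original.
subtest "=== OCSP handling of identical input and output files ===" => sub {
    plan tests => 5;

    my $inout1 = "req.der";
    my $backup1 = "backup.der";
    ok(run(app(['openssl', 'ocsp', '-issuer', $cert, '-cert', $cert,
                '-reqout', $inout1])), "produce dummy request input");
    # An unchecked copy would make the later compare meaningless.
    copy($inout1, $backup1)
        or die "cannot copy $inout1 to $backup1: $!";
    ok(run(app(['openssl', 'ocsp', '-reqin', $inout1, '-reqout', $inout1])),
       "rewrite request $inout1 in place");
    ok(!compare($inout1, $backup1), "copied request $inout1 did not change");

    # ND1.dat was decoded by the first subtest above.
    my $inout2 = "ND1.dat";
    my $backup2 = "backup.dat";
    copy($inout2, $backup2)
        or die "cannot copy $inout2 to $backup2: $!";
    # -noverify: only the round-trip is under test here, not validity.
    ok(run(app(['openssl', 'ocsp', '-respin', $inout2, '-respout', $inout2,
                '-noverify'])),
       "rewrite response $inout2 in place");
    ok(!compare($inout2, $backup2), "copied response $inout2 did not change");
};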