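#! /usr/bin/env perl
# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Test recipe for OCSP response verification.  Each case decodes a stored,
# base64-encoded OCSP response and runs "openssl ocsp -respin" against it
# with a fixture CA file, comparing the exit status with the expected one.

use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Basename;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
use OpenSSL::Test::Utils;

setup("test_ocsp");

plan skip_all => "OCSP is not supported by this OpenSSL build"
    if disabled("ocsp");

# Directory holding the .ors responses and .pem issuer certificates.
my $ocspdir = srctop_dir("test", "ocsp-tests");

# Verify as of a fixed time in December 2012 (epoch 1355875200 is
# 2012-12-19 00:00:00 UTC) so we don't get certificate expiry errors.
my @check_time = ("-attime", "1355875200");

# test_ocsp(TITLE, INPUTFILE, CAFILE, UNTRUSTED, EXPECTED_EXIT, NOCHECKS)
#
# Emits exactly one test result named TITLE.
#
#   INPUTFILE      base64-encoded OCSP response (*.ors) under $ocspdir
#   CAFILE         file under $ocspdir passed to -CAfile
#   UNTRUSTED      file under $ocspdir passed to -verify_other; "" means
#                  reuse CAFILE
#   EXPECTED_EXIT  exit status "openssl ocsp" must return (0 accept,
#                  1 reject in the cases below)
#   NOCHECKS       true to add -no_cert_checks
#
# -no-CApath and -no-CAstore are always passed, so only the fixture file
# named by CAFILE is offered as a trust source; -partial_chain is always
# passed as well.
sub test_ocsp {
    my ($title, $inputfile, $CAfile, $untrusted, $expected_exit, $nochecks)
        = @_;

    if ($untrusted eq "") {
        $untrusted = $CAfile;
    }
    my $outputfile = basename($inputfile, '.ors') . '.dat';

    # Only the exit status of the verification is compared, so a negative
    # case (expected exit 1) would also "pass" if the response could not be
    # decoded at all.  Fail the case here instead of letting a missing or
    # corrupt fixture count as a correctly rejected response.
    my $decoded = run(app(["openssl", "base64", "-d",
                           "-in", catfile($ocspdir, $inputfile),
                           "-out", $outputfile]));
    unless ($decoded) {
        ok(0, "$title (could not base64-decode $inputfile)");
        return;
    }

    with({ exit_checker => sub { return shift == $expected_exit; } },
         sub { ok(run(app(["openssl", "ocsp", "-respin", $outputfile,
                           "-partial_chain", @check_time,
                           "-CAfile", catfile($ocspdir, $CAfile),
                           "-verify_other", catfile($ocspdir, $untrusted),
                           "-no-CApath", "-no-CAstore",
                           $nochecks ? "-no_cert_checks" : ()])),
                  $title); });
}

plan tests => 11;

subtest "=== VALID OCSP RESPONSES ===" => sub {
    plan tests => 7;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "D2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "D3_Issuer_Root.pem", "", 0, 0);
};

subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 3;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
    # The same three responses again with -no_cert_checks; rejection is
    # still expected.
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1);
    test_ocsp("DELEGATED; Root CA -> EE",
              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1);
};

subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0);
};

subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
    plan tests => 6;

    # Expect success, because we're explicitly trusting the issuer certificate.
    test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("NON-DELEGATED; Root CA -> EE",
              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Intermediate CA -> EE",
              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0);
    test_ocsp("DELEGATED; Root CA -> EE",
              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
};

subtest "=== OCSP API TESTS===" => sub {
    plan tests => 1;

    ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
       "running ocspapitest");
};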