author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-10-16 16:05:15 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-02-19 15:29:37 +0100 |
commit | db486d97c53725fe7917f1a4cb272e7e83536021 (patch) | |
tree | f8d3c168cc3d46d2d47ee5fc921349a292abf7d1 /tests | |
parent | 8e96ba96acc105dc7882626e688d2602cc934474 (diff) | |
download | gnutls-db486d97c53725fe7917f1a4cb272e7e83536021.tar.gz |
tests: enhanced OCSP tests
* Run tests under TLS1.2 and TLS1.3
* Verify whether multiple OCSP responses are received on the client
side, under TLS1.3.
* Verify that OCSP status responses can be sent by
client under TLS1.3
* Verify operation of gnutls_certificate_retrieve_function3
* Verify operation when multiple OCSP responses by file are set
Resolves #307
Resolves #291
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Makefile.am | 10 | ||||
-rwxr-xr-x | tests/gnutls-cli-save-data.sh | 11 | ||||
-rw-r--r-- | tests/ocsp-common.h | 578 | ||||
-rwxr-xr-x | tests/ocsp-tests/ocsp-must-staple-connection | 27 | ||||
-rw-r--r-- | tests/set_x509_key_file_ocsp.c | 234 | ||||
-rw-r--r-- | tests/set_x509_key_file_ocsp_multi2.c | 16 | ||||
-rw-r--r-- | tests/set_x509_ocsp_multi_invalid.c (renamed from tests/set_x509_key_file_ocsp_multi.c) | 41 | ||||
-rw-r--r-- | tests/set_x509_ocsp_multi_pem.c | 190 | ||||
-rw-r--r-- | tests/set_x509_ocsp_multi_unknown.c | 237 | ||||
-rw-r--r-- | tests/tls13/multi-ocsp.c | 211 | ||||
-rw-r--r-- | tests/tls13/ocsp-client.c | 221 | ||||
-rw-r--r-- | tests/utils-adv.c | 2 | ||||
-rw-r--r-- | tests/utils.h | 11 | ||||
-rw-r--r-- | tests/x509-cert-callback-ocsp.c | 238 |
14 files changed, 1990 insertions, 37 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 83f0bab0ba..f42b88f372 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -32,6 +32,7 @@ SUBDIRS += suite
 endif
 EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
+ ocsp-common.h \
 certs/ca-cert-ecc.pem certs/cert-ecc256.pem certs/cert-ecc521.pem \
 certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem hex.h \
 certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \
@@ -106,6 +107,10 @@ ctests += tls13/key_update
 ctests += tls13/key_limits
+ctests += tls13/multi-ocsp
+
+ctests += tls13/ocsp-client
+
 ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniqueid tls-neg-ext-key \
 mpi certificate_set_x509_crl dn parse_ca x509-dn x509-dn-decode record-sizes \
 hostname-check cve-2008-4989 pkcs12_s2k chainverify record-sizes-range \
@@ -137,7 +142,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
 tls-ext-register tls-supplemental mini-dtls0-9 duplicate-extensions \
 mini-record-retvals mini-server-name tls-etm x509-cert-callback \
 client-sign-md5-rep tls12-invalid-key-exchanges session-rdn-read \
- tls13-cert-key-exchange \
+ tls13-cert-key-exchange x509-cert-callback-ocsp \
 server-sign-md5-rep privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \
 x509sign-verify-rsa x509sign-verify-ecdsa mini-alignment oids atfork prf psk-file \
 status-request status-request-ok status-request-missing sign-verify-ext \
@@ -161,7 +166,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
 set_x509_key_file_ocsp client-fastopen rng-sigint srp rng-pthread \
 safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
 safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
- rsa-illegal-import set_x509_key_file_ocsp_multi set_key set_x509_key_file_ocsp_multi2 \
+ rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \
+ set_x509_ocsp_multi_unknown set_x509_ocsp_multi_pem \
 set_key_utf8 set_x509_key_utf8 insecure_key handshake-large-packet \
 client_dsa_key server_ecdsa_key tls-session-ext-register tls-session-supplemental \
 multi-alerts naked-alerts pkcs7-cat-parse set_known_dh_params_x509 \
diff --git a/tests/gnutls-cli-save-data.sh b/tests/gnutls-cli-save-data.sh
index 767453ea02..29a2c081b6 100755
--- a/tests/gnutls-cli-save-data.sh
+++ b/tests/gnutls-cli-save-data.sh
@@ -56,7 +56,7 @@ TMPFILE1=save-data1.$$.tmp
 TMPFILE2=save-data2.$$.tmp
 eval "${GETPORT}"
-launch_server $$ --echo --x509keyfile ${KEY1} --x509certfile ${CERT1} --ocsp-response=${OCSP1}
+launch_server $$ --echo --x509keyfile ${KEY1} --x509certfile ${CERT1} --ocsp-response=${OCSP1} --ignore-ocsp-response-errors -d 6
 PID=$!
 wait_server ${PID}
@@ -67,8 +67,13 @@ ${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --save-cert ${TMPFILE1} --save-ocsp
 kill ${PID}
 wait
-if ! test -f ${TMPFILE1} || ! test -f ${TMPFILE2};then
- echo "Could not retrieve OCSP response or certificate"
+if ! test -f ${TMPFILE1};then
+ echo "Could not retrieve certificate"
+ exit 1
+fi
+
+if ! test -f ${TMPFILE2};then
+ echo "Could not retrieve OCSP response"
 exit 1
 fi
diff --git a/tests/ocsp-common.h b/tests/ocsp-common.h
new file mode 100644
index 0000000000..81b3e43b16
--- /dev/null
+++ b/tests/ocsp-common.h
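Review bot: The `launch_server` line now also passes `-d 6`, which turns on verbose server debug output for every run of this test; if it is a leftover from debugging the `--ignore-ocsp-response-errors` change it should be dropped, otherwise a comment on the line above should say why it stays (`# -d 6: keep server debug output in the log for diagnosing staple failures`). Judging by its name, `--ignore-ocsp-response-errors` also means the server no longer refuses to start when `${OCSP1}` fails its own checks, so the test now only proves that the client saves whatever response the server staples, which is worth a one-line comment next to the flag. The script continues outside the hunk.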
@@ -0,0 +1,578 @@
+/*
+ * Copyright (C) 2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#ifndef OCSP_COMMON_H
+#define OCSP_COMMON_H
+
+/* Date for responses to be valid */
+#define OCSP_RESP_DATE 1508329639
+
+/* ocsp response with unknown status for
+ * server_ca3_localhost6_cert. Signed with
+ * RSA-SHA256.
+ */ +static const char _ocsp_ca3_localhost6_unknown[] = { + 0x30, 0x82, 0x02, 0x3A, 0x0A, 0x01, 0x00, 0xA0, + 0x82, 0x02, 0x33, 0x30, 0x82, 0x02, 0x2F, 0x06, + 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x01, 0x04, 0x82, 0x02, 0x20, 0x30, 0x82, + 0x02, 0x1C, 0x30, 0x81, 0x85, 0xA1, 0x14, 0x30, + 0x12, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x13, 0x07, 0x73, 0x75, 0x62, 0x43, + 0x41, 0x2D, 0x33, 0x18, 0x0F, 0x32, 0x30, 0x31, + 0x37, 0x31, 0x30, 0x31, 0x38, 0x31, 0x32, 0x32, + 0x30, 0x34, 0x39, 0x5A, 0x30, 0x5C, 0x30, 0x5A, + 0x30, 0x45, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, + 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14, 0xB2, + 0xE6, 0x5C, 0x8E, 0x6E, 0x83, 0x4B, 0xBD, 0x11, + 0xD9, 0x97, 0xFA, 0x36, 0x93, 0x59, 0x9E, 0xAD, + 0x5C, 0x15, 0xC4, 0x04, 0x14, 0x9E, 0x91, 0xEC, + 0x8C, 0xAA, 0x24, 0x5B, 0x22, 0xE0, 0xE8, 0x11, + 0xE8, 0xE9, 0xA4, 0x91, 0xB5, 0x91, 0x26, 0x00, + 0xF1, 0x02, 0x0C, 0x57, 0xA3, 0x1D, 0x32, 0x37, + 0x64, 0x58, 0xFA, 0x7B, 0x52, 0x6F, 0xD7, 0x82, + 0x00, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x31, + 0x30, 0x31, 0x38, 0x31, 0x32, 0x32, 0x30, 0x34, + 0x39, 0x5A, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, + 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x81, 0x00, 0x98, 0x3C, + 0xFF, 0xD1, 0x76, 0x93, 0xB0, 0xDD, 0x42, 0xCA, + 0x8C, 0x7D, 0x4F, 0x9F, 0xE7, 0x78, 0x14, 0x1D, + 0x90, 0x25, 0x67, 0x34, 0x51, 0x3C, 0xF6, 0x10, + 0x7E, 0xB9, 0x8C, 0x19, 0xF4, 0x9A, 0x32, 0x6A, + 0xFD, 0x5B, 0x77, 0xE9, 0x0A, 0xB2, 0xCD, 0x31, + 0x5E, 0x0F, 0x5B, 0x11, 0xA7, 0x75, 0x38, 0x7B, + 0x01, 0xFA, 0x2B, 0x68, 0x2C, 0x14, 0x6F, 0xAF, + 0x90, 0xC9, 0x69, 0x67, 0x13, 0x70, 0x78, 0x51, + 0x44, 0x0B, 0xA6, 0x16, 0x84, 0x6B, 0x09, 0xC3, + 0x27, 0xFF, 0x06, 0x25, 0x90, 0x27, 0x08, 0x87, + 0x23, 0xCB, 0x1A, 0x56, 0x61, 0x9E, 0x28, 0x9C, + 0x42, 0x19, 0xEA, 0x93, 0x7C, 0x05, 0x14, 0x04, + 0x7F, 0xC7, 0x1C, 0x40, 0xDD, 0x35, 0xC6, 0x50, + 0x79, 0x46, 0xD7, 0x6A, 0xB1, 0x59, 0xAF, 0xC6, + 0xDA, 0x0C, 0xD2, 0x1B, 0xAC, 0x3B, 
0x46, 0x09, + 0x0E, 0x7B, 0x02, 0xC3, 0x01, 0x55, 0x5E, 0xE9, + 0x4F, 0x10, 0x58, 0x16, 0xB8, 0x54, 0xA8, 0x54, + 0xBB, 0x31, 0xEB, 0x99, 0x64, 0x73, 0xEE, 0x3F, + 0x44, 0xCE, 0xBB, 0xF9, 0x0A, 0xDB, 0x36, 0x90, + 0x51, 0x80, 0xAA, 0xE1, 0x6F, 0xC3, 0x00, 0x13, + 0x65, 0x80, 0x36, 0x3A, 0x63, 0x48, 0x05, 0x52, + 0x7F, 0x91, 0x96, 0xB0, 0x7F, 0x53, 0xFC, 0x5D, + 0x87, 0x0C, 0x6E, 0x5C, 0xAC, 0x0A, 0x45, 0x22, + 0x83, 0x72, 0xC0, 0xAF, 0x5E, 0xDB, 0x5C, 0xE4, + 0xA9, 0x80, 0x16, 0x43, 0xAB, 0x55, 0x72, 0x9B, + 0x37, 0x41, 0xBB, 0xEF, 0x20, 0x45, 0xD5, 0xCB, + 0xF8, 0xCE, 0xA9, 0x50, 0x12, 0x79, 0xAC, 0x6E, + 0xC0, 0x79, 0xA4, 0x74, 0x1C, 0xF8, 0x48, 0xD4, + 0xFC, 0xDC, 0xBB, 0xDA, 0x36, 0x72, 0x46, 0x05, + 0x32, 0x97, 0x4C, 0x6B, 0xA4, 0x3C, 0xA0, 0x0E, + 0xB7, 0xAC, 0x49, 0xA4, 0x52, 0xF0, 0xAC, 0xD5, + 0x8D, 0x86, 0x07, 0xDB, 0xC3, 0x67, 0xE4, 0x95, + 0x62, 0x52, 0x33, 0x33, 0x2D, 0x00, 0x49, 0x23, + 0xCC, 0x12, 0x62, 0xFB, 0x89, 0x27, 0xD5, 0x27, + 0xCB, 0x75, 0xC4, 0xCB, 0x60, 0x17, 0xFD, 0x4E, + 0x7A, 0x2A, 0xD7, 0x0B, 0x09, 0x84, 0x03, 0x20, + 0x38, 0x53, 0x73, 0x71, 0x66, 0xFC, 0x64, 0x9C, + 0x6E, 0x1A, 0x1E, 0xC5, 0x5E, 0x0C, 0xAD, 0x9D, + 0xE3, 0x37, 0xF2, 0xC2, 0xFC, 0xA1, 0x31, 0x26, + 0x2C, 0xA1, 0xDF, 0x05, 0x19, 0xD6, 0x18, 0xE8, + 0x25, 0x7C, 0x23, 0x23, 0xDE, 0x89, 0x6F, 0x5E, + 0x98, 0xE8, 0xB6, 0xB2, 0x25, 0x28, 0x30, 0x12, + 0x19, 0xB1, 0x84, 0x95, 0x8F, 0x8F, 0x65, 0x75, + 0x2D, 0x90, 0xA8, 0x8D, 0xD9, 0xC3, 0x40, 0x79, + 0xC8, 0xC8, 0xA1, 0xDC, 0xD0, 0x16, 0x02, 0xFE, + 0x60, 0xBE, 0xA3, 0x58, 0xA2, 0xC4, 0xBA, 0xE5, + 0x86, 0x4F, 0xF3, 0x2F, 0x46, 0xB9, 0x62, 0x2F, + 0xCD, 0xE4, 0x1A, 0x62, 0x83, 0x76 +}; + +const char _ocsp_ca3_localhost6_unknown_pem[] = + "-----BEGIN OCSP RESPONSE-----\n" + "MIICOgoBAKCCAjMwggIvBgkrBgEFBQcwAQEEggIgMIICHDCBhaEUMBIxEDAOBgNV\n" + "BAMTB3N1YkNBLTMYDzIwMTcxMDE4MTIyMDQ5WjBcMFowRTAJBgUrDgMCGgUABBSy\n" + "5lyOboNLvRHZl/o2k1merVwVxAQUnpHsjKokWyLg6BHo6aSRtZEmAPECDFejHTI3\n" + 
"ZFj6e1Jv14IAGA8yMDE3MTAxODEyMjA0OVowDQYJKoZIhvcNAQELBQADggGBAJg8\n" + "/9F2k7DdQsqMfU+f53gUHZAlZzRRPPYQfrmMGfSaMmr9W3fpCrLNMV4PWxGndTh7\n" + "AforaCwUb6+QyWlnE3B4UUQLphaEawnDJ/8GJZAnCIcjyxpWYZ4onEIZ6pN8BRQE\n" + "f8ccQN01xlB5RtdqsVmvxtoM0husO0YJDnsCwwFVXulPEFgWuFSoVLsx65lkc+4/\n" + "RM67+QrbNpBRgKrhb8MAE2WANjpjSAVSf5GWsH9T/F2HDG5crApFIoNywK9e21zk\n" + "qYAWQ6tVcps3QbvvIEXVy/jOqVASeaxuwHmkdBz4SNT83LvaNnJGBTKXTGukPKAO\n" + "t6xJpFLwrNWNhgfbw2fklWJSMzMtAEkjzBJi+4kn1SfLdcTLYBf9Tnoq1wsJhAMg\n" + "OFNzcWb8ZJxuGh7FXgytneM38sL8oTEmLKHfBRnWGOglfCMj3olvXpjotrIlKDAS\n" + "GbGElY+PZXUtkKiN2cNAecjIodzQFgL+YL6jWKLEuuWGT/MvRrliL83kGmKDdg==\n" + "-----END OCSP RESPONSE-----"; + +static gnutls_datum_t ocsp_ca3_localhost6_unknown = { + (void *)_ocsp_ca3_localhost6_unknown, + sizeof(_ocsp_ca3_localhost6_unknown) +}; + +static gnutls_datum_t ocsp_ca3_localhost6_unknown_pem = { + (void *)_ocsp_ca3_localhost6_unknown_pem, + sizeof(_ocsp_ca3_localhost6_unknown_pem)-1 +}; + +/* ocsp response with unknown status for + * server_ca3_localhost_cert. Signed with + * RSA-SHA512. 
+ */ +static const char _ocsp_ca3_localhost_unknown[] = { + 0x30, 0x82, 0x06, 0x53, 0x0A, 0x01, 0x00, 0xA0, + 0x82, 0x06, 0x4C, 0x30, 0x82, 0x06, 0x48, 0x06, + 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x01, 0x04, 0x82, 0x06, 0x39, 0x30, 0x82, + 0x06, 0x35, 0x30, 0x81, 0x85, 0xA1, 0x14, 0x30, + 0x12, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x13, 0x07, 0x73, 0x75, 0x62, 0x43, + 0x41, 0x2D, 0x33, 0x18, 0x0F, 0x32, 0x30, 0x31, + 0x37, 0x31, 0x30, 0x31, 0x38, 0x31, 0x32, 0x30, + 0x39, 0x33, 0x30, 0x5A, 0x30, 0x5C, 0x30, 0x5A, + 0x30, 0x45, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, + 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14, 0xB2, + 0xE6, 0x5C, 0x8E, 0x6E, 0x83, 0x4B, 0xBD, 0x11, + 0xD9, 0x97, 0xFA, 0x36, 0x93, 0x59, 0x9E, 0xAD, + 0x5C, 0x15, 0xC4, 0x04, 0x14, 0x9E, 0x91, 0xEC, + 0x8C, 0xAA, 0x24, 0x5B, 0x22, 0xE0, 0xE8, 0x11, + 0xE8, 0xE9, 0xA4, 0x91, 0xB5, 0x91, 0x26, 0x00, + 0xF1, 0x02, 0x0C, 0x57, 0xA3, 0x1D, 0x32, 0x36, + 0xC8, 0x0C, 0xA1, 0xCA, 0xB0, 0xBD, 0xF6, 0x82, + 0x00, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x31, + 0x30, 0x31, 0x38, 0x31, 0x32, 0x30, 0x39, 0x33, + 0x30, 0x5A, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, + 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0D, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x81, 0x00, 0x56, 0x64, + 0x2B, 0x10, 0xAA, 0xE7, 0x26, 0x7F, 0xF1, 0x7F, + 0x86, 0x97, 0x0E, 0x18, 0xB4, 0x75, 0x92, 0x65, + 0x12, 0x2B, 0x46, 0x9F, 0x3E, 0x96, 0x98, 0xE4, + 0xAB, 0x10, 0xD1, 0x0E, 0xEA, 0x08, 0xE2, 0xA5, + 0x01, 0x75, 0xA4, 0x5B, 0x76, 0xAC, 0x49, 0x2B, + 0x9E, 0xF1, 0x4A, 0xF2, 0x79, 0x3A, 0x4E, 0x15, + 0x81, 0xFF, 0x4D, 0xD3, 0x65, 0x8E, 0xAE, 0x4A, + 0xBB, 0x33, 0x35, 0x8B, 0x0F, 0xB6, 0x5D, 0x32, + 0xEF, 0xF5, 0xE1, 0x25, 0xBF, 0xBD, 0x52, 0x1D, + 0x99, 0xF2, 0x34, 0xE0, 0xFB, 0x38, 0x34, 0x6C, + 0x9A, 0xEF, 0x53, 0xB2, 0x90, 0xC6, 0xFB, 0x75, + 0xA0, 0x8C, 0xBC, 0x6B, 0x8E, 0xD8, 0xDE, 0x33, + 0xE4, 0x6F, 0xF2, 0xAD, 0xF2, 0xA2, 0x4F, 0xC2, + 0x58, 0x47, 0xE2, 0x68, 0x6D, 0x3A, 0x3A, 0xB3, + 0x0A, 0x82, 0x3D, 0xA4, 0x85, 0x00, 
0x58, 0x3E, + 0x00, 0x35, 0x9D, 0x6B, 0x1F, 0xFF, 0x9F, 0xAE, + 0xB0, 0x9A, 0xE2, 0xC7, 0x0E, 0x9A, 0xB3, 0x7C, + 0x52, 0xE9, 0xDA, 0x50, 0x57, 0x35, 0x72, 0x71, + 0x81, 0xA7, 0xC0, 0x40, 0x28, 0xEA, 0x2B, 0xCE, + 0x09, 0x47, 0x1D, 0xB1, 0x80, 0x41, 0x59, 0xF6, + 0x5D, 0xD3, 0x3C, 0xEA, 0x11, 0xD8, 0x13, 0xB9, + 0x0F, 0x32, 0x6A, 0x29, 0x72, 0xBE, 0xC1, 0xC3, + 0x1B, 0xB5, 0x4C, 0x4D, 0x0D, 0xA1, 0xD5, 0xF0, + 0xC4, 0xEC, 0xC5, 0x5A, 0x93, 0x41, 0x7A, 0x01, + 0x24, 0xB3, 0x7A, 0x71, 0x82, 0xA3, 0xC6, 0x08, + 0x42, 0x91, 0x0E, 0x6B, 0xE7, 0x86, 0x0B, 0xAF, + 0xBE, 0xDF, 0x07, 0x5A, 0x8C, 0x35, 0xF8, 0x5F, + 0x7F, 0x2F, 0x60, 0x04, 0xDD, 0x2A, 0xF2, 0x0D, + 0xC0, 0x1C, 0x6F, 0xA0, 0x30, 0x80, 0xA4, 0x35, + 0x83, 0xD3, 0xC3, 0xCC, 0x35, 0x46, 0x36, 0xEB, + 0xE9, 0xB1, 0x3C, 0x08, 0x8F, 0xCC, 0x5D, 0xCA, + 0xD9, 0xAF, 0x3E, 0xD4, 0x58, 0xBB, 0x90, 0x5D, + 0xEF, 0x01, 0x9C, 0xD9, 0x3E, 0x56, 0x7E, 0xCF, + 0x13, 0xAA, 0x11, 0xC4, 0x22, 0xD2, 0xA0, 0x9F, + 0x1B, 0xE9, 0xF0, 0x78, 0x70, 0x3B, 0xCC, 0x21, + 0x7D, 0x6B, 0x46, 0x97, 0x3F, 0x3B, 0x0C, 0x5B, + 0x8F, 0xA8, 0x28, 0x72, 0x4A, 0x41, 0x4D, 0xE6, + 0xDD, 0x2E, 0xBD, 0xF1, 0xA4, 0x1E, 0xA2, 0xA2, + 0x94, 0x6E, 0xAD, 0x33, 0xC2, 0x56, 0xD3, 0x29, + 0xCF, 0x75, 0x5E, 0x35, 0x59, 0xEB, 0x07, 0x78, + 0x23, 0x0B, 0x20, 0x4E, 0xEB, 0x61, 0x2B, 0x46, + 0x77, 0x0A, 0x9F, 0xA4, 0x57, 0xA8, 0x45, 0x45, + 0x6E, 0x8F, 0xB4, 0xD5, 0x9C, 0xFC, 0x84, 0x78, + 0xC3, 0x82, 0xD9, 0xB6, 0xA7, 0xD5, 0x76, 0xE0, + 0x23, 0x09, 0x2B, 0x9A, 0x7C, 0x7C, 0xB5, 0x6D, + 0x84, 0x9D, 0x1F, 0x47, 0x0C, 0x9C, 0xD6, 0x86, + 0x2B, 0xDD, 0xF4, 0xFA, 0x97, 0xE7, 0x72, 0xE7, + 0x42, 0x52, 0x74, 0xE8, 0x4D, 0x01, 0xA0, 0x82, + 0x04, 0x15, 0x30, 0x82, 0x04, 0x11, 0x30, 0x82, + 0x04, 0x0D, 0x30, 0x82, 0x02, 0x75, 0xA0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x0C, 0x57, 0xA3, 0x1D, + 0x32, 0x35, 0xB3, 0x4F, 0xD0, 0xB9, 0xF5, 0xE7, + 0x3C, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, + 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, + 0x30, 0x0F, 0x31, 0x0D, 0x30, 0x0B, 
0x06, 0x03, + 0x55, 0x04, 0x03, 0x13, 0x04, 0x43, 0x41, 0x2D, + 0x33, 0x30, 0x20, 0x17, 0x0D, 0x31, 0x36, 0x30, + 0x35, 0x31, 0x30, 0x30, 0x38, 0x34, 0x38, 0x33, + 0x30, 0x5A, 0x18, 0x0F, 0x39, 0x39, 0x39, 0x39, + 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, + 0x35, 0x39, 0x5A, 0x30, 0x12, 0x31, 0x10, 0x30, + 0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x07, + 0x73, 0x75, 0x62, 0x43, 0x41, 0x2D, 0x33, 0x30, + 0x82, 0x01, 0xA2, 0x30, 0x0D, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x8F, 0x00, 0x30, + 0x82, 0x01, 0x8A, 0x02, 0x82, 0x01, 0x81, 0x00, + 0xA0, 0x39, 0xC3, 0x57, 0xCD, 0x2B, 0x4E, 0x9D, + 0x11, 0x68, 0x8B, 0x4E, 0x5A, 0x31, 0x12, 0xDE, + 0x30, 0x1E, 0x39, 0x5F, 0x86, 0xB6, 0xB2, 0xB4, + 0x81, 0xBA, 0x5D, 0xD4, 0x2F, 0x10, 0xD2, 0x1A, + 0x32, 0x0F, 0xD0, 0x41, 0x25, 0xFF, 0xF5, 0xF6, + 0x58, 0xB8, 0xA8, 0xA5, 0xEF, 0xF1, 0x34, 0xBF, + 0x1B, 0x3C, 0x24, 0x69, 0x23, 0x5B, 0x12, 0x55, + 0x79, 0x7C, 0x1D, 0xBD, 0x5C, 0x2B, 0x7A, 0x96, + 0x34, 0x66, 0xB3, 0x56, 0x60, 0xBB, 0xC5, 0x6D, + 0x3B, 0x37, 0x12, 0xF6, 0xE8, 0x8F, 0x3A, 0x7B, + 0x7F, 0xC1, 0x55, 0x19, 0xEA, 0xF2, 0x2A, 0x15, + 0xB6, 0xF3, 0xD0, 0xC0, 0x4A, 0x6F, 0xB8, 0x8F, + 0x05, 0xF7, 0xBC, 0x75, 0xBC, 0xBF, 0xE7, 0xF9, + 0xC7, 0xDC, 0x76, 0x43, 0x7B, 0xEC, 0xD4, 0x9C, + 0xAF, 0x90, 0xBD, 0x8C, 0x73, 0x15, 0x8A, 0x84, + 0x6F, 0x0B, 0xEA, 0x8A, 0xCF, 0xD6, 0xD4, 0x07, + 0x1E, 0x43, 0x4B, 0x24, 0x95, 0xEB, 0xA3, 0xD1, + 0xE7, 0xEC, 0x06, 0xB0, 0x90, 0xEF, 0x91, 0xFB, + 0x26, 0x8D, 0x53, 0xA0, 0xAA, 0x24, 0xE5, 0x49, + 0x64, 0x12, 0xE4, 0x6D, 0xE7, 0x30, 0xCA, 0xB4, + 0x46, 0x2C, 0x6C, 0x73, 0x97, 0x4F, 0xE5, 0x6C, + 0xA0, 0x91, 0xB7, 0x61, 0xF7, 0xEE, 0x39, 0x50, + 0x2B, 0x4E, 0x6D, 0xC9, 0xC7, 0x00, 0x12, 0x6B, + 0x3F, 0xE1, 0xAD, 0x2E, 0x21, 0xB4, 0x00, 0xE5, + 0x31, 0xEA, 0x83, 0xF3, 0x3E, 0xD7, 0x99, 0x2F, + 0x5D, 0xDE, 0xAD, 0x65, 0xE0, 0xEF, 0x36, 0x2E, + 0xB1, 0x36, 0xAB, 0x8F, 0xDA, 0xD3, 0x71, 0xDB, + 0x20, 0x47, 0xF2, 0x26, 0xD6, 0x62, 
0x33, 0x98, + 0x3D, 0xA2, 0xEC, 0x68, 0x49, 0xA3, 0x81, 0xA3, + 0xD1, 0x29, 0x37, 0x46, 0xAF, 0x77, 0x27, 0x27, + 0x80, 0xF8, 0x0C, 0xB9, 0x50, 0xF9, 0xAA, 0x72, + 0x6F, 0x9D, 0xA9, 0x7D, 0x34, 0x6F, 0x8F, 0x4C, + 0x4D, 0x3B, 0xF8, 0x1A, 0xD3, 0xB9, 0xDE, 0x42, + 0xD0, 0x48, 0x25, 0xD8, 0x14, 0x9F, 0x7A, 0x8D, + 0xC3, 0x22, 0x5C, 0xCC, 0xC1, 0x14, 0x90, 0xF5, + 0x44, 0xEB, 0x1D, 0x93, 0x85, 0x94, 0x79, 0xDF, + 0xED, 0x24, 0xC1, 0xDF, 0x7E, 0xDB, 0x43, 0xCF, + 0xD8, 0xF7, 0x59, 0xCB, 0x97, 0xF4, 0xCD, 0xA7, + 0xCD, 0x34, 0xF6, 0xC6, 0x56, 0xAE, 0xA2, 0x48, + 0xDB, 0x10, 0x08, 0x51, 0x0D, 0x1C, 0x39, 0x7F, + 0x10, 0x85, 0x66, 0x1E, 0xD3, 0x6E, 0x66, 0x87, + 0xE2, 0xFC, 0xAC, 0x0C, 0xEF, 0x54, 0x65, 0x75, + 0x44, 0x5D, 0x22, 0xCA, 0xA2, 0x74, 0x36, 0x2E, + 0x6C, 0xAC, 0xA3, 0x8F, 0x2C, 0xFC, 0x6D, 0xF4, + 0x56, 0x69, 0x52, 0x8E, 0xD3, 0xED, 0x26, 0xA4, + 0x6C, 0xBF, 0xFA, 0x0F, 0xA4, 0x23, 0xBF, 0x73, + 0x40, 0xFA, 0x06, 0xB9, 0x07, 0x57, 0x9E, 0x41, + 0xE3, 0xCC, 0x5F, 0x9B, 0x22, 0x05, 0x8E, 0x01, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x64, 0x30, + 0x62, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, + 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, + 0x01, 0xFF, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, + 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x03, 0x03, + 0x07, 0x06, 0x00, 0x30, 0x1D, 0x06, 0x03, 0x55, + 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x2D, 0x33, + 0x04, 0x1B, 0x27, 0x7F, 0x94, 0x04, 0x7C, 0xC7, + 0xE3, 0x35, 0x4F, 0xE9, 0x25, 0xA4, 0x94, 0xE1, + 0xB7, 0xA1, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, + 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xF9, + 0xA8, 0x86, 0x19, 0x63, 0xB6, 0xA4, 0x14, 0x13, + 0x60, 0x76, 0x0F, 0x01, 0x9A, 0x35, 0x36, 0xEF, + 0xF1, 0xB4, 0xAF, 0x30, 0x0D, 0x06, 0x09, 0x2A, + 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x81, 0x00, 0x32, + 0x28, 0xB9, 0x1B, 0x1D, 0xFF, 0x77, 0xFE, 0x7C, + 0xA0, 0x34, 0x72, 0xE5, 0xAD, 0x28, 0x3E, 0xF4, + 0x21, 0x91, 0x4D, 0x1D, 0x29, 0xAE, 0xB5, 0x35, + 0xF8, 0xE3, 0x3B, 0x3F, 0x6E, 0xAB, 
0x13, 0x52, + 0x8A, 0x52, 0xC9, 0x13, 0xB8, 0xC6, 0x24, 0xF6, + 0x86, 0xDA, 0xD2, 0xAD, 0x0B, 0xF5, 0xD4, 0xD5, + 0x86, 0xEA, 0x97, 0x6B, 0x6A, 0x41, 0x8E, 0xBC, + 0x92, 0x88, 0x23, 0x2A, 0xCD, 0xF5, 0x40, 0x2E, + 0x91, 0x16, 0x4A, 0x19, 0x00, 0x5A, 0x2E, 0x4C, + 0x9B, 0x75, 0xD6, 0x4C, 0xDB, 0x81, 0x55, 0x8A, + 0x7B, 0x00, 0xA4, 0xDF, 0xF3, 0xAB, 0x03, 0x4F, + 0xD9, 0x91, 0x1A, 0xC0, 0x7C, 0x4D, 0x0F, 0x99, + 0xAF, 0xCD, 0x21, 0x34, 0x70, 0x4C, 0x79, 0x93, + 0xB1, 0x03, 0x9D, 0xBF, 0xF6, 0xF3, 0x47, 0xEC, + 0x48, 0x3E, 0x18, 0xCA, 0xC4, 0xAA, 0xCA, 0xC8, + 0x91, 0x4C, 0x1B, 0x9C, 0x5B, 0xF9, 0x0D, 0x0E, + 0x29, 0x26, 0xDD, 0xF2, 0x40, 0xE9, 0x81, 0x85, + 0x8A, 0xA1, 0xBE, 0x71, 0xDA, 0x3B, 0x0D, 0x62, + 0x01, 0x03, 0xA7, 0xC9, 0xD8, 0x49, 0x14, 0xF8, + 0xE5, 0x21, 0xB0, 0xED, 0xCE, 0xC5, 0x72, 0xE9, + 0xA4, 0x5F, 0x3D, 0xA7, 0x03, 0xAA, 0xF9, 0x37, + 0x06, 0xE7, 0x84, 0x42, 0xEF, 0x34, 0x52, 0xBC, + 0x7F, 0x3B, 0x18, 0xF9, 0x02, 0x4A, 0x1D, 0xA0, + 0x25, 0x27, 0xD0, 0x9C, 0x96, 0x58, 0x8F, 0xD4, + 0xF8, 0xA2, 0x01, 0xC9, 0x76, 0x2D, 0x0A, 0x36, + 0x81, 0xAC, 0xA0, 0x58, 0xD8, 0x83, 0xFA, 0x08, + 0x27, 0xAB, 0x3C, 0xBB, 0x9E, 0xA6, 0xA6, 0xF6, + 0xB8, 0x9E, 0x38, 0xE3, 0x07, 0x96, 0xCD, 0x64, + 0x28, 0x50, 0x05, 0xAD, 0x6C, 0xB6, 0x83, 0xF7, + 0x01, 0x85, 0x37, 0xD2, 0xFB, 0xFE, 0xD2, 0x86, + 0x97, 0xB1, 0xEC, 0xD2, 0xB6, 0x18, 0x08, 0xAE, + 0x8E, 0x05, 0x15, 0xD1, 0x36, 0x47, 0x13, 0x21, + 0x19, 0xB7, 0xAB, 0xA6, 0xE2, 0x02, 0xD2, 0xF6, + 0xFC, 0x14, 0x2A, 0xCF, 0xD1, 0xE1, 0x74, 0xBD, + 0x54, 0xBF, 0xDB, 0x06, 0x57, 0xC0, 0xCB, 0x68, + 0x40, 0x55, 0x37, 0x94, 0x7A, 0x38, 0x91, 0x04, + 0x67, 0x93, 0x26, 0x4A, 0x81, 0xBB, 0xBF, 0x9C, + 0xE0, 0x57, 0x6B, 0x08, 0x1C, 0x95, 0x85, 0xA7, + 0x90, 0x01, 0x23, 0x18, 0xBB, 0xF9, 0x60, 0x6B, + 0xC7, 0x9A, 0x18, 0xBD, 0x73, 0x25, 0xB2, 0x5E, + 0xD8, 0x14, 0x16, 0x23, 0xBE, 0x78, 0x28, 0x36, + 0x03, 0x4F, 0xDA, 0x8A, 0x36, 0xA1, 0xA5, 0x83, + 0x2B, 0x2B, 0xE0, 0x05, 0x63, 0x7B, 0xBC, 0xF5, + 0x63, 0x53, 0x10, 0xEF, 0x64, 0xA7, 
0x7E, 0xBC, + 0xD8, 0x49, 0x0C, 0x3A, 0x04, 0x1F, 0x39, 0x0A, + 0xEA, 0xC1, 0xEA, 0x2A, 0x2E, 0xDD, 0x0F, 0x9E, + 0x33, 0x8A, 0x38, 0x83, 0xFF, 0xB1, 0x18, 0x4B, + 0x83, 0xA3, 0x43, 0x5E, 0xFF, 0xC8, 0xAB +}; + +const char _ocsp_ca3_localhost_unknown_pem[] = + "-----BEGIN OCSP RESPONSE-----\n" + "MIICNwoBAKCCAjAwggIsBgkrBgEFBQcwAQEEggIdMIICGTCBgqERMA8xDTALBgNV\n" + "BAMTBENBLTMYDzIwMTcxMDE4MTIzODUyWjBcMFowRTAJBgUrDgMCGgUABBS3yg+r\n" + "3G+4sJZ6FayYCg8Z/qQS3gQUHoXtf55x+gidN0hDoBLv5arh44oCDFejHTI1s0/Q\n" + "ufXnPIIAGA8yMDE3MTAxODEyMzg1MlowDQYJKoZIhvcNAQELBQADggGBALMParB9\n" + "K97DlT4FmMdPScoT7oAAsar4XxKLU9+oraht7H+WTAYSpnCxh/ugR17G0jtzTzIw\n" + "nLQFAyR9MDYKp4Om4YqQ7r+43DiIqKVU25WcrVifUbtkR+LbjH+Bk1UHvFE8mCOX\n" + "ZB+cmQyjGap1RX0dnj2Wm48vUwqp71nA8AYcXL575xZ4rb9DDhaoV2h3S0Zlu4IN\n" + "btuDIVsxJ53kqkGjjVB4/R0RtqCXOI2ThMK3SfDWqwzF9tYA763VVXi+g+w3oyv4\n" + "ZtP8QUWOVUY4azpElX1wqoO8znUjxs1AzROLUeLPK8GMLVIZLP361J2kLgcj0Gdq\n" + "GIVH5N54p6bl5OgSUP3EdKbFRZyCVZ2n8Der3Cf9PtfvGV7Ze4Cv/CCN6rJkk54P\n" + "6auP6pEJg0ESGC5fop5HFCyVM+W/ot0A1cxN0+cHYlqB1NQholLqe3psDjJ2EoIK\n" + "LtN5dRLO6z5L74CwwiJ1SeLh8XyJtr/ee9RnFB56XCzO7lyhbHPx/VT6Qw==\n" + "-----END OCSP RESPONSE-----"; + +static gnutls_datum_t ocsp_ca3_localhost_unknown = { + (void *)_ocsp_ca3_localhost_unknown, sizeof(_ocsp_ca3_localhost_unknown) +}; + +static gnutls_datum_t ocsp_ca3_localhost_unknown_pem = { + (void *)_ocsp_ca3_localhost_unknown_pem, sizeof(_ocsp_ca3_localhost_unknown_pem) +}; + + +/* ocsp response with unknown status for + * server_ca3_localhost_cert. Signed with + * RSA-SHA1. 
+ */ +static const char _ocsp_ca3_localhost_unknown_sha1[] = { + 0x30, 0x82, 0x02, 0x3A, 0x0A, 0x01, 0x00, 0xA0, + 0x82, 0x02, 0x33, 0x30, 0x82, 0x02, 0x2F, 0x06, + 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x01, 0x04, 0x82, 0x02, 0x20, 0x30, 0x82, + 0x02, 0x1C, 0x30, 0x81, 0x85, 0xA1, 0x14, 0x30, + 0x12, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x13, 0x07, 0x73, 0x75, 0x62, 0x43, + 0x41, 0x2D, 0x33, 0x18, 0x0F, 0x32, 0x30, 0x31, + 0x37, 0x31, 0x30, 0x31, 0x38, 0x31, 0x32, 0x32, + 0x32, 0x30, 0x36, 0x5A, 0x30, 0x5C, 0x30, 0x5A, + 0x30, 0x45, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, + 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14, 0xB2, + 0xE6, 0x5C, 0x8E, 0x6E, 0x83, 0x4B, 0xBD, 0x11, + 0xD9, 0x97, 0xFA, 0x36, 0x93, 0x59, 0x9E, 0xAD, + 0x5C, 0x15, 0xC4, 0x04, 0x14, 0x9E, 0x91, 0xEC, + 0x8C, 0xAA, 0x24, 0x5B, 0x22, 0xE0, 0xE8, 0x11, + 0xE8, 0xE9, 0xA4, 0x91, 0xB5, 0x91, 0x26, 0x00, + 0xF1, 0x02, 0x0C, 0x57, 0xA3, 0x1D, 0x32, 0x36, + 0xC8, 0x0C, 0xA1, 0xCA, 0xB0, 0xBD, 0xF6, 0x82, + 0x00, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x31, + 0x30, 0x31, 0x38, 0x31, 0x32, 0x32, 0x32, 0x30, + 0x36, 0x5A, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, + 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x81, 0x00, 0x29, 0x91, + 0xFA, 0x87, 0x8F, 0x4D, 0xC2, 0x25, 0x67, 0x4F, + 0x2A, 0x39, 0xF9, 0xDA, 0x05, 0x4A, 0x8E, 0xBC, + 0x72, 0xB7, 0x8B, 0xF1, 0x6C, 0x77, 0x5E, 0x2F, + 0x0F, 0xA4, 0xEC, 0x7F, 0xD6, 0x63, 0xEA, 0x39, + 0x17, 0x6F, 0xAA, 0x4B, 0x86, 0x46, 0x0E, 0xB2, + 0xE1, 0x65, 0x1C, 0xEC, 0x97, 0x05, 0x00, 0x4D, + 0xAC, 0xBA, 0xA5, 0xD4, 0x1B, 0xB8, 0x4A, 0x05, + 0x94, 0x6C, 0xC9, 0xE1, 0x41, 0x5B, 0x44, 0x4F, + 0x39, 0x9C, 0xF7, 0xAF, 0x04, 0x31, 0x1A, 0x5B, + 0xF8, 0x5E, 0x42, 0xDA, 0xEA, 0xFF, 0x25, 0x67, + 0x75, 0x3E, 0x46, 0xC4, 0x7D, 0x31, 0x74, 0xBD, + 0x19, 0xFF, 0x11, 0x7F, 0x21, 0x39, 0x4D, 0xE3, + 0x07, 0x2F, 0xF4, 0xF5, 0x6B, 0xE7, 0x10, 0xF8, + 0x6C, 0x57, 0x7B, 0x83, 0x84, 0xCD, 0x3D, 0x61, + 0xFD, 0x91, 0x87, 0x03, 0x03, 
0xDD, 0x7A, 0x60, + 0xF9, 0x1D, 0x82, 0xE9, 0xD9, 0x4B, 0xC9, 0xF2, + 0x6F, 0xE5, 0x09, 0xCC, 0xEC, 0x63, 0xD7, 0xC1, + 0xED, 0x54, 0x6D, 0x03, 0xC8, 0xC5, 0x92, 0xBC, + 0x22, 0x11, 0xCD, 0x3A, 0x2E, 0x51, 0xCD, 0x5F, + 0xA5, 0xB5, 0xA3, 0x5C, 0x8D, 0x54, 0x92, 0x85, + 0x6B, 0x92, 0x2A, 0x23, 0x5E, 0xFB, 0x35, 0xFB, + 0x23, 0xDA, 0x17, 0x16, 0x6D, 0xB2, 0xFB, 0xD8, + 0x8D, 0x43, 0x9F, 0x36, 0xE9, 0x5E, 0xA2, 0xCB, + 0xA5, 0x2D, 0xAE, 0xDD, 0x63, 0xFC, 0x53, 0x90, + 0xB5, 0x54, 0x82, 0x7C, 0xBD, 0x08, 0xD7, 0x4E, + 0xEA, 0x11, 0x84, 0x3C, 0x5B, 0x63, 0x06, 0xA5, + 0x2C, 0x8B, 0x09, 0x13, 0xC7, 0x04, 0x5F, 0xAF, + 0x73, 0xB1, 0x89, 0x40, 0x12, 0xEA, 0x9C, 0x56, + 0xC6, 0x08, 0x39, 0xD4, 0xAA, 0x1F, 0xAF, 0x74, + 0x78, 0xCC, 0x84, 0xC2, 0x8A, 0xE8, 0x0B, 0xCD, + 0xD3, 0x2D, 0xCD, 0x98, 0x2E, 0x8D, 0xAB, 0x59, + 0xFC, 0xCF, 0x4C, 0x1A, 0x30, 0xED, 0x8E, 0x3F, + 0xF8, 0xC7, 0xBD, 0xE3, 0x64, 0x94, 0x0C, 0xFC, + 0x24, 0x85, 0x35, 0x0A, 0x0E, 0x65, 0xA7, 0x2C, + 0x0B, 0x80, 0xB9, 0xB0, 0x97, 0xA5, 0x70, 0xE0, + 0x12, 0x86, 0x69, 0x74, 0x22, 0xEA, 0xE3, 0x11, + 0x4B, 0x34, 0xB1, 0xFB, 0x24, 0xEE, 0x00, 0x73, + 0x71, 0x33, 0x74, 0x62, 0x64, 0x10, 0xDD, 0x5A, + 0x3A, 0x10, 0xA3, 0x8E, 0x36, 0x03, 0x0D, 0x17, + 0xE3, 0x72, 0x29, 0xAE, 0x5A, 0xBD, 0x2E, 0xE0, + 0xFD, 0xB1, 0xDF, 0x8F, 0x2C, 0x24, 0xCF, 0xB9, + 0x10, 0x99, 0x68, 0xA2, 0x55, 0x01, 0x1E, 0xFB, + 0x9B, 0x14, 0x4C, 0x1E, 0xB4, 0x59, 0x79, 0xB7, + 0x8F, 0x07, 0x28, 0x3E, 0xB4, 0x2E, 0x8F, 0x91, + 0x51, 0xFD, 0x8F, 0x12, 0x8D, 0xC6, 0x57, 0x7B, + 0x87, 0xEF, 0x9C, 0x8B, 0x90, 0xD3, 0xA5, 0xB0, + 0xBE, 0x4B, 0xFA, 0x33, 0x54, 0x87, 0x81, 0xCF, + 0x96, 0x9A, 0xD3, 0xDC, 0xA9, 0xB6 +}; + +static gnutls_datum_t ocsp_ca3_localhost_unknown_sha1 = { + (void *)_ocsp_ca3_localhost_unknown_sha1, + sizeof(_ocsp_ca3_localhost_unknown_sha1) +}; + +/* ocsp response with unknown status for + * subca3_cert_pem. Signed with + * RSA-SHA256. 
+ */ +static const char _ocsp_subca3_unknown[] = { + 0x30, 0x82, 0x02, 0x37, 0x0A, 0x01, 0x00, 0xA0, + 0x82, 0x02, 0x30, 0x30, 0x82, 0x02, 0x2C, 0x06, + 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x01, 0x04, 0x82, 0x02, 0x1D, 0x30, 0x82, + 0x02, 0x19, 0x30, 0x81, 0x82, 0xA1, 0x11, 0x30, + 0x0F, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x13, 0x04, 0x43, 0x41, 0x2D, 0x33, + 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x31, 0x30, + 0x31, 0x38, 0x31, 0x32, 0x33, 0x38, 0x35, 0x32, + 0x5A, 0x30, 0x5C, 0x30, 0x5A, 0x30, 0x45, 0x30, + 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, + 0x05, 0x00, 0x04, 0x14, 0xB7, 0xCA, 0x0F, 0xAB, + 0xDC, 0x6F, 0xB8, 0xB0, 0x96, 0x7A, 0x15, 0xAC, + 0x98, 0x0A, 0x0F, 0x19, 0xFE, 0xA4, 0x12, 0xDE, + 0x04, 0x14, 0x1E, 0x85, 0xED, 0x7F, 0x9E, 0x71, + 0xFA, 0x08, 0x9D, 0x37, 0x48, 0x43, 0xA0, 0x12, + 0xEF, 0xE5, 0xAA, 0xE1, 0xE3, 0x8A, 0x02, 0x0C, + 0x57, 0xA3, 0x1D, 0x32, 0x35, 0xB3, 0x4F, 0xD0, + 0xB9, 0xF5, 0xE7, 0x3C, 0x82, 0x00, 0x18, 0x0F, + 0x32, 0x30, 0x31, 0x37, 0x31, 0x30, 0x31, 0x38, + 0x31, 0x32, 0x33, 0x38, 0x35, 0x32, 0x5A, 0x30, + 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, + 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, + 0x01, 0x81, 0x00, 0xB3, 0x0F, 0x6A, 0xB0, 0x7D, + 0x2B, 0xDE, 0xC3, 0x95, 0x3E, 0x05, 0x98, 0xC7, + 0x4F, 0x49, 0xCA, 0x13, 0xEE, 0x80, 0x00, 0xB1, + 0xAA, 0xF8, 0x5F, 0x12, 0x8B, 0x53, 0xDF, 0xA8, + 0xAD, 0xA8, 0x6D, 0xEC, 0x7F, 0x96, 0x4C, 0x06, + 0x12, 0xA6, 0x70, 0xB1, 0x87, 0xFB, 0xA0, 0x47, + 0x5E, 0xC6, 0xD2, 0x3B, 0x73, 0x4F, 0x32, 0x30, + 0x9C, 0xB4, 0x05, 0x03, 0x24, 0x7D, 0x30, 0x36, + 0x0A, 0xA7, 0x83, 0xA6, 0xE1, 0x8A, 0x90, 0xEE, + 0xBF, 0xB8, 0xDC, 0x38, 0x88, 0xA8, 0xA5, 0x54, + 0xDB, 0x95, 0x9C, 0xAD, 0x58, 0x9F, 0x51, 0xBB, + 0x64, 0x47, 0xE2, 0xDB, 0x8C, 0x7F, 0x81, 0x93, + 0x55, 0x07, 0xBC, 0x51, 0x3C, 0x98, 0x23, 0x97, + 0x64, 0x1F, 0x9C, 0x99, 0x0C, 0xA3, 0x19, 0xAA, + 0x75, 0x45, 0x7D, 0x1D, 0x9E, 0x3D, 0x96, 0x9B, + 0x8F, 0x2F, 0x53, 0x0A, 0xA9, 0xEF, 0x59, 
0xC0, + 0xF0, 0x06, 0x1C, 0x5C, 0xBE, 0x7B, 0xE7, 0x16, + 0x78, 0xAD, 0xBF, 0x43, 0x0E, 0x16, 0xA8, 0x57, + 0x68, 0x77, 0x4B, 0x46, 0x65, 0xBB, 0x82, 0x0D, + 0x6E, 0xDB, 0x83, 0x21, 0x5B, 0x31, 0x27, 0x9D, + 0xE4, 0xAA, 0x41, 0xA3, 0x8D, 0x50, 0x78, 0xFD, + 0x1D, 0x11, 0xB6, 0xA0, 0x97, 0x38, 0x8D, 0x93, + 0x84, 0xC2, 0xB7, 0x49, 0xF0, 0xD6, 0xAB, 0x0C, + 0xC5, 0xF6, 0xD6, 0x00, 0xEF, 0xAD, 0xD5, 0x55, + 0x78, 0xBE, 0x83, 0xEC, 0x37, 0xA3, 0x2B, 0xF8, + 0x66, 0xD3, 0xFC, 0x41, 0x45, 0x8E, 0x55, 0x46, + 0x38, 0x6B, 0x3A, 0x44, 0x95, 0x7D, 0x70, 0xAA, + 0x83, 0xBC, 0xCE, 0x75, 0x23, 0xC6, 0xCD, 0x40, + 0xCD, 0x13, 0x8B, 0x51, 0xE2, 0xCF, 0x2B, 0xC1, + 0x8C, 0x2D, 0x52, 0x19, 0x2C, 0xFD, 0xFA, 0xD4, + 0x9D, 0xA4, 0x2E, 0x07, 0x23, 0xD0, 0x67, 0x6A, + 0x18, 0x85, 0x47, 0xE4, 0xDE, 0x78, 0xA7, 0xA6, + 0xE5, 0xE4, 0xE8, 0x12, 0x50, 0xFD, 0xC4, 0x74, + 0xA6, 0xC5, 0x45, 0x9C, 0x82, 0x55, 0x9D, 0xA7, + 0xF0, 0x37, 0xAB, 0xDC, 0x27, 0xFD, 0x3E, 0xD7, + 0xEF, 0x19, 0x5E, 0xD9, 0x7B, 0x80, 0xAF, 0xFC, + 0x20, 0x8D, 0xEA, 0xB2, 0x64, 0x93, 0x9E, 0x0F, + 0xE9, 0xAB, 0x8F, 0xEA, 0x91, 0x09, 0x83, 0x41, + 0x12, 0x18, 0x2E, 0x5F, 0xA2, 0x9E, 0x47, 0x14, + 0x2C, 0x95, 0x33, 0xE5, 0xBF, 0xA2, 0xDD, 0x00, + 0xD5, 0xCC, 0x4D, 0xD3, 0xE7, 0x07, 0x62, 0x5A, + 0x81, 0xD4, 0xD4, 0x21, 0xA2, 0x52, 0xEA, 0x7B, + 0x7A, 0x6C, 0x0E, 0x32, 0x76, 0x12, 0x82, 0x0A, + 0x2E, 0xD3, 0x79, 0x75, 0x12, 0xCE, 0xEB, 0x3E, + 0x4B, 0xEF, 0x80, 0xB0, 0xC2, 0x22, 0x75, 0x49, + 0xE2, 0xE1, 0xF1, 0x7C, 0x89, 0xB6, 0xBF, 0xDE, + 0x7B, 0xD4, 0x67, 0x14, 0x1E, 0x7A, 0x5C, 0x2C, + 0xCE, 0xEE, 0x5C, 0xA1, 0x6C, 0x73, 0xF1, 0xFD, + 0x54, 0xFA, 0x43 +}; + +const char _ocsp_subca3_unknown_pem[] = + "-----BEGIN OCSP RESPONSE-----\n" + "MIIGUwoBAKCCBkwwggZIBgkrBgEFBQcwAQEEggY5MIIGNTCBhaEUMBIxEDAOBgNV\n" + "BAMTB3N1YkNBLTMYDzIwMTcxMDE4MTIwOTMwWjBcMFowRTAJBgUrDgMCGgUABBSy\n" + "5lyOboNLvRHZl/o2k1merVwVxAQUnpHsjKokWyLg6BHo6aSRtZEmAPECDFejHTI2\n" + "yAyhyrC99oIAGA8yMDE3MTAxODEyMDkzMFowDQYJKoZIhvcNAQENBQADggGBAFZk\n" + 
"KxCq5yZ/8X+Glw4YtHWSZRIrRp8+lpjkqxDRDuoI4qUBdaRbdqxJK57xSvJ5Ok4V\n" + "gf9N02WOrkq7MzWLD7ZdMu/14SW/vVIdmfI04Ps4NGya71OykMb7daCMvGuO2N4z\n" + "5G/yrfKiT8JYR+JobTo6swqCPaSFAFg+ADWdax//n66wmuLHDpqzfFLp2lBXNXJx\n" + "gafAQCjqK84JRx2xgEFZ9l3TPOoR2BO5DzJqKXK+wcMbtUxNDaHV8MTsxVqTQXoB\n" + "JLN6cYKjxghCkQ5r54YLr77fB1qMNfhffy9gBN0q8g3AHG+gMICkNYPTw8w1Rjbr\n" + "6bE8CI/MXcrZrz7UWLuQXe8BnNk+Vn7PE6oRxCLSoJ8b6fB4cDvMIX1rRpc/Owxb\n" + "j6gockpBTebdLr3xpB6iopRurTPCVtMpz3VeNVnrB3gjCyBO62ErRncKn6RXqEVF\n" + "bo+01Zz8hHjDgtm2p9V24CMJK5p8fLVthJ0fRwyc1oYr3fT6l+dy50JSdOhNAaCC\n" + "BBUwggQRMIIEDTCCAnWgAwIBAgIMV6MdMjWzT9C59ec8MA0GCSqGSIb3DQEBCwUA\n" + "MA8xDTALBgNVBAMTBENBLTMwIBcNMTYwNTEwMDg0ODMwWhgPOTk5OTEyMzEyMzU5\n" + "NTlaMBIxEDAOBgNVBAMTB3N1YkNBLTMwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAw\n" + "ggGKAoIBgQCgOcNXzStOnRFoi05aMRLeMB45X4a2srSBul3ULxDSGjIP0EEl//X2\n" + "WLiope/xNL8bPCRpI1sSVXl8Hb1cK3qWNGazVmC7xW07NxL26I86e3/BVRnq8ioV\n" + "tvPQwEpvuI8F97x1vL/n+cfcdkN77NScr5C9jHMVioRvC+qKz9bUBx5DSySV66PR\n" + "5+wGsJDvkfsmjVOgqiTlSWQS5G3nMMq0Rixsc5dP5Wygkbdh9+45UCtObcnHABJr\n" + "P+GtLiG0AOUx6oPzPteZL13erWXg7zYusTarj9rTcdsgR/Im1mIzmD2i7GhJo4Gj\n" + "0Sk3Rq93JyeA+Ay5UPmqcm+dqX00b49MTTv4GtO53kLQSCXYFJ96jcMiXMzBFJD1\n" + "ROsdk4WUed/tJMHffttDz9j3WcuX9M2nzTT2xlauokjbEAhRDRw5fxCFZh7TbmaH\n" + "4vysDO9UZXVEXSLKonQ2Lmyso48s/G30VmlSjtPtJqRsv/oPpCO/c0D6BrkHV55B\n" + "48xfmyIFjgECAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD\n" + "BwYAMB0GA1UdDgQWBBQtMwQbJ3+UBHzH4zVP6SWklOG3oTAfBgNVHSMEGDAWgBT5\n" + "qIYZY7akFBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAMii5Gx3/d/58\n" + "oDRy5a0oPvQhkU0dKa61NfjjOz9uqxNSilLJE7jGJPaG2tKtC/XU1Ybql2tqQY68\n" + "kogjKs31QC6RFkoZAFouTJt11kzbgVWKewCk3/OrA0/ZkRrAfE0Pma/NITRwTHmT\n" + "sQOdv/bzR+xIPhjKxKrKyJFMG5xb+Q0OKSbd8kDpgYWKob5x2jsNYgEDp8nYSRT4\n" + "5SGw7c7FcumkXz2nA6r5NwbnhELvNFK8fzsY+QJKHaAlJ9CclliP1PiiAcl2LQo2\n" + "gaygWNiD+ggnqzy7nqam9rieOOMHls1kKFAFrWy2g/cBhTfS+/7Shpex7NK2GAiu\n" + "jgUV0TZHEyEZt6um4gLS9vwUKs/R4XS9VL/bBlfAy2hAVTeUejiRBGeTJkqBu7+c\n" + 
"4FdrCByVhaeQASMYu/lga8eaGL1zJbJe2BQWI754KDYDT9qKNqGlgysr4AVje7z1\n"
+ "Y1MQ72SnfrzYSQw6BB85CurB6iou3Q+eM4o4g/+xGEuDo0Ne/8ir\n"
+ "-----END OCSP RESPONSE-----\n";
+
+static gnutls_datum_t ocsp_subca3_unknown = {
+ (void *)_ocsp_subca3_unknown, sizeof(_ocsp_subca3_unknown)
+};
+
+static gnutls_datum_t ocsp_subca3_unknown_pem = {
+ (void *)_ocsp_subca3_unknown_pem, sizeof(_ocsp_subca3_unknown_pem)-1
+};
+
+#endif
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection
index 3caf25535b..5ec896207d 100755
--- a/tests/ocsp-tests/ocsp-must-staple-connection
+++ b/tests/ocsp-tests/ocsp-must-staple-connection
@@ -203,7 +203,7 @@ launch_bare_server $$ \
 --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
 --x509certfile="${SERVER_CERT_FILE}" \
 --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
 TLS_SERVER_PID="${!}"
 wait_server $TLS_SERVER_PID
@@ -238,7 +238,7 @@ launch_bare_server $$ \
 --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
 --x509certfile="${SERVER_CERT_FILE}" \
 --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
 TLS_SERVER_PID="${!}"
 wait_server $TLS_SERVER_PID
@@ -274,7 +274,7 @@ launch_bare_server $$ \
 --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
 --x509certfile="${SERVER_CERT_FILE}" \
 --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
 TLS_SERVER_PID="${!}"
 wait_server $TLS_SERVER_PID
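Review bot: The PEM strings `_ocsp_ca3_localhost_unknown_pem` and `_ocsp_subca3_unknown_pem` appear to be paired with the wrong DER arrays: the first starts `MIICNwoBAKCCAjAw`, which decodes to `30 82 02 37 0A 01 00 A0 82 02 30`, the prefix of `_ocsp_subca3_unknown`, while the second starts `MIIGUwoBAKCCBkww`, decoding to `30 82 06 53 0A 01 00 A0 82 06 4C`, the prefix of `_ocsp_ca3_localhost_unknown`. Unless the cross-pairing is deliberate (nothing in the header says so), the two string bodies should be exchanged, or the comments above them corrected so a reader knows which response each datum actually holds. Separately, `ocsp_ca3_localhost_unknown_pem` is sized with `sizeof(_ocsp_ca3_localhost_unknown_pem)` while the other two PEM datums subtract one, so its `.size` includes the terminating NUL; change it to `sizeof(_ocsp_ca3_localhost_unknown_pem)-1`. The three `_pem[]` arrays are also the only objects here defined without `static`, giving them external linkage from a header; adding `static` keeps them consistent with the DER arrays. The hunk is the whole new file and ends at `#endif`.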
@@ -301,7 +301,7 @@ echo "=== Test 5: Server with valid certificate - expired staple ===" rm -f "${OCSP_RESPONSE_FILE}" # Generate an OCSP response which expires in 2 days and use it after -# a month. +# a month. gnutls server doesn't send such a staple to clients. ${VALGRIND} ${OCSPTOOL} --generate-request --load-issuer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --load-cert "${SERVER_CERT_FILE}" --outfile "${OCSP_REQ_FILE}" datefudge -s ${EXP_OCSP_DATE} \ ${OPENSSL} ocsp -index "${INDEXFILE}" -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" -CA "${srcdir}/ocsp-tests/certs/ca.pem" -reqin "${OCSP_REQ_FILE}" -respout "${OCSP_RESPONSE_FILE}" -ndays 2 @@ -310,12 +310,29 @@ eval "${GETPORT}" # Port for gnutls-serv TLS_SERVER_PORT=$PORT PORT=${TLS_SERVER_PORT} + +TIMEOUT=$(which timeout) +if test -n "$TIMEOUT";then +${TIMEOUT} 30 "${GNUTLS_SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ + --port="${TLS_SERVER_PORT}" \ + --ocsp-response="${OCSP_RESPONSE_FILE}" +if test $? != 1;then + echo "Running gnutls-serv with an expired response, succeeds!" + exit ${rc} +fi +fi + +echo "=== Test 5.1: Server with valid certificate - expired staple (ignoring errors) ===" + launch_bare_server $$ \ datefudge "${TESTDATE}" \ "${GNUTLS_SERV}" --echo --disable-client-cert \ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ --x509certfile="${SERVER_CERT_FILE}" \ --port="${TLS_SERVER_PORT}" \ + --ignore-ocsp-response-errors \ --ocsp-response="${OCSP_RESPONSE_FILE}" TLS_SERVER_PID="${!}" wait_server $TLS_SERVER_PID 
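Review bot: The failure branch of the new expired-staple check does not actually fail the script: it runs `exit ${rc}`, but no `rc` is assigned in this hunk, and with `rc` unset `exit` takes the status of the preceding `echo`, i.e. success. Unless `rc` is set earlier in the script (outside this hunk), the line should read `exit 1`. Separately, `test $? != 1` pins the expected status to gnutls-serv's own exit code of 1 and so also fires on a `timeout` kill (status 124), which is a different failure; a comment such as `# gnutls-serv must refuse to start with an expired response (exit status 1)` would make the intent explicit. When `timeout` is missing the whole negative check is silently skipped, so echoing a notice in that case would keep the omission visible in the test log.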
@@ -359,7 +376,7 @@ launch_bare_server $$ \ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ --x509certfile="${SERVER_CERT_FILE}" \ --port="${TLS_SERVER_PORT}" \ - --ocsp-response="${OCSP_RESPONSE_FILE}" + --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors TLS_SERVER_PID="${!}" wait_server $TLS_SERVER_PID diff --git a/tests/set_x509_key_file_ocsp.c b/tests/set_x509_key_file_ocsp.c index 99be433b14..d668550932 100644 --- a/tests/set_x509_key_file_ocsp.c +++ b/tests/set_x509_key_file_ocsp.c 
@@ -47,10 +47,212 @@ static time_t mytime(time_t * t) return then; } -#define RESP1 "\x30\x82\x06\x8C\x0A\x01\x00\xA0\x82\x06\x85\x30\x82\x06\x81\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01\x04\x82\x06\x72\x30\x82\x06\x6E\x30\x82\x01\x07\xA1\x69\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x4F\x43\x53\x50\x20\x53\x69\x67\x6E\x69\x6E\x67\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x34\x32\x38\x5A\x30\x64\x30\x62\x30\x3A\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x04\x14\x13\x9D\xA0\x9E\xF4\x32\xAB\x8F\xE2\x89\x56\x67\xFA\xD0\xD4\xE3\x35\x86\x71\xB9\x04\x14\x5D\xA7\xDD\x70\x06\x51\x32\x7E\xE7\xB6\x6D\xB3\xB5\xE5\xE0\x60\xEA\x2E\x4D\xEF\x02\x01\x1D\x80\x00\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x34\x32\x38\x5A\xA0\x11\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x39\x32\x38\x5A\xA1\x23\x30\x21\x30\x1F\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x02\x04\x12\x04\x10\x16\x89\x7D\x91\x3A\xB5\x25\xA4\x45\xFE\xC9\xFD\xC2\xE5\x08\xA4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4E\xAD\x6B\x2B\xF7\xF2\xBF\xA9\x23\x1E\x3A\x0B\x06\xDB\x55\x53\x2B\x64\x54\x11\x32\xBF\x60\xF7\x4F\xE0\x8E\x9B\xA0\xA2\x4C\x79\xC3\x2A\xE0\x43\xF7\x40\x1A\xDC\xB9\xB4\x25\xEF\x48\x01\x97\x8C\xF5\x1E\xDB\xD1\x30\x37\x73\x69\xD6\xA7\x7A\x2D\x8E\xDE\x5C\xAA\xEA\x39\xB9\x52\xAA\x25\x1E\x74\x7D\xF9\x78\x95\x8A\x92\x1F\x98\x21\xF4\x60\x7F\xD3\x28\xEE\x47\x9C\xBF\xE2\x5D\xF6\x3F\x68\x0A\xD6\xFF\x08\xC1\xDC\x95\x1E\x29\xD7\x3E\x85\xD5\x65\xA4\x4B\xC0\xAF\xC3\x78\xAB\x06\x98\x88\x19\x8A\x64\xA6\x83\x91\x87\x13\xDB\x17\xCC\x46\xBD\xAB\x4E\xC7\x16\xD1\xF8\x35\xFD\x27\xC8\xF6\x6B\xEB\x37\xB8\x08\x6F\xE2\x6F\xB4\x7E\xD5\x68\xDB\x7F\x5
D\x5E\x36\x38\xF2\x77\x59\x13\xE7\x3E\x4D\x67\x5F\xDB\xA2\xF5\x5D\x7C\xBF\xBD\xB5\x37\x33\x51\x36\x63\xF8\x21\x1E\xFC\x73\x8F\x32\x69\xBB\x97\xA7\xBD\xF1\xB6\xE0\x40\x09\x68\xEA\xD5\x93\xB8\xBB\x39\x8D\xA8\x16\x1B\xBF\x04\x7A\xBC\x18\x43\x01\xE9\x3C\x19\x5C\x4D\x4B\x98\xD8\x23\x37\x39\xA4\xC4\xDD\xED\x9C\xEC\x37\xAB\x66\x44\x9B\xE7\x5B\x5D\x32\xA2\xDB\xA6\x0B\x3B\x8C\xE1\xF5\xDB\xCB\x7D\x58\xA0\x82\x04\x4B\x30\x82\x04\x47\x30\x82\x04\x43\x30\x82\x03\x2B\xA0\x03\x02\x01\x02\x02\x01\x1E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x39\x31\x31\x32\x34\x31\x32\x35\x31\x35\x33\x5A\x17\x0D\x31\x34\x31\x31\x32\x33\x31\x32\x35\x31\x35\x33\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x4F\x43\x53\x50\x20\x53\x69\x67\x6E\x69\x6E\x67\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBC\x05\x3E\x4B\xBE\xC6\xB1\x33\x48\x0E\xC3\xD4\x0C\xEF\x83\x0B\xBD\xBC\x57\x5F\x14\xEF\xF5\x6D\x0B\xFF\xFA\x01\x9C\xFA\x21\x6D\x5C\xAE\x79\x29\x74\xFE\xBD\xAB\x70\x87\x98\x6B\x48\x35\x79\xE3\xE0\xC1\x14\x41\x1F\x0A\xF7\xE7\xA3\xA6\xDA\x6B\xFF\xCD\x74\xE9\x95\x00\x38\xAA\xD6\x3A\x60\xC6\x64\xA1\xE6\x02\x39\x58\x4E\xFD\xF2\x78\x08\x63\xB6\xD7\x7A\x96\x79\x62\x18\x39\xEE\x27\x8D\x3B\xA2\x3D\x48\x88\xDB\x43\xD6\x6A\x77\x20\x6A\x27\x39\x50\xE0\x02\x50\x19\xF2\x7A\xCF\x78\x23\x99\x01\xD
4\xE5\xB1\xD1\x31\xE6\x6B\x84\xAF\xD0\x77\x41\x46\x85\xB0\x3B\xE6\x6A\x00\x0F\x3B\x7E\x95\x7F\x59\xA8\x22\xE8\x49\x49\x05\xC8\xCB\x6C\xEE\x47\xA7\x2D\xC9\x74\x5B\xEB\x8C\xD5\x99\xC2\xE2\x70\xDB\xEA\x87\x43\x84\x0E\x4F\x83\x1C\xA6\xEB\x1F\x22\x38\x17\x69\x9B\x72\x12\x95\x48\x71\xB2\x7B\x92\x73\x52\xAB\xE3\x1A\xA5\xD3\xF4\x44\x14\xBA\xC3\x35\xDA\x91\x6C\x7D\xB4\xC2\x00\x07\xD8\x0A\x51\xF1\x0D\x4C\xD9\x7A\xD1\x99\xE6\xA8\x8D\x0A\x80\xA8\x91\xDD\x8A\xA2\x6B\xF6\xDB\xB0\x3E\xC9\x71\xA9\xE0\x39\xC3\xA3\x58\x0D\x87\xD0\xB2\xA7\x9C\xB7\x69\x02\x03\x01\x00\x01\xA3\x82\x01\x1A\x30\x82\x01\x16\x30\x09\x06\x03\x55\x1D\x13\x04\x02\x30\x00\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x03\xA8\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x34\x91\x6E\x91\x32\xBF\x35\x25\x43\xCC\x28\x74\xEF\x82\xC2\x57\x92\x79\x13\x73\x30\x6D\x06\x03\x55\x1D\x23\x04\x66\x30\x64\x80\x14\x5D\xA7\xDD\x70\x06\x51\x32\x7E\xE7\xB6\x6D\xB3\xB5\xE5\xE0\x60\xEA\x2E\x4D\xEF\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x82\x01\x00\x30\x1E\x06\x03\x55\x1D\x11\x04\x17\x30\x15\x82\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x30\x13\x06\x03\x55\x1D\x25\x04\x0C\x30\x0A\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x09\x30\x39\x06\x03\x55\x1D\x1F\x04\x32\x30\x30\x30\x2E\xA0\x2C\xA0\x2A\x86\x28\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x2F\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x6D\x78\xD7\x66\x90\xA6\xEB\xDD\xB5\x09\x48\xA4\xDA\x27\xFA\xAC\xB1\xBC\x8F\x8C\xBE\xCC\x8C\x09\xA2\x40\x0D\x6C\x4A\xAE\x72\x22\x1E\xC8\xAF\x6D\xF1\x12\xAF\xD7\x40\x51\x79\xD4\xDD\xB2\x0C\xDB\x97\x84\xB6\x24\xD5\xF5\xA
8\xBB\xC0\x4B\xF9\x7F\x71\xF7\xB0\x65\x42\x4A\x7D\xFE\x76\x7E\x05\xD2\x46\xB8\x7D\xB3\x39\x4C\x5C\xB1\xFA\xB9\xEE\x3B\x70\x33\x39\x57\x1A\xB9\x95\x51\x33\x00\x25\x1B\x4C\xAA\xB4\xA7\x55\xAF\x63\x6D\x6F\x88\x17\x6A\x7F\xB0\x97\xDE\x49\x14\x6A\x27\x6A\xB0\x42\x80\xD6\xA6\x9B\xEF\x04\x5E\x11\x7D\xD5\x8E\x54\x20\xA2\x76\xD4\x66\x58\xAC\x9C\x12\xD3\xF5\xCA\x54\x98\xCA\x21\xEC\xC1\x55\xA1\x2F\x68\x0B\x5D\x04\x50\xD2\x5E\x70\x25\xD8\x13\xD9\x44\x51\x0E\x8A\x42\x08\x18\x84\xE6\x61\xCE\x5A\x7D\x7B\x81\x35\x90\xC3\xD4\x9D\x19\xB6\x37\xEE\x8F\x63\x5C\xDA\xD8\xF0\x64\x60\x39\xEB\x9B\x1C\x54\x66\x75\x76\xB5\x0A\x58\xB9\x3F\x91\xE1\x21\x9C\xA0\x50\x15\x97\xB6\x7E\x41\xBC\xD0\xC4\x21\x4C\xF5\xD7\xF0\x13\xF8\x77\xE9\x74\xC4\x8A\x0E\x20\x17\x32\xAE\x38\xC2\xA5\xA8\x62\x85\x17\xB1\xA2\xD3\x22\x9F\x95\xB7\xA3\x4C" +static const unsigned char _resp[] = { +0x30, 0x82, 0x06, 0x45, 0x0A, 0x01, 0x00, 0xA0, +0x82, 0x06, 0x3E, 0x30, 0x82, 0x06, 0x3A, 0x06, +0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, +0x01, 0x01, 0x04, 0x82, 0x06, 0x2B, 0x30, 0x82, +0x06, 0x27, 0x30, 0x81, 0x9E, 0xA2, 0x16, 0x04, +0x14, 0x1E, 0xA5, 0xBD, 0xCA, 0x59, 0x64, 0x55, +0x85, 0xAC, 0xDA, 0x54, 0x34, 0x23, 0x40, 0xD1, +0xF6, 0xBD, 0xC3, 0xB0, 0xF6, 0x18, 0x0F, 0x32, +0x30, 0x31, 0x37, 0x31, 0x31, 0x31, 0x39, 0x30, +0x39, 0x34, 0x33, 0x34, 0x37, 0x5A, 0x30, 0x73, +0x30, 0x71, 0x30, 0x49, 0x30, 0x09, 0x06, 0x05, +0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, +0x14, 0xD1, 0xB1, 0x64, 0x8B, 0x8C, 0x9F, 0x0D, +0xD1, 0x6B, 0xA3, 0x8A, 0xCD, 0x2B, 0x50, 0x17, +0xD5, 0xF9, 0xCF, 0xC0, 0x64, 0x04, 0x14, 0x5F, +0x60, 0xCF, 0x61, 0x90, 0x55, 0xDF, 0x84, 0x43, +0x14, 0x8A, 0x60, 0x2A, 0xB2, 0xF5, 0x7A, 0xF4, +0x43, 0x18, 0xEF, 0x02, 0x10, 0x28, 0x2E, 0x96, +0xB3, 0x6B, 0x76, 0xD6, 0xD8, 0x52, 0x46, 0xED, +0xBB, 0x31, 0xB2, 0x0C, 0x98, 0x80, 0x00, 0x18, +0x0F, 0x32, 0x30, 0x31, 0x37, 0x31, 0x31, 0x31, +0x39, 0x30, 0x39, 0x34, 0x33, 0x34, 0x37, 0x5A, +0xA0, 0x11, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, +0x31, 0x31, 0x32, 0x36, 
0x30, 0x39, 0x34, 0x33, +0x34, 0x37, 0x5A, 0x30, 0x0D, 0x06, 0x09, 0x2A, +0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, +0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x54, +0x66, 0x9D, 0x96, 0x6B, 0x9D, 0x71, 0x18, 0x86, +0x90, 0x5D, 0xD9, 0x54, 0x9C, 0xC4, 0x7F, 0x18, +0x51, 0xE9, 0xFE, 0xF3, 0xE6, 0x48, 0x60, 0x89, +0x74, 0xFD, 0xF1, 0x6D, 0xDB, 0x1F, 0x5A, 0x28, +0x3D, 0x16, 0xEA, 0xA6, 0xD6, 0xE0, 0xAA, 0x42, +0xF9, 0x5B, 0x76, 0xA1, 0x59, 0xDA, 0x30, 0x8D, +0x08, 0x18, 0xDD, 0x60, 0x39, 0x0B, 0x90, 0x64, +0x11, 0x1E, 0x9D, 0xA2, 0x70, 0x18, 0xAD, 0xC6, +0x27, 0xD3, 0xF1, 0xBA, 0x11, 0x4E, 0xF6, 0x9D, +0x6C, 0xC5, 0xEB, 0xD6, 0xB7, 0x43, 0x9D, 0x32, +0x31, 0xC9, 0x24, 0x19, 0xB9, 0x47, 0x1C, 0x61, +0x09, 0x8F, 0xAA, 0x42, 0x5B, 0xAF, 0x66, 0x0F, +0x23, 0xAA, 0x80, 0xC0, 0x85, 0x7F, 0x00, 0x08, +0xCA, 0x30, 0xE4, 0xC8, 0xDA, 0x2F, 0xC4, 0xD2, +0x7E, 0x86, 0xCC, 0xDA, 0x6D, 0xD4, 0x7E, 0x40, +0x66, 0xD8, 0x5C, 0x27, 0x83, 0xDA, 0x10, 0x8F, +0x91, 0xA8, 0xE6, 0x9D, 0x44, 0x13, 0xF1, 0x04, +0x4E, 0xC9, 0xF9, 0xC8, 0xA2, 0xED, 0x9C, 0x9F, +0x05, 0xDA, 0xFA, 0x4A, 0xEA, 0xD2, 0x72, 0xF9, +0xF1, 0xF6, 0xDB, 0xFF, 0xF8, 0x55, 0x0E, 0x92, +0x75, 0xD6, 0x83, 0xBC, 0x7A, 0x95, 0xBE, 0xBF, +0x8D, 0xD5, 0xA3, 0x23, 0x02, 0x32, 0xF8, 0x60, +0xF7, 0x7C, 0x46, 0xC6, 0x69, 0x7E, 0xB7, 0x23, +0xE1, 0x36, 0xC2, 0xEE, 0xBD, 0xFF, 0x3C, 0x05, +0x5E, 0x07, 0x0C, 0xA6, 0x64, 0x65, 0x82, 0x46, +0xC9, 0x67, 0x73, 0xC9, 0x15, 0xC8, 0xFA, 0x0F, +0x73, 0xB5, 0x48, 0x0F, 0x0E, 0x6F, 0x43, 0xE8, +0x8D, 0x7A, 0x21, 0x88, 0x12, 0x08, 0x37, 0x18, +0x67, 0x66, 0x05, 0xD1, 0x2C, 0x4D, 0xE8, 0xA6, +0x1B, 0x4D, 0x29, 0xD4, 0xEF, 0x79, 0x83, 0xDB, +0xCA, 0x6E, 0xBC, 0xE4, 0xCA, 0x50, 0xB0, 0x73, +0xEF, 0xD6, 0xC7, 0x69, 0xF6, 0x16, 0x1E, 0xA0, +0x82, 0x04, 0x6E, 0x30, 0x82, 0x04, 0x6A, 0x30, +0x82, 0x04, 0x66, 0x30, 0x82, 0x03, 0x4E, 0xA0, +0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x6F, 0x93, +0x87, 0x5C, 0x4B, 0x9E, 0x94, 0x93, 0xF8, 0x5F, +0x16, 0xA7, 0x05, 0x86, 0x82, 0x8C, 0x30, 0x0D, +0x06, 0x09, 
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, +0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x7E, 0x31, +0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, +0x13, 0x02, 0x55, 0x53, 0x31, 0x1D, 0x30, 0x1B, +0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x14, 0x53, +0x79, 0x6D, 0x61, 0x6E, 0x74, 0x65, 0x63, 0x20, +0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, +0x69, 0x6F, 0x6E, 0x31, 0x1F, 0x30, 0x1D, 0x06, +0x03, 0x55, 0x04, 0x0B, 0x13, 0x16, 0x53, 0x79, +0x6D, 0x61, 0x6E, 0x74, 0x65, 0x63, 0x20, 0x54, +0x72, 0x75, 0x73, 0x74, 0x20, 0x4E, 0x65, 0x74, +0x77, 0x6F, 0x72, 0x6B, 0x31, 0x2F, 0x30, 0x2D, +0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x26, 0x53, +0x79, 0x6D, 0x61, 0x6E, 0x74, 0x65, 0x63, 0x20, +0x43, 0x6C, 0x61, 0x73, 0x73, 0x20, 0x33, 0x20, +0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x53, +0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x41, +0x20, 0x2D, 0x20, 0x47, 0x34, 0x30, 0x1E, 0x17, +0x0D, 0x31, 0x37, 0x31, 0x30, 0x31, 0x30, 0x30, +0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x17, 0x0D, +0x31, 0x38, 0x30, 0x31, 0x30, 0x38, 0x32, 0x33, +0x35, 0x39, 0x35, 0x39, 0x5A, 0x30, 0x40, 0x31, +0x3E, 0x30, 0x3C, 0x06, 0x03, 0x55, 0x04, 0x03, +0x13, 0x35, 0x53, 0x79, 0x6D, 0x61, 0x6E, 0x74, +0x65, 0x63, 0x20, 0x43, 0x6C, 0x61, 0x73, 0x73, +0x20, 0x33, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, +0x65, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, +0x20, 0x43, 0x41, 0x20, 0x2D, 0x20, 0x47, 0x34, +0x20, 0x4F, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, +0x73, 0x70, 0x6F, 0x6E, 0x64, 0x65, 0x72, 0x30, +0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, +0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, +0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, +0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, +0xBA, 0xB1, 0x3E, 0xBD, 0xF0, 0x1E, 0x19, 0x16, +0xEA, 0x20, 0x44, 0x73, 0x1F, 0xD8, 0x85, 0x17, +0xC4, 0xBF, 0x86, 0xF0, 0x75, 0x46, 0x02, 0xA8, +0x5B, 0x7F, 0xA8, 0xF8, 0xB2, 0x08, 0x08, 0x55, +0x01, 0xDD, 0x5B, 0xA4, 0x0B, 0xBD, 0x8A, 0x0A, +0x87, 0x90, 0x62, 0x21, 0x59, 0x67, 0x33, 0x36, +0x77, 0x49, 0xAB, 0x69, 0x4B, 0xDB, 0xB8, 0xFC, 
+0x27, 0xA9, 0x81, 0x4A, 0x1F, 0x5F, 0x7D, 0x5C, +0xC2, 0xE6, 0x54, 0x12, 0xFB, 0xA7, 0xEB, 0x9F, +0xB5, 0xAC, 0x05, 0xBE, 0xA9, 0x58, 0xAA, 0x49, +0x32, 0xEE, 0x73, 0xE8, 0x2F, 0xB1, 0xD3, 0x2E, +0x13, 0xBC, 0x26, 0x23, 0xA0, 0x82, 0xD4, 0x25, +0x20, 0x34, 0xAE, 0x16, 0x48, 0xFB, 0x55, 0x2B, +0x58, 0xC9, 0xC4, 0x84, 0xAC, 0xF7, 0xC4, 0x78, +0x62, 0xB7, 0xBF, 0xA2, 0x32, 0xC7, 0x34, 0x1C, +0xDF, 0x9E, 0xFE, 0xA8, 0x04, 0x85, 0xAF, 0xCB, +0x5A, 0xD6, 0xC6, 0x68, 0x9F, 0x28, 0x03, 0xB7, +0x98, 0x8E, 0xD4, 0xA5, 0xE1, 0x18, 0xD1, 0x64, +0x79, 0x67, 0x04, 0x33, 0x6C, 0x4B, 0xE0, 0xCF, +0x34, 0xFC, 0x81, 0x27, 0x98, 0x16, 0xBB, 0xA3, +0x9F, 0xE1, 0x4D, 0x2B, 0x71, 0x21, 0x41, 0x90, +0xFF, 0x20, 0xB8, 0x4A, 0xCF, 0xB2, 0x2D, 0xB1, +0xF8, 0x89, 0x40, 0xBC, 0xB3, 0x9F, 0x94, 0x1C, +0xF4, 0x68, 0xEA, 0x7B, 0x31, 0x29, 0xDA, 0x71, +0xCC, 0x37, 0x9A, 0xF9, 0x36, 0x0B, 0x58, 0x11, +0x6F, 0x28, 0x14, 0x6F, 0xAF, 0x57, 0x6B, 0xD7, +0xBD, 0x36, 0x98, 0xF4, 0x6C, 0x84, 0xF8, 0x48, +0xF1, 0xBF, 0x88, 0xEB, 0x5C, 0x06, 0x8B, 0x02, +0xF1, 0xDF, 0x6A, 0xFD, 0x61, 0xCF, 0x05, 0x5E, +0xB5, 0x99, 0x85, 0x31, 0x41, 0x1D, 0xE5, 0x67, +0x5C, 0x83, 0xA2, 0xBA, 0x9C, 0x9C, 0x37, 0x44, +0xEF, 0xBC, 0x0E, 0xDE, 0xBF, 0x91, 0x5B, 0x1F, +0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, +0x1C, 0x30, 0x82, 0x01, 0x18, 0x30, 0x0F, 0x06, +0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, +0x01, 0x05, 0x04, 0x02, 0x05, 0x00, 0x30, 0x22, +0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x1B, 0x30, +0x19, 0xA4, 0x17, 0x30, 0x15, 0x31, 0x13, 0x30, +0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A, +0x54, 0x47, 0x56, 0x2D, 0x45, 0x2D, 0x33, 0x32, +0x35, 0x36, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, +0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x5F, +0x60, 0xCF, 0x61, 0x90, 0x55, 0xDF, 0x84, 0x43, +0x14, 0x8A, 0x60, 0x2A, 0xB2, 0xF5, 0x7A, 0xF4, +0x43, 0x18, 0xEF, 0x30, 0x1D, 0x06, 0x03, 0x55, +0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x1E, 0xA5, +0xBD, 0xCA, 0x59, 0x64, 0x55, 0x85, 0xAC, 0xDA, +0x54, 0x34, 0x23, 0x40, 0xD1, 0xF6, 
0xBD, 0xC3, +0xB0, 0xF6, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, +0x13, 0x01, 0x01, 0xFF, 0x04, 0x02, 0x30, 0x00, +0x30, 0x6E, 0x06, 0x03, 0x55, 0x1D, 0x20, 0x04, +0x67, 0x30, 0x65, 0x30, 0x63, 0x06, 0x0B, 0x60, +0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x07, +0x17, 0x03, 0x30, 0x54, 0x30, 0x26, 0x06, 0x08, +0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, +0x16, 0x1A, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, +0x2F, 0x77, 0x77, 0x77, 0x2E, 0x73, 0x79, 0x6D, +0x61, 0x75, 0x74, 0x68, 0x2E, 0x63, 0x6F, 0x6D, +0x2F, 0x63, 0x70, 0x73, 0x30, 0x2A, 0x06, 0x08, +0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, +0x30, 0x1E, 0x1A, 0x1C, 0x20, 0x20, 0x68, 0x74, +0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, +0x2E, 0x73, 0x79, 0x6D, 0x61, 0x75, 0x74, 0x68, +0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x72, 0x70, 0x61, +0x30, 0x13, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, +0x0C, 0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, +0x05, 0x05, 0x07, 0x03, 0x09, 0x30, 0x0E, 0x06, +0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, +0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x0D, 0x06, +0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, +0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, +0x00, 0x45, 0xFF, 0xCA, 0xD2, 0xAC, 0x71, 0xBE, +0xA5, 0x62, 0x86, 0x93, 0x30, 0xD0, 0xE5, 0xE5, +0x87, 0xFC, 0xAA, 0x29, 0x73, 0x36, 0xD6, 0x66, +0x33, 0xC4, 0xCB, 0xC5, 0x6E, 0xC6, 0x2C, 0x8C, +0x8E, 0xEE, 0x4D, 0xC2, 0xFA, 0xB3, 0xC0, 0xE7, +0x11, 0x02, 0x69, 0x7A, 0xC5, 0x89, 0x28, 0x86, +0x31, 0xD5, 0x14, 0x43, 0x5A, 0x20, 0xB7, 0xBD, +0x1C, 0x0B, 0x1C, 0x3C, 0x84, 0x58, 0xBA, 0x56, +0x14, 0x5B, 0xB8, 0x38, 0x97, 0x18, 0x66, 0xD6, +0x12, 0x51, 0x4B, 0x5A, 0x2D, 0x0D, 0x00, 0xA7, +0xBA, 0x5A, 0xC9, 0x0C, 0x4B, 0x10, 0xDE, 0xF5, +0xAE, 0x56, 0xA5, 0x24, 0xC6, 0x3E, 0x5E, 0xD9, +0xF1, 0x39, 0x76, 0x0C, 0xD7, 0x4A, 0xBF, 0x19, +0x1F, 0x14, 0xA4, 0x18, 0xEC, 0x0F, 0x5D, 0x47, +0x00, 0x75, 0xF0, 0x4E, 0xB3, 0xA1, 0xB4, 0x81, +0x7B, 0x97, 0xAC, 0x0A, 0xA8, 0x5E, 0x92, 0xCC, +0xB0, 0x80, 0x53, 0x66, 0xFF, 0xC6, 0x1B, 0x71, +0xAF, 0xE3, 0x46, 0x55, 
0x9D, 0x26, 0x51, 0x97, +0xB0, 0x66, 0x9D, 0x06, 0x70, 0xC5, 0x04, 0x78, +0xBC, 0x99, 0x42, 0xBA, 0x77, 0x82, 0x0E, 0xE8, +0x92, 0x18, 0x4A, 0x72, 0x92, 0x13, 0x25, 0x7F, +0x40, 0x15, 0xF7, 0xA8, 0x07, 0xA2, 0xAD, 0x03, +0xBA, 0x1C, 0xF2, 0x93, 0xBE, 0x14, 0x72, 0x69, +0x2B, 0x85, 0xAC, 0x2E, 0x2C, 0xBF, 0x1C, 0xC6, +0x6C, 0x91, 0xF3, 0x2F, 0xF0, 0xB0, 0x8A, 0xC3, +0xB8, 0xAC, 0x9B, 0xD1, 0xA1, 0x4C, 0xB7, 0x34, +0xCA, 0xC6, 0x90, 0x15, 0xA7, 0x39, 0xB4, 0xF1, +0xED, 0x54, 0x53, 0x5C, 0x29, 0x6F, 0xCE, 0x97, +0x3E, 0x72, 0x79, 0x24, 0xEA, 0xC8, 0x87, 0x21, +0x5F, 0x40, 0xBF, 0x53, 0x37, 0x8E, 0xCA, 0x0B, +0x44, 0xD0, 0x4B, 0x6E, 0xAD, 0x94, 0xFB, 0x0F, +0x33, 0xFE, 0x86, 0xDF, 0x4C, 0xE9, 0x94, 0xBB, +0x3F }; static gnutls_datum_t ocsp_resp1 = - { (unsigned char *) RESP1, sizeof(RESP1) - 1 }; + { (unsigned char *) _resp, sizeof(_resp) }; static void check_response(gnutls_session_t session, void *priv) { @@ -82,6 +284,7 @@ void doit(void) const char *certfile; const char *ocspfile1; char certname[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE]; + time_t t; FILE *fp; global_init(); 
@@ -112,18 +315,33 @@ void doit(void) assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); fclose(fp); + gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK); + /* set OCSP response */ ocspfile1 = get_tmpname(ocspname1); - ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, 0); - if (ret < 0) - fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); - fp = fopen(ocspfile1, "wb"); if (fp == NULL) fail("error in fopen\n"); assert(fwrite(ocsp_resp1.data, 1, ocsp_resp1.size, fp)>0); fclose(fp); + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, 0); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 0, 0); + if (t != 1511689427) + fail("error in OCSP validity time: %ld\n", (long int)t); + + t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 1, 0); + if (t != -1) + fail("error in OCSP validity time: %ld\n", (long int)t); + + t = gnutls_certificate_get_ocsp_expiration(xcred, 0, -1, 0); + if (t != 1511689427) + fail("error in OCSP validity time: %ld\n", (long int)t); + + /* make sure that our invalid OCSP responses are not considered in verification */ gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS); @@ -135,7 +353,9 @@ void doit(void) fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); } - test_cli_serv(xcred, clicred, "NORMAL", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */ + test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */ + + test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */ gnutls_certificate_free_credentials(xcred); gnutls_certificate_free_credentials(clicred); 
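Review bot: The literal `1511689427` appears three times with no hint of where it comes from; it is the nextUpdate of `_resp` (20171126094347Z, i.e. 2017-11-26 09:43:47 UTC), so a named constant keeps the check readable and tied to the blob: `#define RESP_NEXT_UPDATE 1511689427 /* nextUpdate of _resp: 2017-11-26T09:43:47Z */`. The new `gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK)` line is the one that makes a non-matching response loadable at all (set_x509_ocsp_multi_invalid.c shows the call otherwise returning GNUTLS_E_OCSP_MISMATCH_WITH_CERTS), so it deserves a why-comment such as `/* _resp belongs to an unrelated cert; skip the cert/response match so it can be staped for the stapling test */`. The expiration query for cert index 1 expects -1; a short comment that the credential holds a single certificate would explain that expected value rather than leaving it to look like an error path.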
diff --git a/tests/set_x509_key_file_ocsp_multi2.c b/tests/set_x509_key_file_ocsp_multi2.c index 10c1b81a6f..b8dd927009 100644 --- a/tests/set_x509_key_file_ocsp_multi2.c +++ b/tests/set_x509_key_file_ocsp_multi2.c @@ -219,9 +219,19 @@ void doit(void) fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); } - test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA", "localhost", &ocsp_resp1, check_response, NULL); - test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA", "localhost6", &ocsp_resp2, check_response, NULL); - test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-RSA:-RSA:-DHE-RSA", NULL, &ocsp_resp3, check_response, NULL); + success("TLS1.2 + resp1\n"); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_resp1, check_response, NULL); + success("TLS1.2 + resp2\n"); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost6", &ocsp_resp2, check_response, NULL); + success("TLS1.2 + resp3\n"); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-RSA:-RSA:-DHE-RSA:-VERS-TLS-ALL:+VERS-TLS1.2", NULL, &ocsp_resp3, check_response, NULL); + + success("TLS1.3 + resp1\n"); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_resp1, check_response, NULL); + success("TLS1.3 + resp2\n"); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost6", &ocsp_resp2, check_response, NULL); + success("TLS1.3 + resp3\n"); + test_cli_serv(xcred, clicred, "NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:-ECDHE-RSA:-RSA:-DHE-RSA:-VERS-TLS-ALL:+VERS-TLS1.3", NULL, &ocsp_resp3, check_response, NULL); gnutls_certificate_free_credentials(xcred); gnutls_certificate_free_credentials(clicred); diff --git a/tests/set_x509_key_file_ocsp_multi.c b/tests/set_x509_ocsp_multi_invalid.c index b2847055e0..8afa910833 100644 --- a/tests/set_x509_key_file_ocsp_multi.c +++ b/tests/set_x509_ocsp_multi_invalid.c 
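Review bot: The TLS1.3 resp3 case steers the server to the ECDSA certificate through `-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256`, whereas the TLS1.2 case relies on removing the RSA key exchanges, and nothing says why the two priority strings differ. A comment on the TLS1.3 line, e.g. `/* TLS1.3 ciphersuites carry no key-exchange/auth split; restrict signature algorithms to force the ECDSA cert */`, would stop a reader from assuming the `-ECDHE-RSA:-RSA:-DHE-RSA` removals are still doing the work there. Whether those removals are needed in the TLS1.3 string at all is hedged, since how test_cli_serv applies the priority to the server side is not visible here.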
@@ -15,9 +15,8 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with GnuTLS; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/> */ #ifdef HAVE_CONFIG_H 
@@ -181,40 +180,46 @@ void doit(void) /* set OCSP response1 */ ocspfile1 = get_tmpname(ocspname1); - ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, index1); - if (ret < 0) - fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); - fp = fopen(ocspfile1, "wb"); if (fp == NULL) fail("error in fopen\n"); assert(fwrite(ocsp_resp1.data, 1, ocsp_resp1.size, fp)>0); fclose(fp); - /* set OCSP response2 */ - ocspfile2 = get_tmpname(ocspname2); - ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile2, index2); + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, index1); + if (ret != GNUTLS_E_OCSP_MISMATCH_WITH_CERTS) + fail("unexpected error in setting invalid ocsp file: %s\n", gnutls_strerror(ret)); + + gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2|GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK); + + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, index1); if (ret < 0) fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + /* set OCSP response2 */ + ocspfile2 = get_tmpname(ocspname2); fp = fopen(ocspfile2, "wb"); if (fp == NULL) fail("error in fopen\n"); assert(fwrite(ocsp_resp2.data, 1, ocsp_resp2.size, fp)>0); fclose(fp); - /* set OCSP response3 */ - ocspfile3 = get_tmpname(ocspname3); - ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index3); + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile2, index2); if (ret < 0) fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + /* set OCSP response3 */ + ocspfile3 = get_tmpname(ocspname3); fp = fopen(ocspfile3, "wb"); if (fp == NULL) fail("error in fopen\n"); assert(fwrite(ocsp_resp3.data, 1, ocsp_resp3.size, fp)>0); fclose(fp); + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index3); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + /* set an OCSP response outside the bounds */ 
assert(gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, 34) == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); @@ -229,9 +234,13 @@ void doit(void) fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); } - test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA", "localhost", &ocsp_resp1, check_response, NULL); - test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA", "localhost6", &ocsp_resp2, check_response, NULL); - test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-RSA:-RSA:-DHE-RSA", NULL, &ocsp_resp3, check_response, NULL); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_resp1, check_response, NULL); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost6", &ocsp_resp2, check_response, NULL); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-RSA:-RSA:-DHE-RSA:-VERS-TLS-ALL:+VERS-TLS1.2", NULL, &ocsp_resp3, check_response, NULL); + + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_resp1, check_response, NULL); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost6", &ocsp_resp2, check_response, NULL); + test_cli_serv(xcred, clicred, "NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:-ECDHE-RSA:-DHE-RSA:-RSA:-VERS-TLS-ALL:+VERS-TLS1.3", NULL, &ocsp_resp3, check_response, NULL); gnutls_certificate_free_credentials(xcred); gnutls_certificate_free_credentials(clicred); diff --git a/tests/set_x509_ocsp_multi_pem.c b/tests/set_x509_ocsp_multi_pem.c new file mode 100644 index 0000000000..5b72a28a6c --- /dev/null +++ b/tests/set_x509_ocsp_multi_pem.c 
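Review bot: The mismatch path is only exercised for the first response: after `gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2|GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK)` responses 2 and 3 are loaded with the check disabled, so a regression that stops reporting GNUTLS_E_OCSP_MISMATCH_WITH_CERTS for a later index would go unnoticed; asserting the mismatch on ocspfile2 before enabling the skip flag would close that gap at the cost of two lines. The flags call also repeats GNUTLS_CERTIFICATE_API_V2, which only makes sense if set_flags replaces the flag set rather than OR-ing into it; if that is the case, a comment such as `/* set_flags replaces the flag set: keep API_V2 or the index-based API below breaks */` would keep someone from "simplifying" it away. doit() starts before this hunk, so where API_V2 was first set is not visible here.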
@@ -0,0 +1,190 @@ +/* + * Copyright (C) 2016-2017 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/> + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <assert.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> + +#ifdef ENABLE_OCSP + +#include "cert-common.h" +#include "ocsp-common.h" +#include "utils.h" + +/* Tests whether setting an OCSP response to a server with multiple + * certificate sets, is working as expected */ + +static time_t mytime(time_t * t) +{ + time_t then = OCSP_RESP_DATE; + if (t) + *t = then; + + return then; +} + +static void check_response(gnutls_session_t session, void *priv) +{ + int ret; + gnutls_datum_t resp; + gnutls_datum_t *exp_resp = priv; + + ret = gnutls_ocsp_status_request_get(session, &resp); + if (ret < 0) { + if (priv == NULL) + return; + fail("no response was received\n"); + } + + if (priv == NULL) { + fail("not expected response, but received one\n"); + } + + if (resp.size != exp_resp->size || memcmp(resp.data, exp_resp->data, resp.size) != 0) { + fail("did not receive the expected response\n"); + } + + /* Check intermediate response */ + if (gnutls_protocol_get_version(session) == GNUTLS_TLS1_3) { + ret = gnutls_ocsp_status_request_get2(session, 1, &resp); + if (ret < 0) { + 
fail("no intermediate response was received\n"); + } + + if (resp.size != ocsp_subca3_unknown.size || memcmp(resp.data, ocsp_subca3_unknown.data, resp.size) != 0) { + fail("did not receive the expected intermediate response\n"); + } + } +} + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "|<%d>| %s", level, str); +} + +void doit(void) +{ + int ret; + gnutls_certificate_credentials_t xcred; + gnutls_certificate_credentials_t clicred; + const char *certfile1; + const char *ocspfile1; + char certname1[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE]; + FILE *fp; + unsigned index1; + time_t t; + + global_init(); + gnutls_global_set_time_function(mytime); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + assert(gnutls_certificate_allocate_credentials(&xcred) >= 0); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); + + gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2); + + certfile1 = get_tmpname(certname1); + + /* set cert with localhost name */ + fp = fopen(certfile1, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0); + assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_x509_key_file2(xcred, certfile1, certfile1, + GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); + index1 = ret; + + /* set OCSP response1, include an unrelated OCSP response */ + ocspfile1 = get_tmpname(ocspname1); + fp = fopen(ocspfile1, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(ocsp_subca3_unknown_pem.data, 1, ocsp_subca3_unknown_pem.size, fp)>0); + assert(fwrite(ocsp_ca3_localhost_unknown_pem.data, 1, ocsp_ca3_localhost_unknown_pem.size, fp)>0); + assert(fwrite(ocsp_ca3_localhost6_unknown_pem.data, 1, 
ocsp_ca3_localhost6_unknown_pem.size, fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_ocsp_status_request_file2(xcred, ocspfile1, index1, + GNUTLS_X509_FMT_PEM); + if (ret != GNUTLS_E_OCSP_MISMATCH_WITH_CERTS) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + /* set OCSP response1, include correct responses */ + remove(ocspfile1); + fp = fopen(ocspfile1, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(ocsp_subca3_unknown_pem.data, 1, ocsp_subca3_unknown_pem.size, fp)>0); + assert(fwrite(ocsp_ca3_localhost_unknown_pem.data, 1, ocsp_ca3_localhost_unknown_pem.size, fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_ocsp_status_request_file2(xcred, ocspfile1, index1, + GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); + } + + t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 0, 0); + if (t != 1509625639) + fail("error in OCSP validity time: %ld\n", (long int)t); + + t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 1, 0); + if (t != 1509625639) + fail("error in OCSP validity time: %ld\n", (long int)t); + + t = gnutls_certificate_get_ocsp_expiration(xcred, 0, -1, 0); + if (t != 1509625639) + fail("error in OCSP validity time: %ld\n", (long int)t); + + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_ca3_localhost_unknown, check_response, NULL); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_ca3_localhost_unknown, check_response, NULL); + + gnutls_certificate_free_credentials(xcred); + gnutls_certificate_free_credentials(clicred); + gnutls_global_deinit(); + remove(ocspfile1); + remove(certfile1); +} + +#else +void doit(void) +{ + exit(77); +} +#endif 
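Review bot: The branch that expects GNUTLS_E_OCSP_MISMATCH_WITH_CERTS reports `ocsp file set failed: %s` even when the call unexpectedly succeeded, in which case `ret` is a non-negative index and `gnutls_strerror(ret)` is meaningless; mirroring set_x509_ocsp_multi_invalid.c with `fail("unexpected result setting mismatching ocsp file: %d (%s)\n", ret, gnutls_strerror(ret));` would make a failure here diagnosable. The three `1509625639` comparisons would read better as one named constant with the date it stands for, though the value cannot be checked from this page since the responses live in ocsp-common.h. Lastly the file header licenses it under the GNU General Public License while the closing paragraph refers to the GNU Lesser General Public License; one of the two should be corrected.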
diff --git a/tests/set_x509_ocsp_multi_unknown.c b/tests/set_x509_ocsp_multi_unknown.c new file mode 100644 index 0000000000..b0f62ac668 --- /dev/null +++ b/tests/set_x509_ocsp_multi_unknown.c 
@@ -0,0 +1,237 @@ +/* + * Copyright (C) 2016-2017 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/> + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <assert.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> + +#ifdef ENABLE_OCSP + +#include "cert-common.h" +#include "ocsp-common.h" +#include "utils.h" + +/* Tests whether setting an OCSP response to a server with multiple + * certificate sets, is working as expected */ + +static time_t mytime(time_t * t) +{ + time_t then = OCSP_RESP_DATE; + if (t) + *t = then; + + return then; +} + +static void check_response(gnutls_session_t session, void *priv) +{ + int ret; + gnutls_datum_t resp; + gnutls_datum_t *exp_resp = priv; + + ret = gnutls_ocsp_status_request_get(session, &resp); + if (ret < 0) { + if (priv == NULL) + return; + fail("no response was received\n"); + } + + if (priv == NULL) { + fail("not expected response, but received one\n"); + } + + if (resp.size != exp_resp->size || memcmp(resp.data, exp_resp->data, resp.size) != 0) { + fail("did not receive the expected response\n"); + } + + /* Check intermediate response */ + if (gnutls_protocol_get_version(session) == GNUTLS_TLS1_3) { + ret = gnutls_ocsp_status_request_get2(session, 1, &resp); + if (ret < 0) { + 
fail("no intermediate response was received\n"); + } + + if (resp.size != ocsp_subca3_unknown.size || memcmp(resp.data, ocsp_subca3_unknown.data, resp.size) != 0) { + fail("did not receive the expected intermediate response\n"); + } + } +} + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "|<%d>| %s", level, str); +} + +void doit(void) +{ + int ret; + gnutls_certificate_credentials_t xcred; + gnutls_certificate_credentials_t clicred; + const char *certfile1; + const char *certfile2; + const char *ocspfile1; + const char *ocspfile2; + const char *ocspfile3; + char certname1[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE]; + char certname2[TMPNAME_SIZE], ocspname2[TMPNAME_SIZE]; + char ocspname3[TMPNAME_SIZE]; + FILE *fp; + unsigned index1, index2; /* indexes of certs */ + + global_init(); + gnutls_global_set_time_function(mytime); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + assert(gnutls_certificate_allocate_credentials(&xcred) >= 0); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); + + gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2); + + certfile1 = get_tmpname(certname1); + + /* set cert with localhost name */ + fp = fopen(certfile1, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0); + assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_x509_key_file2(xcred, certfile1, certfile1, + GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); + index1 = ret; + + /* set cert with localhost6 name */ + certfile2 = get_tmpname(certname2); + + fp = fopen(certfile2, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(server_localhost6_ca3_cert_chain_pem, 1, strlen(server_localhost6_ca3_cert_chain_pem), fp)>0); + 
assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_x509_key_file2(xcred, certfile2, certfile2, + GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); + index2 = ret; + + + /* set OCSP response1 */ + ocspfile1 = get_tmpname(ocspname1); + fp = fopen(ocspfile1, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(ocsp_ca3_localhost_unknown.data, 1, ocsp_ca3_localhost_unknown.size, fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, index1); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + /* set OCSP response2 */ + ocspfile2 = get_tmpname(ocspname2); + fp = fopen(ocspfile2, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(ocsp_ca3_localhost6_unknown.data, 1, ocsp_ca3_localhost6_unknown.size, fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile2, index2); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + /* try to set a duplicate OCSP response */ + ocspfile3 = get_tmpname(ocspname3); + fp = fopen(ocspfile3, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(ocsp_ca3_localhost_unknown_sha1.data, 1, ocsp_ca3_localhost_unknown_sha1.size, fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index1); + if (ret != 0) + fail("setting duplicate didn't succeed as expected: %s\n", gnutls_strerror(ret)); + + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index2); + if (ret != GNUTLS_E_OCSP_MISMATCH_WITH_CERTS) + fail("setting invalid didn't fail as expected: %s\n", gnutls_strerror(ret)); + + /* re-set the previous duplicate set for index1 to the expected*/ + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, index1); + if (ret < 0) + fail("ocsp file set failed: 
%s\n", gnutls_strerror(ret)); + + /* set an intermediate CA OCSP response */ + fp = fopen(ocspfile3, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(ocsp_subca3_unknown.data, 1, ocsp_subca3_unknown.size, fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index1); + if (ret < 0) + fail("setting subCA failed: %s\n", gnutls_strerror(ret)); + + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index2); + if (ret < 0) + fail("setting subCA failed: %s\n", gnutls_strerror(ret)); + + + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); + } + + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_ca3_localhost_unknown, check_response, NULL); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost6", &ocsp_ca3_localhost6_unknown, check_response, NULL); + + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_ca3_localhost_unknown, check_response, NULL); + test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost6", &ocsp_ca3_localhost6_unknown, check_response, NULL); + + gnutls_certificate_free_credentials(xcred); + gnutls_certificate_free_credentials(clicred); + gnutls_global_deinit(); + remove(ocspfile1); + remove(ocspfile2); + remove(ocspfile3); + remove(certfile1); + remove(certfile2); +} + +#else +void doit(void) +{ + exit(77); +} +#endif diff --git a/tests/tls13/multi-ocsp.c b/tests/tls13/multi-ocsp.c new file mode 100644 index 0000000000..77a1af7465 --- /dev/null +++ b/tests/tls13/multi-ocsp.c 
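Review bot: `check_response` and `doit` call `memcmp` and `strlen`, but the standard headers at the top of this file are `<stdio.h>`, `<stdlib.h>` and `<assert.h>` only, so the prototypes for those two functions arrive, if at all, through a transitive include; add `#include <string.h>` alongside them. The same omission is in tests/tls13/multi-ocsp.c and tests/tls13/ocsp-client.c in this commit (tests/x509-cert-callback-ocsp.c does include it). A smaller point in `doit`: every `fclose(fp)` after writing a temporary cert or OCSP file ignores its return, so a short write would surface later as a confusing key-file or OCSP parse error rather than at the write; `if (fclose(fp) != 0) fail("error in fclose\n");` would localize it.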
@@ -0,0 +1,211 @@ +/* + * Copyright (C) 2016-2017 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/> + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <assert.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> +#include <assert.h> + +#ifdef ENABLE_OCSP + +#include "ocsp-common.h" +#include "cert-common.h" +#include "utils.h" + +/* Tests whether we can send and receive multiple OCSP responses + * one for each certificate in a chain under TLS 1.3. + */ + +static time_t mytime(time_t * t) +{ + time_t then = 1469186559; + if (t) + *t = then; + + return then; +} + +static const gnutls_datum_t ocsp_resp_localhost[] = { + { (void*)_ocsp_ca3_localhost_unknown, sizeof(_ocsp_ca3_localhost_unknown) }, + { NULL, 0}}; + +static const gnutls_datum_t ocsp_resp_localhost6[] = { + { (void*)_ocsp_ca3_localhost6_unknown, sizeof(_ocsp_ca3_localhost6_unknown) }, + { (void*)_ocsp_subca3_unknown, sizeof(_ocsp_subca3_unknown) }}; + +typedef struct ctx_st { + const char *name; + const gnutls_datum_t *ocsp; + unsigned nocsp; +} ctx_st; + +static ctx_st test_localhost = {"single response", ocsp_resp_localhost, 1}; +static ctx_st test_localhost6 = {"two responses", ocsp_resp_localhost6, 2}; + +#define myfail(fmt, ...) 
\ + fail("%s: "fmt, test->name, ##__VA_ARGS__) + +static void check_response(gnutls_session_t session, void *priv) +{ + int ret; + gnutls_datum_t resp; + ctx_st *test = priv; + unsigned i; + + assert(test != NULL); + + for (i=0;;i++) { + ret = gnutls_ocsp_status_request_get2(session, i, &resp); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + if (ret < 0) { + if (test->ocsp[i].size == 0) + return; + myfail("no response was received\n"); + } + + if (test->ocsp[i].size == 0) { + myfail("not expected response, but received one\n"); + } + + if (resp.size != test->ocsp[i].size) { + myfail("did not receive the expected response size for %d\n", i); + } + + if (memcmp(resp.data, test->ocsp[i].data, resp.size) != 0) { + myfail("did not receive the expected response for %d\n", i); + } + } + + if (i != test->nocsp) { + myfail("The number of OCSP responses received (%d) does not match the expected (%d)\n", i, test->nocsp); + } + +} + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "|<%d>| %s", level, str); +} + +void doit(void) +{ + int ret; + gnutls_certificate_credentials_t xcred; + gnutls_certificate_credentials_t clicred; + const char *certfile1; + const char *certfile2; + char certname1[TMPNAME_SIZE]; + char certname2[TMPNAME_SIZE]; + FILE *fp; + unsigned index1, index2; /* indexes of certs */ + + global_init(); + gnutls_global_set_time_function(mytime); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + assert(gnutls_certificate_allocate_credentials(&xcred) >= 0); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); + + gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2); + + certfile1 = get_tmpname(certname1); + + /* set cert with localhost name */ + fp = fopen(certfile1, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0); + 
assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_x509_key_file2(xcred, certfile1, certfile1, + GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); + index1 = ret; + + certfile2 = get_tmpname(certname2); + + fp = fopen(certfile2, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(server_localhost6_ca3_cert_chain_pem, 1, strlen(server_localhost6_ca3_cert_chain_pem), fp)>0); + assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_x509_key_file2(xcred, certfile2, certfile2, + GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); + index2 = ret; + + + /* set OCSP response1 */ + ret = gnutls_certificate_set_ocsp_status_request_mem(xcred, &test_localhost.ocsp[0], index1, GNUTLS_X509_FMT_DER); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + /* set OCSP response2 */ + ret = gnutls_certificate_set_ocsp_status_request_mem(xcred, &test_localhost6.ocsp[0], index2, GNUTLS_X509_FMT_DER); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + ret = gnutls_certificate_set_ocsp_status_request_mem(xcred, &test_localhost6.ocsp[1], index2, GNUTLS_X509_FMT_DER); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + /* make sure that our invalid OCSP responses are not considered in verification + */ + gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS); + if (gnutls_certificate_get_verify_flags(clicred) != GNUTLS_VERIFY_DISABLE_CRL_CHECKS) + fail("error in gnutls_certificate_set_verify_flags\n"); + + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); + } + + test_cli_serv(xcred, clicred, 
"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &test_localhost, check_response, NULL); + test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost6", &test_localhost6, check_response, NULL); + + gnutls_certificate_free_credentials(xcred); + gnutls_certificate_free_credentials(clicred); + gnutls_global_deinit(); + remove(certfile1); + remove(certfile2); +} + +#else +void doit(void) +{ + exit(77); +} +#endif diff --git a/tests/tls13/ocsp-client.c b/tests/tls13/ocsp-client.c new file mode 100644 index 0000000000..57ad803292 --- /dev/null +++ b/tests/tls13/ocsp-client.c 
@@ -0,0 +1,221 @@ +/* + * Copyright (C) 2016-2017 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/> + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <assert.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> +#include <assert.h> + +#ifdef ENABLE_OCSP + +#include "cert-common.h" +#include "utils.h" + +/* Tests whether we can send and receive multiple OCSP responses + * one for each certificate in a chain under TLS 1.3. 
+ */ + +static time_t mytime(time_t * t) +{ + time_t then = 1469186559; + if (t) + *t = then; + + return then; +} + +#define RESP1 "\x30\x82\x06\x8C\x0A\x01\x00\xA0\x82\x06\x85\x30\x82\x06\x81\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01\x04\x82\x06\x72\x30\x82\x06\x6E\x30\x82\x01\x07\xA1\x69\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x4F\x43\x53\x50\x20\x53\x69\x67\x6E\x69\x6E\x67\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x34\x32\x38\x5A\x30\x64\x30\x62\x30\x3A\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x04\x14\x13\x9D\xA0\x9E\xF4\x32\xAB\x8F\xE2\x89\x56\x67\xFA\xD0\xD4\xE3\x35\x86\x71\xB9\x04\x14\x5D\xA7\xDD\x70\x06\x51\x32\x7E\xE7\xB6\x6D\xB3\xB5\xE5\xE0\x60\xEA\x2E\x4D\xEF\x02\x01\x1D\x80\x00\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x34\x32\x38\x5A\xA0\x11\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x39\x32\x38\x5A\xA1\x23\x30\x21\x30\x1F\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x02\x04\x12\x04\x10\x16\x89\x7D\x91\x3A\xB5\x25\xA4\x45\xFE\xC9\xFD\xC2\xE5\x08\xA4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4E\xAD\x6B\x2B\xF7\xF2\xBF\xA9\x23\x1E\x3A\x0B\x06\xDB\x55\x53\x2B\x64\x54\x11\x32\xBF\x60\xF7\x4F\xE0\x8E\x9B\xA0\xA2\x4C\x79\xC3\x2A\xE0\x43\xF7\x40\x1A\xDC\xB9\xB4\x25\xEF\x48\x01\x97\x8C\xF5\x1E\xDB\xD1\x30\x37\x73\x69\xD6\xA7\x7A\x2D\x8E\xDE\x5C\xAA\xEA\x39\xB9\x52\xAA\x25\x1E\x74\x7D\xF9\x78\x95\x8A\x92\x1F\x98\x21\xF4\x60\x7F\xD3\x28\xEE\x47\x9C\xBF\xE2\x5D\xF6\x3F\x68\x0A\xD6\xFF\x08\xC1\xDC\x95\x1E\x29\xD7\x3E\x85\xD5\x65\xA4\x4B\xC0\xAF\xC3\x78\xAB\x06\x98\x88\x19\x8A\x64\xA6\x83\x91\x87\x13\xDB\x17\xCC\x46\xBD\xAB\x4E\xC7\x16\xD1\xF8\x35\xFD\x27\xC8\xF6\x6B\xEB\x37
\xB8\x08\x6F\xE2\x6F\xB4\x7E\xD5\x68\xDB\x7F\x5D\x5E\x36\x38\xF2\x77\x59\x13\xE7\x3E\x4D\x67\x5F\xDB\xA2\xF5\x5D\x7C\xBF\xBD\xB5\x37\x33\x51\x36\x63\xF8\x21\x1E\xFC\x73\x8F\x32\x69\xBB\x97\xA7\xBD\xF1\xB6\xE0\x40\x09\x68\xEA\xD5\x93\xB8\xBB\x39\x8D\xA8\x16\x1B\xBF\x04\x7A\xBC\x18\x43\x01\xE9\x3C\x19\x5C\x4D\x4B\x98\xD8\x23\x37\x39\xA4\xC4\xDD\xED\x9C\xEC\x37\xAB\x66\x44\x9B\xE7\x5B\x5D\x32\xA2\xDB\xA6\x0B\x3B\x8C\xE1\xF5\xDB\xCB\x7D\x58\xA0\x82\x04\x4B\x30\x82\x04\x47\x30\x82\x04\x43\x30\x82\x03\x2B\xA0\x03\x02\x01\x02\x02\x01\x1E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x39\x31\x31\x32\x34\x31\x32\x35\x31\x35\x33\x5A\x17\x0D\x31\x34\x31\x31\x32\x33\x31\x32\x35\x31\x35\x33\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x4F\x43\x53\x50\x20\x53\x69\x67\x6E\x69\x6E\x67\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBC\x05\x3E\x4B\xBE\xC6\xB1\x33\x48\x0E\xC3\xD4\x0C\xEF\x83\x0B\xBD\xBC\x57\x5F\x14\xEF\xF5\x6D\x0B\xFF\xFA\x01\x9C\xFA\x21\x6D\x5C\xAE\x79\x29\x74\xFE\xBD\xAB\x70\x87\x98\x6B\x48\x35\x79\xE3\xE0\xC1\x14\x41\x1F\x0A\xF7\xE7\xA3\xA6\xDA\x6B\xFF\xCD\x74\xE9\x95\x00\x38\xAA\xD6\x3A\x60\xC6\x64\xA1\xE6\x02\x39\x58\x4E\xFD\xF2\x78\x08\x63\xB6\xD7\x7A\x96\x79\x62\x18\x39\xEE\x27\x8D\x3B\xA2\x3D\x48\x88\xDB\x43\xD6\x6A\x77\x20\x6A\x27\x39\x50
\xE0\x02\x50\x19\xF2\x7A\xCF\x78\x23\x99\x01\xD4\xE5\xB1\xD1\x31\xE6\x6B\x84\xAF\xD0\x77\x41\x46\x85\xB0\x3B\xE6\x6A\x00\x0F\x3B\x7E\x95\x7F\x59\xA8\x22\xE8\x49\x49\x05\xC8\xCB\x6C\xEE\x47\xA7\x2D\xC9\x74\x5B\xEB\x8C\xD5\x99\xC2\xE2\x70\xDB\xEA\x87\x43\x84\x0E\x4F\x83\x1C\xA6\xEB\x1F\x22\x38\x17\x69\x9B\x72\x12\x95\x48\x71\xB2\x7B\x92\x73\x52\xAB\xE3\x1A\xA5\xD3\xF4\x44\x14\xBA\xC3\x35\xDA\x91\x6C\x7D\xB4\xC2\x00\x07\xD8\x0A\x51\xF1\x0D\x4C\xD9\x7A\xD1\x99\xE6\xA8\x8D\x0A\x80\xA8\x91\xDD\x8A\xA2\x6B\xF6\xDB\xB0\x3E\xC9\x71\xA9\xE0\x39\xC3\xA3\x58\x0D\x87\xD0\xB2\xA7\x9C\xB7\x69\x02\x03\x01\x00\x01\xA3\x82\x01\x1A\x30\x82\x01\x16\x30\x09\x06\x03\x55\x1D\x13\x04\x02\x30\x00\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x03\xA8\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x34\x91\x6E\x91\x32\xBF\x35\x25\x43\xCC\x28\x74\xEF\x82\xC2\x57\x92\x79\x13\x73\x30\x6D\x06\x03\x55\x1D\x23\x04\x66\x30\x64\x80\x14\x5D\xA7\xDD\x70\x06\x51\x32\x7E\xE7\xB6\x6D\xB3\xB5\xE5\xE0\x60\xEA\x2E\x4D\xEF\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x82\x01\x00\x30\x1E\x06\x03\x55\x1D\x11\x04\x17\x30\x15\x82\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x30\x13\x06\x03\x55\x1D\x25\x04\x0C\x30\x0A\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x09\x30\x39\x06\x03\x55\x1D\x1F\x04\x32\x30\x30\x30\x2E\xA0\x2C\xA0\x2A\x86\x28\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x2F\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x6D\x78\xD7\x66\x90\xA6\xEB\xDD\xB5\x09\x48\xA4\xDA\x27\xFA\xAC\xB1\xBC\x8F\x8C\xBE\xCC\x8C\x09\xA2\x40\x0D\x6C\x4A\xAE\x72\x22\x1E\xC8\xAF\x6D\xF1\x12\xAF\xD7\x40\x51\x79
\xD4\xDD\xB2\x0C\xDB\x97\x84\xB6\x24\xD5\xF5\xA8\xBB\xC0\x4B\xF9\x7F\x71\xF7\xB0\x65\x42\x4A\x7D\xFE\x76\x7E\x05\xD2\x46\xB8\x7D\xB3\x39\x4C\x5C\xB1\xFA\xB9\xEE\x3B\x70\x33\x39\x57\x1A\xB9\x95\x51\x33\x00\x25\x1B\x4C\xAA\xB4\xA7\x55\xAF\x63\x6D\x6F\x88\x17\x6A\x7F\xB0\x97\xDE\x49\x14\x6A\x27\x6A\xB0\x42\x80\xD6\xA6\x9B\xEF\x04\x5E\x11\x7D\xD5\x8E\x54\x20\xA2\x76\xD4\x66\x58\xAC\x9C\x12\xD3\xF5\xCA\x54\x98\xCA\x21\xEC\xC1\x55\xA1\x2F\x68\x0B\x5D\x04\x50\xD2\x5E\x70\x25\xD8\x13\xD9\x44\x51\x0E\x8A\x42\x08\x18\x84\xE6\x61\xCE\x5A\x7D\x7B\x81\x35\x90\xC3\xD4\x9D\x19\xB6\x37\xEE\x8F\x63\x5C\xDA\xD8\xF0\x64\x60\x39\xEB\x9B\x1C\x54\x66\x75\x76\xB5\x0A\x58\xB9\x3F\x91\xE1\x21\x9C\xA0\x50\x15\x97\xB6\x7E\x41\xBC\xD0\xC4\x21\x4C\xF5\xD7\xF0\x13\xF8\x77\xE9\x74\xC4\x8A\x0E\x20\x17\x32\xAE\x38\xC2\xA5\xA8\x62\x85\x17\xB1\xA2\xD3\x22\x9F\x95\xB7\xA3\x4C" + +static gnutls_datum_t ocsp_resp1 = + { (unsigned char *) RESP1, sizeof(RESP1) - 1 }; + +#define RESP3 "\x30\x82\x01\xd3\x0a\x01\x00\xa0\x82\x01\xcc\x30\x82\x01\xc8\x06\x09\x2b\x06\x01\x05\x05\x07\x30\x01\x01\x04\x82\x01\xb9\x30\x82\x01\xb5\x30\x81\x9e\xa2\x16\x04\x14\x50\xea\x73\x89\xdb\x29\xfb\x10\x8f\x9e\xe5\x01\x20\xd4\xde\x79\x99\x48\x83\xf7\x18\x0f\x32\x30\x31\x34\x30\x39\x30\x34\x30\x35\x34\x39\x30\x30\x5a\x30\x73\x30\x71\x30\x49\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14\xed\x48\xad\xdd\xcb\x7b\x00\xe2\x0e\x84\x2a\xa9\xb4\x09\xf1\xac\x30\x34\xcf\x96\x04\x14\x50\xea\x73\x89\xdb\x29\xfb\x10\x8f\x9e\xe5\x01\x20\xd4\xde\x79\x99\x48\x83\xf7\x02\x10\x02\x01\x48\x91\x5d\xfd\x5e\xb6\xe0\x02\x90\xa9\x67\xb0\xe4\x64\x80\x00\x18\x0f\x32\x30\x31\x34\x30\x39\x30\x34\x30\x35\x34\x39\x30\x30\x5a\xa0\x11\x18\x0f\x32\x30\x31\x34\x30\x39\x31\x31\x30\x36\x30\x34\x30\x30\x5a\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x6e\x5e\x5e\x81\xff\x3f\x4d\xc7\x53\xc7\x1b\xf3\xd3\x1d\xdc\x9a\xc7\xce\x77\x2c\x67\x56\x13\x98\x91\x02\x01\x76\xdc\x48\xb2\x1f\x9b\x17\xea\xbf\x2c\x0a\xf5\x1d\x98\x90\x3c\x5f\x55
\xc2\xff\x4b\x9a\xbc\xa6\x83\x9e\xab\x2b\xeb\x9d\x01\xea\x3b\x5f\xbe\x03\x29\x70\x63\x2a\xa4\x1d\xa8\xab\x69\xb2\x64\xba\x5d\x73\x91\x5c\x92\xf3\x69\xd4\xc9\x39\x9c\x7c\x7d\xa2\x47\x92\xc2\x56\xfe\xa1\x0d\x4a\x69\xff\xda\x48\xc5\x5e\xd8\xab\x39\x88\x6a\x06\xfa\x07\x57\xd6\x48\xb5\xce\xc9\x5f\xa5\x96\xfe\x37\x18\x5e\x7f\x35\x51\xc1\x9e\x79\x5a\x26\xba\x67\x67\x38\x2a\x80\x75\x42\x99\x68\x3e\xec\x2f\x7e\x2d\xa1\xa6\xbe\x9f\x01\x51\x22\x88\x3a\xc9\x9c\xed\x51\xef\x21\x66\x7e\xa9\xd0\x3f\x13\x9c\xbb\xd2\x94\x14\x6f\x4b\xd9\xc4\xf5\x2c\xf5\x7d\x07\x68\xf3\x51\xac\xda\xc2\x09\x66\xa9\x3d\xed\xad\x02\x4d\x9c\x11\x29\x1a\x54\xfb\x1e\x7e\x36\xf4\xbb\x0d\x08\x8c\x6a\x42\x08\x10\x29\x08\x7c\x56\x0b\x18\x47\xff\x87\x11\xfd\xb2\xfb\xc9\x22\x7f\xe3\x1f\x7b\xf9\x98\xaa\x3a\x32\xb6\x2f\x02\xba\xb6\xc1\xdc\xc3\x5d\xb5\x4b\xae\x5d\x29\x6a\x31\xde\xcd" +static gnutls_datum_t ocsp_resp2 = + { (unsigned char *) RESP3, sizeof(RESP3) - 1 }; + + +static void check_response(gnutls_session_t session, void *priv) +{ + int ret; + gnutls_datum_t resp; + gnutls_datum_t *ocsp = priv; + unsigned i; + + assert(ocsp != NULL); + + for (i=0;;i++) { + ret = gnutls_ocsp_status_request_get2(session, i, &resp); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + if (ret < 0) { + if (ocsp->size == 0) + return; + fail("no response was received: %s\n", gnutls_strerror(ret)); + } + + if (ocsp->size == 0) { + fail("not expected response, but received one\n"); + } + + if (resp.size != ocsp->size) { + fail("did not receive the expected response size for %d\n", i); + } + + if (memcmp(resp.data, ocsp->data, resp.size) != 0) { + fail("did not receive the expected response for %d\n", i); + } + } + + if (i != 1) { + fail("The number of OCSP responses received (%d) does not match the expected (%d)\n", i, 1); + } +} + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "|<%d>| %s", level, str); +} + +void doit(void) +{ + int ret; + gnutls_certificate_credentials_t xcred; + 
gnutls_certificate_credentials_t clicred; + const char *certfile1; + const char *certfile2; + const char *certfile3; + char certname1[TMPNAME_SIZE]; + char certname2[TMPNAME_SIZE]; + char certname3[TMPNAME_SIZE]; + FILE *fp; + unsigned index1, index2; /* indexes of certs */ + + global_init(); + gnutls_global_set_time_function(mytime); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + assert(gnutls_certificate_allocate_credentials(&xcred) >= 0); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); + + gnutls_certificate_set_flags(clicred, GNUTLS_CERTIFICATE_API_V2); + + certfile1 = get_tmpname(certname1); + + /* set cert with localhost name */ + fp = fopen(certfile1, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0); + assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); + fclose(fp); + + ret = gnutls_certificate_set_x509_key_file2(xcred, certfile1, certfile1, + GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); + + /* load client certificates */ + certfile2 = get_tmpname(certname2); + + fp = fopen(certfile2, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(cli_ca3_cert_pem, 1, strlen(cli_ca3_cert_pem), fp)>0); + assert(fwrite(cli_ca3_key_pem, 1, strlen(cli_ca3_key_pem), fp)>0); + fclose(fp); + ret = gnutls_certificate_set_x509_key_file2(clicred, certfile2, certfile2, + GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); + index1 = ret; + + + certfile3 = get_tmpname(certname3); + fp = fopen(certfile3, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(cert_pem, 1, strlen((char*)cert_pem), fp)>0); + assert(fwrite(key_pem, 1, strlen((char*)key_pem), fp)>0); + fclose(fp); + + ret = 
gnutls_certificate_set_x509_key_file2(clicred, certfile3, certfile3, + GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); + index2 = ret; + + + gnutls_certificate_set_flags(clicred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK); + /* set OCSP response1 */ + ret = gnutls_certificate_set_ocsp_status_request_mem(clicred, &ocsp_resp2, index2, GNUTLS_X509_FMT_DER); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + /* set OCSP response2 */ + ret = gnutls_certificate_set_ocsp_status_request_mem(clicred, &ocsp_resp1, index1, GNUTLS_X509_FMT_DER); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + /* make sure that our invalid OCSP responses are not considered in verification + */ + gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS); + if (gnutls_certificate_get_verify_flags(clicred) != GNUTLS_VERIFY_DISABLE_CRL_CHECKS) + fail("error in gnutls_certificate_set_verify_flags\n"); + + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); + } + + ret = gnutls_certificate_set_x509_trust_mem(xcred, &subca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); + } + + _test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", + "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", + "localhost", + &ocsp_resp1, NULL, check_response, + 0, 1, 0, 0); + + gnutls_certificate_free_credentials(xcred); + gnutls_certificate_free_credentials(clicred); + gnutls_global_deinit(); + remove(certfile1); + remove(certfile2); + remove(certfile3); +} + +#else +void doit(void) +{ + exit(77); +} +#endif diff --git a/tests/utils-adv.c b/tests/utils-adv.c index 1986e50bd1..a084136646 100644 --- a/tests/utils-adv.c +++ b/tests/utils-adv.c 
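Review bot: The file-level comment ("Tests whether we can send and receive multiple OCSP responses one for each certificate in a chain under TLS 1.3.") is carried over from tests/tls13/multi-ocsp.c and does not describe this test, which loads OCSP responses into the client credentials and has the server-side callback verify the single staple the client sends; suggest `/* Tests whether a client can send an OCSP status response with its certificate under TLS 1.3, and that the server receives exactly one. */`. The `/* set OCSP response1 */` and `/* set OCSP response2 */` comments in `doit` are also swapped relative to the `ocsp_resp2`/`ocsp_resp1` arguments beneath them. Separately, `gnutls_certificate_set_flags(clicred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK)` follows an earlier `gnutls_certificate_set_flags(clicred, GNUTLS_CERTIFICATE_API_V2)` on the same credentials; if that setter assigns rather than ORs, the second call silently drops API_V2, so passing both in one call, `GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK`, states the intent regardless of the setter's semantics.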
@@ -42,7 +42,7 @@ int _gnutls_server_name_set_raw(gnutls_session_t session, const char *side = NULL; /* if @host is NULL certificate check is skipped */ -static int +int _test_cli_serv(gnutls_certificate_credentials_t server_cred, gnutls_certificate_credentials_t client_cred, const char *serv_prio, const char *cli_prio, diff --git a/tests/utils.h b/tests/utils.h index a6ef3e4600..1247402e9f 100644 --- a/tests/utils.h +++ b/tests/utils.h @@ -98,6 +98,17 @@ void test_cli_serv(gnutls_certificate_credentials_t server_cred, void *priv, callback_func * client_cb, callback_func * server_cb); +int +_test_cli_serv(gnutls_certificate_credentials_t server_cred, + gnutls_certificate_credentials_t client_cred, + const char *serv_prio, const char *cli_prio, + const char *host, + void *priv, callback_func *client_cb, callback_func *server_cb, + unsigned expect_verification_failure, + unsigned require_cert, + int serv_err, + int cli_err); + void print_dh_params_info(gnutls_session_t); void diff --git a/tests/x509-cert-callback-ocsp.c b/tests/x509-cert-callback-ocsp.c new file mode 100644 index 0000000000..b6ea04d381 --- /dev/null +++ b/tests/x509-cert-callback-ocsp.c 
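Review bot: The prototype added to tests/utils.h exposes `_test_cli_serv` with twelve parameters, including `expect_verification_failure`, `require_cert`, `serv_err` and `cli_err`, and no comment on what each controls or what the `int` return signals; a short block comment above the declaration describing those four trailing parameters and the return value would spare every new caller a trip into utils-adv.c. The leading-underscore spelling is now a header-visible file-scope identifier, which C reserves for the implementation; keeping the existing name for consistency with utils-adv.c is understandable, but an un-prefixed public name with `_test_cli_serv` kept as its alias would be the cleaner spelling. The definition in tests/utils-adv.c continues outside the hunk.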
@@ -0,0 +1,238 @@
+/*
+ * Copyright (C) 2015-2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/abstract.h>
+#include <gnutls/x509.h>
+#include "utils.h"
+#include "eagain-common.h"
+#include "cert-common.h"
+
+/* This tests gnutls_certificate_set_x509_key() */
+
+const char *side;
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "%s|<%d>| %s", side, level, str);
+}
+
+static gnutls_privkey_t server_pkey = NULL;
+static gnutls_pcert_st *server_pcert = NULL;
+static gnutls_ocsp_data_st ocspdata[2];
+
+#define OCSP_SIZE 16
+#define OCSP_DATA "\xff\xff\xf0\xf0\xff\xff\xf0\xf0\xff\xff\xf0\xf0\xff\xff\xf0\xf0"
+
+static int
+server_cert_callback(gnutls_session_t session,
+ const struct gnutls_cert_retr_st *info,
+ gnutls_pcert_st **pcert,
+ unsigned int *pcert_length,
+ gnutls_ocsp_data_st **ocsp,
+ unsigned int *ocsp_length,
+ gnutls_privkey_t *pkey,
+ unsigned int *flags)
+{
+ int ret;
+ gnutls_pcert_st *p;
+ gnutls_privkey_t lkey;
+ gnutls_x509_crt_t *certs;
+ unsigned certs_size, i;
+
+ if (server_pkey == NULL) {
+ p = gnutls_malloc(2 *
sizeof(*p));
+ if (p == NULL)
+ return -1;
+
+ ocspdata[0].response.data = (void*)OCSP_DATA;
+ ocspdata[0].response.size = OCSP_SIZE;
+ ocspdata[0].exptime = 0;
+
+ ocspdata[1].response.data = (void*)OCSP_DATA;
+ ocspdata[1].response.size = OCSP_SIZE;
+ ocspdata[1].exptime = 0;
+
+ ret = gnutls_x509_crt_list_import2(&certs, &certs_size,
+ &server_ca3_localhost_cert_chain,
+ GNUTLS_X509_FMT_PEM, 0);
+ if (ret < 0)
+ return -1;
+ ret = gnutls_pcert_import_x509_list(p, certs, &certs_size, 0);
+ if (ret < 0)
+ return -1;
+ for (i = 0; i < certs_size; i++)
+ gnutls_x509_crt_deinit(certs[i]);
+ gnutls_free(certs);
+
+ ret = gnutls_privkey_init(&lkey);
+ if (ret < 0)
+ return -1;
+
+ ret =
+ gnutls_privkey_import_x509_raw(lkey, &server_ca3_key,
+ GNUTLS_X509_FMT_PEM, NULL,
+ 0);
+ if (ret < 0)
+ return -1;
+
+ server_pcert = p;
+ server_pkey = lkey;
+
+ *pcert = p;
+ *pcert_length = 2;
+ *pkey = lkey;
+ *ocsp = ocspdata;
+ *ocsp_length = 2;
+ } else {
+ *pcert = server_pcert;
+ *pcert_length = 2;
+ *pkey = server_pkey;
+ *ocsp = ocspdata;
+ *ocsp_length = 2;
+ }
+
+ return 0;
+}
+
+static void start(const char *prio)
+{
+ int exit_code = EXIT_SUCCESS;
+ int ret;
+ /* Server stuff. */
+ gnutls_certificate_credentials_t scred;
+ gnutls_session_t server;
+ gnutls_datum_t response;
+ int sret = GNUTLS_E_AGAIN;
+ /* Client stuff. */
+ gnutls_certificate_credentials_t ccred;
+ gnutls_session_t client;
+ int cret = GNUTLS_E_AGAIN;
+
+ success("testing %s\n", prio);
+
+ /* General init.
*/
+ global_init();
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4);
+
+ /* Init server */
+ gnutls_certificate_allocate_credentials(&scred);
+
+ gnutls_certificate_set_retrieve_function3(scred,
+ server_cert_callback);
+
+ gnutls_init(&server, GNUTLS_SERVER);
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
+ assert(gnutls_priority_set_direct(server,
+ prio, NULL) >= 0);
+ gnutls_transport_set_push_function(server, server_push);
+ gnutls_transport_set_pull_function(server, server_pull);
+ gnutls_transport_set_ptr(server, server);
+ gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
+
+ /* Init client */
+ ret = gnutls_certificate_allocate_credentials(&ccred);
+ if (ret < 0)
+ exit(1);
+
+ gnutls_certificate_set_verify_flags(ccred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS);
+
+ ret =
+ gnutls_certificate_set_x509_trust_mem(ccred, &ca3_cert,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_init(&client, GNUTLS_CLIENT);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
+ ccred);
+ if (ret < 0)
+ exit(1);
+
+ assert(gnutls_priority_set_direct(client, prio, NULL)>=0);
+ gnutls_transport_set_push_function(client, client_push);
+ gnutls_transport_set_pull_function(client, client_pull);
+ gnutls_transport_set_ptr(client, client);
+
+ HANDSHAKE(client, server);
+
+ ret = gnutls_ocsp_status_request_get(client, &response);
+ if (ret != 0)
+ fail("no response was found: %s\n", gnutls_strerror(ret));
+
+ assert(response.size == OCSP_SIZE);
+ assert(memcmp(response.data, OCSP_DATA, OCSP_SIZE) == 0);
+
+ if (gnutls_protocol_get_version(client) == GNUTLS_TLS1_3) {
+ ret = gnutls_ocsp_status_request_get2(client, 1, &response);
+ if (ret != 0)
+ fail("no response was found for 1: %s\n", gnutls_strerror(ret));
+
+ assert(response.size == OCSP_SIZE);
+ assert(memcmp(response.data, OCSP_DATA, OCSP_SIZE) == 0);
+ }
+
+ ret =
gnutls_ocsp_status_request_get2(client, 2, &response);
+ if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ fail("found response in index 1: %s\n", gnutls_strerror(ret));
+ }
+
+ gnutls_bye(client, GNUTLS_SHUT_WR);
+ gnutls_bye(server, GNUTLS_SHUT_WR);
+
+ gnutls_deinit(client);
+ gnutls_deinit(server);
+
+ gnutls_certificate_free_credentials(scred);
+ gnutls_certificate_free_credentials(ccred);
+
+ gnutls_global_deinit();
+
+ if (debug > 0) {
+ if (exit_code == 0)
+ puts("Self-test successful");
+ else
+ puts("Self-test failed");
+ }
+
+ reset_buffers();
+}
+
+void doit(void)
+{
+ start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3");
+ start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2");
+ start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1");
+} |
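Review bot: In server_cert_callback the pcert array is sized for exactly two entries (`p = gnutls_malloc(2 * sizeof(*p))`) before `gnutls_x509_crt_list_import2` reports how many certificates `server_ca3_localhost_cert_chain` actually holds, yet the resulting `certs_size` is then passed to `gnutls_pcert_import_x509_list`, while `*pcert_length` and `*ocsp_length` are hard-coded to 2 against a two-element `ocspdata`. Should the fixture chain ever grow beyond two certificates, the import would presumably write past the allocation and the status_request indices checked in start() would no longer correspond to the chain, so the assumption should be enforced right after the import, `if (ret < 0 || certs_size != 2) return -1;`, or the array allocated as `certs_size` entries after the import with `*pcert_length = certs_size`. On the same path `certs` is not freed when `gnutls_pcert_import_x509_list` fails, which a test under valgrind will report. Separately, the final check in start() queries index 2 but reports "found response in index 1"; it should read `fail("found response in index 2: %s\n", gnutls_strerror(ret));`, and `exit_code` is never set to anything but EXIT_SUCCESS, so the "Self-test failed" branch is unreachable.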