diff options
author | Matt Caswell <matt@openssl.org> | 2022-04-13 16:47:35 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2022-05-03 10:46:49 +0100 |
commit | 6ee1f4f40b5100ef2744866a727bb4b9ef8ea39e (patch) | |
tree | 9a83e02763cf7ec97745e12b61dd36b4c9fea2ed /test/recipes/80-test_ocsp.t | |
parent | 21f89f542d745adbf1131338929ae538e200d50d (diff) | |
download | openssl-new-6ee1f4f40b5100ef2744866a727bb4b9ef8ea39e.tar.gz |
Test ocsp with invalid responses and the "-no_cert_checks" option
The "-no_cert_checks" option causes the flag OCSP_NOCHECKS to be set.
The bug fixed in the previous commit will cause the ocsp app to respond with
a success result in the case when the OCSP response signing certificate
fails to verify and -no_cert_checks is used - so we test that it fails in
this case.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'test/recipes/80-test_ocsp.t')
-rw-r--r-- | test/recipes/80-test_ocsp.t | 122 |
1 files changed, 65 insertions, 57 deletions
diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t index d42030cb89..34fdfcbccc 100644 --- a/test/recipes/80-test_ocsp.t +++ b/test/recipes/80-test_ocsp.t @@ -35,6 +35,7 @@ sub test_ocsp { $untrusted = $CAfile; } my $expected_exit = shift; + my $nochecks = shift; my $outputfile = basename($inputfile, '.ors') . '.dat'; run(app(["openssl", "base64", "-d", @@ -45,7 +46,8 @@ sub test_ocsp { "-partial_chain", @check_time, "-CAfile", catfile($ocspdir, $CAfile), "-verify_other", catfile($ocspdir, $untrusted), - "-no-CApath", "-no-CAstore"])), + "-no-CApath", "-no-CAstore", + $nochecks ? "-no_cert_checks" : ()])), $title); }); } @@ -55,143 +57,149 @@ subtest "=== VALID OCSP RESPONSES ===" => sub { plan tests => 7; test_ocsp("NON-DELEGATED; Intermediate CA -> EE", - "ND1.ors", "ND1_Issuer_ICA.pem", "", 0); + "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0); test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", - "ND2.ors", "ND2_Issuer_Root.pem", "", 0); + "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0); test_ocsp("NON-DELEGATED; Root CA -> EE", - "ND3.ors", "ND3_Issuer_Root.pem", "", 0); + "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0); test_ocsp("NON-DELEGATED; 3-level CA hierarchy", - "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0); + "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0); test_ocsp("DELEGATED; Intermediate CA -> EE", - "D1.ors", "D1_Issuer_ICA.pem", "", 0); + "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0); test_ocsp("DELEGATED; Root CA -> Intermediate CA", - "D2.ors", "D2_Issuer_Root.pem", "", 0); + "D2.ors", "D2_Issuer_Root.pem", "", 0, 0); test_ocsp("DELEGATED; Root CA -> EE", - "D3.ors", "D3_Issuer_Root.pem", "", 0); + "D3.ors", "D3_Issuer_Root.pem", "", 0, 0); }; subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub { plan tests => 6; test_ocsp("NON-DELEGATED; Intermediate CA -> EE", - "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1); + "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", - "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1); + "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> EE", - "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1); + "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Intermediate CA -> EE", - "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1); + "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> Intermediate CA", - "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1); + "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> EE", - "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1); + "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); }; subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub { plan tests => 6; test_ocsp("NON-DELEGATED; Intermediate CA -> EE", - "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1); + "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", - "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1); + "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> EE", - "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1); + "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Intermediate CA -> EE", - "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1); + "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> Intermediate CA", - "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1); + "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> EE", - "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1); + "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); }; subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub { plan tests => 6; test_ocsp("NON-DELEGATED; Intermediate CA -> EE", - "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1); + "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", - "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1); + "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> EE", - "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1); + "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Intermediate CA -> EE", - "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1); + "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> Intermediate CA", - "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1); + "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> EE", - "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1); + "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); }; subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub { plan tests => 6; test_ocsp("NON-DELEGATED; Intermediate CA -> EE", - "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1); + "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", - "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1); + "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> EE", - "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1); + "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Intermediate CA -> EE", - "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1); + "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> Intermediate CA", - "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1); + "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> EE", - "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1); + "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); }; subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub { plan tests => 3; test_ocsp("DELEGATED; Intermediate CA -> EE", - "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1); + "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> Intermediate CA", - "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1); + "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> EE", - "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1); + "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); }; subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub { - plan tests => 3; + plan tests => 6; test_ocsp("DELEGATED; Intermediate CA -> EE", - "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1); + "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0); + test_ocsp("DELEGATED; Root CA -> EE", + "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); + test_ocsp("DELEGATED; Intermediate CA -> EE", + "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1); test_ocsp("DELEGATED; Root CA -> Intermediate CA", - "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1); + "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1); test_ocsp("DELEGATED; Root CA -> EE", - "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1); + "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1); }; subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub { plan tests => 6; test_ocsp("NON-DELEGATED; Intermediate CA -> EE", - "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1); + "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", - "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1); + "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> EE", - "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1); + "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Intermediate CA -> EE", - "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1); + "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> Intermediate CA", - "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1); + "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> EE", - "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1); + "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0); }; subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub { plan tests => 6; test_ocsp("NON-DELEGATED; Intermediate CA -> EE", - "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1); + "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", - "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1); + "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0); test_ocsp("NON-DELEGATED; Root CA -> EE", - "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1); + "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Intermediate CA -> EE", - "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1); + "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> Intermediate CA", - "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1); + "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0); test_ocsp("DELEGATED; Root CA -> EE", - "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1); + "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0); }; subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub { @@ -199,17 +207,17 @@ subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub { # Expect success, because we're explicitly trusting the issuer certificate. test_ocsp("NON-DELEGATED; Intermediate CA -> EE", - "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0); + "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0); test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", - "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0); + "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0); test_ocsp("NON-DELEGATED; Root CA -> EE", - "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0); + "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0); test_ocsp("DELEGATED; Intermediate CA -> EE", - "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0); + "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0); test_ocsp("DELEGATED; Root CA -> Intermediate CA", - "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0); + "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0); test_ocsp("DELEGATED; Root CA -> EE", - "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0); + "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0); }; subtest "=== OCSP API TESTS===" => sub { |