Add OCSP Resp verify test for invalid producedAt

2026-04-06 20:46:32 +02:00 · 2018-03-01 22:11:34 +00:00
parent 244579388e
commit 1182bd1709
10 changed files with 106 additions and 0 deletions
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -12,6 +12,7 @@

 ## Tools
 OPENSSL ?= openssl
+FAKETIME ?= faketime

 ## Build the generated test data. Note that since the final outputs
 ## are committed to the repository, this target should do nothing on a
@@ -78,6 +79,21 @@ server2-ocsp-nocheck.crt: server2-ocsp-nocheck.csr $(cli_crt_extensions_file)
 	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions ocsp-nocheck -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in $< -out $@
 all_final += server2-ocsp-nocheck.crt

+test-ca-index.txt:
+	printf "" > $@
+all_intermediate += test-ca-index.txt test-ca-index.txt.old
+test-ca-index.txt.attr:
+	printf "unique_subject = no" > $@
+all_intermediate += test-ca-index.txt.attr test-ca-index.txt.attr.old
+test-ca-serial.txt:
+	printf "1000" > $@
+all_intermediate += test-ca-serial.txt test-ca-serial.txt.old
+server2-in-database.csr: server2.key $(test_ca_config_file) test-ca-index.txt test-ca-serial.txt test-ca-index.txt.attr
+	$(OPENSSL) req -config $(test_ca_config_file) -key $< -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=Mbed TLS OCSP test cert" -out $@ -new -sha256
+all_intermediate += server2-in-database.csr
+server2-in-database.crt: server2-in-database.csr $(test_ca_config_file)
+	$(OPENSSL) ca -batch -config $(test_ca_config_file) -extensions server_cert -cert test-ca-sha256.crt -keyfile $(test_ca_key_file_rsa) -days 3653 -notext -md sha256 -passin "pass:$(test_ca_pwd_rsa)" -in $< -out $@
+all_final += server2-in-database.crt

 ################################################################
 #### Generate OCSP responses using existing certificates
@@ -103,6 +119,13 @@ ocsp-resp-status-unauthorized.der:
 	@printf "\x30\x03\x0A\x01\x06" > $@
 all_final += ocsp-resp-status-unauthorized.der

+ocsp-req-for-server2-in-database.der: server2-in-database.crt test-ca-sha256.crt
+	$(OPENSSL) ocsp -issuer test-ca-sha256.crt -cert server2-in-database.crt -no_nonce -reqout $@
+all_intermediate += ocsp-req-future-produced-at.der
+ocsp-resp-future-produced-at.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt
+	$(FAKETIME) -f "+9y" $(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
+all_final += ocsp-resp-future-produced-at.der
+
 ################################################################
 #### Meta targets
 ################################################################
--- a/tests/data_files/ocsp-req-for-server2-in-database.der
+++ b/tests/data_files/ocsp-req-for-server2-in-database.der
--- a/tests/data_files/ocsp-resp-future-produced-at.der
+++ b/tests/data_files/ocsp-resp-future-produced-at.der
--- a/tests/data_files/server2-in-database.crt
+++ b/tests/data_files/server2-in-database.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELzCCAxegAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMB4X
+DTE4MDMwMTIyMDYwNVoXDTI4MDMwMTIyMDYwNVowQjELMAkGA1UEBhMCTkwxETAP
+BgNVBAoMCFBvbGFyU1NMMSAwHgYDVQQDDBdNYmVkIFRMUyBPQ1NQIHRlc3QgY2Vy
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZ
+rA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAo
+faHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkN
+HC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/
+0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO
+79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIB
+MJcCAwEAAaOCATQwggEwMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQG
+CWCGSAGG+EIBDQQnFiVNYmVkIFRMUyBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmlj
+YXRlMB0GA1UdDgQWBBSlBehkuNzfYA9QEk1gqGSvTYtDkzBjBgNVHSMEXDBagBS0
+WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoM
+CFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMA4GA1UdDwEB
+/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAxBggrBgEFBQcBAQQlMCMwIQYI
+KwYBBQUHMAGGFWh0dHA6Ly9sb2NhbGhvc3Q6NDQ1NTANBgkqhkiG9w0BAQsFAAOC
+AQEAjAC04LUv828n4PKfEsdfls6gCY/3wNDWECLBu/94EHSasqh83W05uWvLoTMq
+98kPU/ZBc85EiAKABKc27Aw0x5/hvxupcdrOREfb01yxpq6gIPbpredR5rfKXzFx
+4zmEujQzxrk8W3evTxD4M69yR1MbPmbyvxgr5yJPOEKuNbGkk9lXgg8RClBeRlZh
+TTTyuYvL77RHqzJs6xLg9q712Sc2e4XSWqmE+bwCALjMUGnU7TQZS3sgxJYZP4/K
+0MzXmBhUS+28Ih5c2Epl8LQid1n1ohL8RTEqxtPQGCIsTVx+wRKph1W0rrkEIMiw
+2zyVqis29m+s4bI4oZLGvmV5Pg==
+-----END CERTIFICATE-----
--- a/tests/data_files/server2-in-database.csr
+++ b/tests/data_files/server2-in-database.csr
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIChzCCAW8CAQAwQjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMSAw
+HgYDVQQDDBdNYmVkIFRMUyBPQ1NQIHRlc3QgY2VydDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCI
+p+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj
+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ
+4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYva
+i0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P
+6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaAAMA0GCSqGSIb3
+DQEBCwUAA4IBAQBeS/1c6B4xwf2aRgemANuebLe0ydEuW2sdrWcagCaB6X6otexo
+r2Nn8/MdbBWsFuuGdKbv40nLVABQ3aJfkkDMJIy8oAWxlqYLHWZdQwGxaMXBFY3b
+voqF9kcIcXcArfIGtjN5g0r1ktcxksbKxImOFaZAdwnWB/S+2FKgJodu1ECv9r5C
+vZoqnuDJ4ShzCdRxSmcg2ixhBW7apy6lW1M6WKbQlcBKdh6/nToH+mdg80onGpca
+NIfqv+y5BKW/u6ILuD7Znbe7NRVXpVgXjTueT9eHpUAMi8ZcXh9faKmOPQkW16X2
+u3iXGWzWj8bBmW6sze57j1X6Cn4BgmPXXAdS
+-----END CERTIFICATE REQUEST-----
--- a/tests/data_files/test-ca-index.txt
+++ b/tests/data_files/test-ca-index.txt
@@ -0,0 +1 @@
+V	280301220605Z		1000	unknown	/C=NL/O=PolarSSL/CN=Mbed TLS OCSP test cert
--- a/tests/data_files/test-ca-index.txt.attr
+++ b/tests/data_files/test-ca-index.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
--- a/tests/data_files/test-ca-serial.txt
+++ b/tests/data_files/test-ca-serial.txt
@@ -0,0 +1 @@
+1001
--- a/tests/data_files/test-ca.opensslconf
+++ b/tests/data_files/test-ca.opensslconf
@@ -1,3 +1,39 @@
+[ca]
+default_ca = CA_default
+
+[CA_default]
+dir = .
+certs = $dir
+new_certs_dir = $dir
+database = ./test-ca-index.txt
+serial = ./test-ca-serial.txt
+
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3653
+policy = policy_loose
+
+[policy_loose]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[server_cert]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "Mbed TLS Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+authorityInfoAccess = OCSP;URI:http://localhost:4455
+
 [req]
 x509_extensions = v3_ca
 distinguished_name = req_dn
--- a/tests/suites/test_suite_x509parse_ocsp.data
+++ b/tests/suites/test_suite_x509parse_ocsp.data
@@ -243,3 +243,6 @@ x509_ocsp_response_verify:"data_files/ocsp-resp-status-sig-required.der":"data_f

 X509 OCSP Response verification (unauthorized response status)
 x509_ocsp_response_verify:"data_files/ocsp-resp-status-unauthorized.der":"data_files/server2.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_BAD_RESPONSE_STATUS
+
+X509 OCSP Response verification (producedAt is in the future)
+x509_ocsp_response_verify:"data_files/ocsp-resp-future-produced-at.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE
				`@@ -0,0 +1 @@`
				`V 280301220605Z 1000 unknown /C=NL/O=PolarSSL/CN=Mbed TLS OCSP test cert`