From 1182bd17095b2ea8dce8e205ebfeed0dfaef45ff Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 1 Mar 2018 22:11:34 +0000 Subject: [PATCH] Add OCSP Resp verify test for invalid producedAt --- tests/data_files/Makefile | 23 +++++++++++ .../ocsp-req-for-server2-in-database.der | Bin 0 -> 69 bytes .../ocsp-resp-future-produced-at.der | Bin 0 -> 1392 bytes tests/data_files/server2-in-database.crt | 25 ++++++++++++ tests/data_files/server2-in-database.csr | 16 ++++++++ tests/data_files/test-ca-index.txt | 1 + tests/data_files/test-ca-index.txt.attr | 1 + tests/data_files/test-ca-serial.txt | 1 + tests/data_files/test-ca.opensslconf | 36 ++++++++++++++++++ tests/suites/test_suite_x509parse_ocsp.data | 3 ++ 10 files changed, 106 insertions(+) create mode 100644 tests/data_files/ocsp-req-for-server2-in-database.der create mode 100644 tests/data_files/ocsp-resp-future-produced-at.der create mode 100644 tests/data_files/server2-in-database.crt create mode 100644 tests/data_files/server2-in-database.csr create mode 100644 tests/data_files/test-ca-index.txt create mode 100644 tests/data_files/test-ca-index.txt.attr create mode 100644 tests/data_files/test-ca-serial.txt diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index a0060fad08..a94a916ead 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -12,6 +12,7 @@ ## Tools OPENSSL ?= openssl +FAKETIME ?= faketime ## Build the generated test data. Note that since the final outputs ## are committed to the repository, this target should do nothing on a 
@@ -78,6 +79,21 @@ server2-ocsp-nocheck.crt: server2-ocsp-nocheck.csr $(cli_crt_extensions_file) $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions ocsp-nocheck -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in $< -out $@ all_final += server2-ocsp-nocheck.crt +test-ca-index.txt: + printf "" > $@ +all_intermediate += test-ca-index.txt test-ca-index.txt.old +test-ca-index.txt.attr: + printf "unique_subject = no" > $@ +all_intermediate += test-ca-index.txt.attr test-ca-index.txt.attr.old +test-ca-serial.txt: + printf "1000" > $@ +all_intermediate += test-ca-serial.txt test-ca-serial.txt.old +server2-in-database.csr: server2.key $(test_ca_config_file) test-ca-index.txt test-ca-serial.txt test-ca-index.txt.attr + $(OPENSSL) req -config $(test_ca_config_file) -key $< -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=Mbed TLS OCSP test cert" -out $@ -new -sha256 +all_intermediate += server2-in-database.csr +server2-in-database.crt: server2-in-database.csr $(test_ca_config_file) + $(OPENSSL) ca -batch -config $(test_ca_config_file) -extensions server_cert -cert test-ca-sha256.crt -keyfile $(test_ca_key_file_rsa) -days 3653 -notext -md sha256 -passin "pass:$(test_ca_pwd_rsa)" -in $< -out $@ +all_final += server2-in-database.crt ################################################################ #### Generate OCSP responses using existing certificates 
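Review bot: The CA database files `test-ca-index.txt test-ca-serial.txt test-ca-index.txt.attr` are declared as prerequisites of `server2-in-database.csr`, yet `openssl req` never reads them; the command that actually opens and rewrites them is the `openssl ca` call in the `server2-in-database.crt` rule, which lists only the CSR and the config file. Moving them keeps the same build order (the .crt still depends on the .csr) and makes the real dependency visible: `server2-in-database.crt: server2-in-database.csr $(test_ca_config_file) test-ca-index.txt test-ca-serial.txt test-ca-index.txt.attr`. That recipe also writes files other than `$@` (the index, the serial, their `.old` copies, and — with `new_certs_dir = $dir` in the config — a `<serial>.pem` copy in this directory), and the regenerated serial is `1000` while the committed file reads `1001`, so a fresh `make` churns tracked files. A comment above the .crt rule such as `# openssl ca rewrites test-ca-index.txt/test-ca-serial.txt (leaving .old copies) as a side effect; the committed contents are the post-issuance state` would spare the next person regenerating the data.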
@@ -103,6 +119,13 @@ ocsp-resp-status-unauthorized.der: @printf "\x30\x03\x0A\x01\x06" > $@ all_final += ocsp-resp-status-unauthorized.der +ocsp-req-for-server2-in-database.der: server2-in-database.crt test-ca-sha256.crt + $(OPENSSL) ocsp -issuer test-ca-sha256.crt -cert server2-in-database.crt -no_nonce -reqout $@ +all_intermediate += ocsp-req-future-produced-at.der +ocsp-resp-future-produced-at.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt + $(FAKETIME) -f "+9y" $(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -noverify -reqin $< -respout $@ +all_final += ocsp-resp-future-produced-at.der + ################################################################ #### Meta targets ################################################################ 
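Review bot: `all_intermediate += ocsp-req-future-produced-at.der` names a file no rule produces; the request target on the line above is `ocsp-req-for-server2-in-database.der`, so the real intermediate is never cleaned and the list entry is dead — it should read `all_intermediate += ocsp-req-for-server2-in-database.der`. Separately, the `+9y` faketime offset bakes a fixed producedAt into the committed response (around 2027 if generated at the commit date), so the new case in test_suite_x509parse_ocsp.data will stop yielding MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE once real time reaches it, and since the issued certificate expires 2028-03-01 per the committed index entry the offset cannot simply be enlarged. A comment above the rule recording this, e.g. `# producedAt is pinned ~9 years after generation; regenerate (requires faketime, see FAKETIME above) before then or the FUTURE test case inverts`, would document the time bomb where it is set rather than leaving it to be rediscovered from a failing test.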
diff --git a/tests/data_files/ocsp-req-for-server2-in-database.der b/tests/data_files/ocsp-req-for-server2-in-database.der new file mode 100644 index 0000000000000000000000000000000000000000..4c54d80e826992972c23d4a8405635b70d52f634 GIT binary patch literal 69 zcmV-L0J{G$Loh)wKQKKoJ1_|b1uG5%0vZJX1QZGtXr|GJA7iba-L|pMZAS6}2?qoe bv|8k)v) zn90w_P|$!M#Np!M2*}S#ED8?xF_bhA2MICr2*89CLQ;!M6r3F;_>ByV%ngi;%#Dl; z%nU7}41x>-46K3Xv1;=%GfA;Bu!wMpW-PndE}y)1-ra2*&*!>*V&Y_H5!n*;Wa;L6 zmx8|Syt-^E|7*KF$N&CkViI6zV8Aq!myJ`a&7E2Sva zR5i#t{>)B%>s6qqxk#SdzIBuGf2~K0IJgTvI6nCLe@om|_(Y2r#y(yD z`;6Z*y*7GsGOD3{8{=+^-Q9P#JAHiQ9`Gw7IMLQTNM&w4{hpI*{c_r zXr&fiuyIAXFzWUwq%ATgKJr<2^-qP(Q-b*8{e(7_{ zn>VrizNht@S*#j;kCwJNbA9eEpAyz^fzjNfBVk8}_|)1xlmAV=|EbW`)lKc(k;Vm0 z%>4#U%-ulTZqUS(zkr#Ek%@_s!2l_&xLFw}id+LZab81n15*PNLo-uz1H&kBUSM3C z8kj=4lo{T{sD$iTMsURPGZ-{6axsBo_`rShKjOO|Oq*-pc5j+dt;EO|Rg<6TQ8E^xi#k3_W0?SF2K#dD?xWh(mL2 z`j@tEhO0kTF4?qIPv~ch_=lu?bvxmRjUl{>vx?0Z8l2Ccbm!a4KWlF5XX6T z`pF_Sh4U3pUZ1r1g2EG z*yZB?O*RiM1>4&1wX0^D_=T&W=HfQaO=9deg`Z};POV_5(Nxo2mG`sx8}Gs$&wJ$N z%x-)VT|Cn@NcH76iTSy_t^uZD)>aZMe(RgFqC4$>?2=EuvqfjakzaE)6r83j9nx?4 K_5Ir!Lk|Fyj~*8Q literal 0 HcmV?d00001 diff --git a/tests/data_files/server2-in-database.crt b/tests/data_files/server2-in-database.crt new file mode 100644 index 0000000000..cc72af945d --- /dev/null +++ b/tests/data_files/server2-in-database.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELzCCAxegAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCTkwx +ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMB4X +DTE4MDMwMTIyMDYwNVoXDTI4MDMwMTIyMDYwNVowQjELMAkGA1UEBhMCTkwxETAP +BgNVBAoMCFBvbGFyU1NMMSAwHgYDVQQDDBdNYmVkIFRMUyBPQ1NQIHRlc3QgY2Vy +dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZ +rA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAo +faHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkN +HC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/ +0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO +79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIB +MJcCAwEAAaOCATQwggEwMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQG +CWCGSAGG+EIBDQQnFiVNYmVkIFRMUyBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmlj +YXRlMB0GA1UdDgQWBBSlBehkuNzfYA9QEk1gqGSvTYtDkzBjBgNVHSMEXDBagBS0 +WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoM +CFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMA4GA1UdDwEB +/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAxBggrBgEFBQcBAQQlMCMwIQYI +KwYBBQUHMAGGFWh0dHA6Ly9sb2NhbGhvc3Q6NDQ1NTANBgkqhkiG9w0BAQsFAAOC +AQEAjAC04LUv828n4PKfEsdfls6gCY/3wNDWECLBu/94EHSasqh83W05uWvLoTMq +98kPU/ZBc85EiAKABKc27Aw0x5/hvxupcdrOREfb01yxpq6gIPbpredR5rfKXzFx +4zmEujQzxrk8W3evTxD4M69yR1MbPmbyvxgr5yJPOEKuNbGkk9lXgg8RClBeRlZh +TTTyuYvL77RHqzJs6xLg9q712Sc2e4XSWqmE+bwCALjMUGnU7TQZS3sgxJYZP4/K +0MzXmBhUS+28Ih5c2Epl8LQid1n1ohL8RTEqxtPQGCIsTVx+wRKph1W0rrkEIMiw +2zyVqis29m+s4bI4oZLGvmV5Pg== +-----END CERTIFICATE----- diff --git a/tests/data_files/server2-in-database.csr b/tests/data_files/server2-in-database.csr new file mode 100644 index 0000000000..242f72419a --- /dev/null +++ b/tests/data_files/server2-in-database.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIChzCCAW8CAQAwQjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMSAw +HgYDVQQDDBdNYmVkIFRMUyBPQ1NQIHRlc3QgY2VydDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCI +p+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj ++uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ +4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYva +i0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P +6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaAAMA0GCSqGSIb3 +DQEBCwUAA4IBAQBeS/1c6B4xwf2aRgemANuebLe0ydEuW2sdrWcagCaB6X6otexo +r2Nn8/MdbBWsFuuGdKbv40nLVABQ3aJfkkDMJIy8oAWxlqYLHWZdQwGxaMXBFY3b +voqF9kcIcXcArfIGtjN5g0r1ktcxksbKxImOFaZAdwnWB/S+2FKgJodu1ECv9r5C +vZoqnuDJ4ShzCdRxSmcg2ixhBW7apy6lW1M6WKbQlcBKdh6/nToH+mdg80onGpca +NIfqv+y5BKW/u6ILuD7Znbe7NRVXpVgXjTueT9eHpUAMi8ZcXh9faKmOPQkW16X2 +u3iXGWzWj8bBmW6sze57j1X6Cn4BgmPXXAdS +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/test-ca-index.txt b/tests/data_files/test-ca-index.txt new file mode 100644 index 0000000000..fa94b343b8 --- /dev/null +++ b/tests/data_files/test-ca-index.txt @@ -0,0 +1 @@ +V 280301220605Z 1000 unknown /C=NL/O=PolarSSL/CN=Mbed TLS OCSP test cert diff --git a/tests/data_files/test-ca-index.txt.attr b/tests/data_files/test-ca-index.txt.attr new file mode 100644 index 0000000000..3a7e39e6ee --- /dev/null +++ b/tests/data_files/test-ca-index.txt.attr @@ -0,0 +1 @@ +unique_subject = no diff --git a/tests/data_files/test-ca-serial.txt b/tests/data_files/test-ca-serial.txt new file mode 100644 index 0000000000..dd11724042 --- /dev/null +++ b/tests/data_files/test-ca-serial.txt @@ -0,0 +1 @@ +1001 diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index 12835dfa54..ec6d9856a0 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf 
@@ -1,3 +1,39 @@ +[ca] +default_ca = CA_default + +[CA_default] +dir = . +certs = $dir +new_certs_dir = $dir +database = ./test-ca-index.txt +serial = ./test-ca-serial.txt + +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 3653 +policy = policy_loose + +[policy_loose] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[server_cert] +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "Mbed TLS Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +authorityInfoAccess = OCSP;URI:http://localhost:4455 + [req] x509_extensions = v3_ca distinguished_name = req_dn diff --git a/tests/suites/test_suite_x509parse_ocsp.data b/tests/suites/test_suite_x509parse_ocsp.data index e588fd9d01..489036cfa6 100644 --- a/tests/suites/test_suite_x509parse_ocsp.data +++ b/tests/suites/test_suite_x509parse_ocsp.data @@ -243,3 +243,6 @@ x509_ocsp_response_verify:"data_files/ocsp-resp-status-sig-required.der":"data_f X509 OCSP Response verification (unauthorized response status) x509_ocsp_response_verify:"data_files/ocsp-resp-status-unauthorized.der":"data_files/server2.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_BAD_RESPONSE_STATUS + +X509 OCSP Response verification (producedAt is in the future) +x509_ocsp_response_verify:"data_files/ocsp-resp-future-produced-at.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE
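Review bot: `new_certs_dir = $dir` together with `dir = .` makes `openssl ca` write a `<serial>.pem` copy of every certificate it issues (presumably `1000.pem` here, given the serial file starts at 1000) straight into tests/data_files, alongside the `-out` file the Makefile wants; nothing in the Makefile hunks lists or cleans that byproduct, so it surfaces as an untracked stray after regeneration. Pointing `new_certs_dir` at a scratch location, or adding the `.pem` byproduct to `all_intermediate`, would keep the data directory clean. A one-line comment on the section head, e.g. `# CA_default: database/serial live in this directory and are rewritten by every openssl ca run`, would also explain why the index and serial files are committed with post-issuance contents.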