Add invalid arg and issuer tests for OCSP Resp vfy

2026-04-06 12:35:36 +02:00 · 2018-03-01 22:15:28 +00:00
parent 1182bd1709
commit afc70657c2
5 changed files with 50 additions and 7 deletions
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -125,6 +125,11 @@ all_intermediate += ocsp-req-future-produced-at.der
 ocsp-resp-future-produced-at.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt
 	$(FAKETIME) -f "+9y" $(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
 all_final += ocsp-resp-future-produced-at.der
+ocsp-resp-issuer-is-signer.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt
+	$(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
+all_final += ocsp-resp-issuer-is-signed.der
+ocsp-resp-no-certs-in-resp.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt
+	$(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -resp_key_id -resp_no_certs -noverify -reqin $< -respout $@

 ################################################################
 #### Meta targets
--- a/tests/data_files/ocsp-resp-issuer-is-signer.der
+++ b/tests/data_files/ocsp-resp-issuer-is-signer.der
--- a/tests/data_files/ocsp-resp-no-certs-in-resp.der
+++ b/tests/data_files/ocsp-resp-no-certs-in-resp.der
--- a/tests/suites/test_suite_x509parse_ocsp.data
+++ b/tests/suites/test_suite_x509parse_ocsp.data
@@ -246,3 +246,18 @@ x509_ocsp_response_verify:"data_files/ocsp-resp-status-unauthorized.der":"data_f

 X509 OCSP Response verification (producedAt is in the future)
 x509_ocsp_response_verify:"data_files/ocsp-resp-future-produced-at.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE
+
+X509 OCSP Response verification (response not supplied)
+x509_ocsp_response_verify:"":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_BAD_INPUT_DATA:0
+
+X509 OCSP Response verification (empty requested certificate chain)
+x509_ocsp_response_verify:"data_files/ocsp-resp-issuer-is-signer.der":"":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":0:0
+
+X509 OCSP Response verification (issuer not found)
+x509_ocsp_response_verify:"data_files/ocsp-resp-no-certs-in-resp.der":"data_files/server2-in-database.crt":"":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_ISSUER_NOT_TRUSTED | MBEDTLS_X509_BADOCSP_RESPONSE_NOT_TRUSTED
+
+X509 OCSP Response verification (issuer found in response chain with Name ID)
+x509_ocsp_response_verify:"data_files/ocsp-resp-issuer-is-signer.der":"data_files/server2-in-database.crt":"":"data_files/test-ca-sha256.crt":0:0
+
+X509 OCSP Response verification (issuer found in untrusted chain with KeyHash ID)
+x509_ocsp_response_verify:"data_files/ocsp-resp-no-certs-in-resp.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":0:0
--- a/tests/suites/test_suite_x509parse_ocsp.function
+++ b/tests/suites/test_suite_x509parse_ocsp.function
@@ -46,6 +46,10 @@ void x509_ocsp_response_verify( char *resp_file, char *req_crt_file,
    mbedtls_x509_crt req_crt;
    mbedtls_x509_crt chain;
    mbedtls_x509_crt ca;
+    mbedtls_x509_ocsp_response *resp_ptr = NULL;
+    mbedtls_x509_crt *req_crt_ptr = NULL;
+    mbedtls_x509_crt *chain_ptr = NULL;
+    mbedtls_x509_crt *ca_ptr = NULL;
    uint32_t flags = 0;
    int ret;

@@ -54,14 +58,33 @@ void x509_ocsp_response_verify( char *resp_file, char *req_crt_file,
    mbedtls_x509_crt_init( &chain );
    mbedtls_x509_crt_init( &ca );

-    TEST_ASSERT(
-            mbedtls_x509_ocsp_response_parse_file( &resp, resp_file ) == 0 );
-    TEST_ASSERT( mbedtls_x509_crt_parse_file( &req_crt, req_crt_file ) == 0 );
-    TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, crt_chain_file ) == 0 );
-    TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
+    if ( strlen( resp_file ) != 0 )
+    {
+        ret = mbedtls_x509_ocsp_response_parse_file( &resp, resp_file );
+        TEST_ASSERT( ret == 0 );
+        resp_ptr = &resp;
+    }
+    if ( strlen( req_crt_file ) != 0 )
+    {
+        ret = mbedtls_x509_crt_parse_file( &req_crt, req_crt_file );
+        TEST_ASSERT( ret == 0 );
+        req_crt_ptr = &req_crt;
+    }
+    if ( strlen( crt_chain_file ) != 0 )
+    {
+        ret = mbedtls_x509_crt_parse_file( &chain, crt_chain_file );
+        TEST_ASSERT( ret == 0 );
+        chain_ptr = &chain;
+    }
+    if ( strlen( ca_file ) != 0 )
+    {
+        ret = mbedtls_x509_crt_parse_file( &ca, ca_file );
+        TEST_ASSERT( ret == 0 );
+        ca_ptr = &ca;
+    }

-    ret = mbedtls_x509_ocsp_response_verify( &resp, &req_crt, &chain, &ca,
-                                             &flags );
+    ret = mbedtls_x509_ocsp_response_verify( resp_ptr, req_crt_ptr, chain_ptr,
+                                             ca_ptr, &flags );
    TEST_ASSERT( ret == ( result ) );
    TEST_ASSERT( flags == (uint32_t)( flags_result ) );