Add OCSP response issuer verification tests

2026-04-06 12:35:36 +02:00 · 2018-03-15 22:44:21 +00:00
parent 75d24d8e35
commit c502d3c9f4
12 changed files with 121 additions and 1 deletions
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -105,6 +105,20 @@ server2_server2-in-database_server2-in-database-revoked.crt: server2.crt server2
 	cat $^ > $@
 all_final += server2_server2-in-database_server2-in-database-revoked.crt

+server2-ca.csr: server2.key
+	$(OPENSSL) req -new -sha256 -key $< -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Server 2 Test CA" -out $@
+all_intermediate += server2-ca.csr
+server2-ca.crt: server2-ca.csr $(test_ca_key_file_rsa) $(test_ca_config_file)
+	$(OPENSSL) ca -config $(test_ca_config_file) -keyfile $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -cert test-ca-sha256.crt -notext -batch -extensions v3_intermediate_ca -days 3653 -md sha256 -in $< -out $@
+all_final += server2-ca.crt
+
+authorized-ocsp-responder-for-server2-ca.csr: server2.key
+	$(OPENSSL) req -new -sha256 -key $< -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=OCSP Responder for PolarSSL Server 2 Test CA" -out $@
+all_intermediate += authorized-ocsp-responder-for-server2-ca.csr
+authorized-ocsp-responder-for-server2-ca.crt: authorized-ocsp-responder-for-server2-ca.csr server2.key $(cli_crt_extensions_file)
+	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -CAkey server2.key -passin "pass:$(test_ca_pwd_rsa)" -CA server2-ca.crt -extensions ocsp -days 3653 -set_serial 20 -sha256 -in $< -out $@
+all_final += authorized-ocsp-responder-for-server2-ca.crt
+
 ################################################################
 #### Generate OCSP responses using existing certificates
 ################################################################
@@ -177,6 +191,15 @@ all_final += ocsp-resp-unknown-cert.der
 ocsp-resp-good-revoked-unknown.der: ocsp-req-for-good-revoked-unknown.der test-ca-index.txt test-ca-sha256.crt
 	$(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
 all_final += ocsp-resp-good-revoked-unknown.der
+ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der: ocsp-req-for-server2-in-database.der server2-ocsp.crt server2.key test-ca-index.txt
+	$(OPENSSL) ocsp -rsigner server2-ocsp.crt -index test-ca-index.txt -rkey server2.key -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
+all_final += ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der
+ocsp-resp-fail-issuer-checks.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt server2-ca.crt server2.key
+	$(OPENSSL) ocsp -rsigner server2-ca.crt -index test-ca-index.txt -rkey server2.key -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
+all_final += ocsp-resp-fail-issuer-checks.der
+ocsp-resp-fail-unauthorized-issuer.der: ocsp-req-for-server2-in-database.der test-ca-index.txt server2-ca.crt server2.key
+	$(OPENSSL) ocsp -rsigner authorized-ocsp-responder-for-server2-ca.crt -index test-ca-index.txt -rkey server2.key -CA server2-ca.crt -noverify -reqin $< -respout $@
+all_final += ocsp-resp-fail-unauthorized-issuer.der

 ################################################################
 #### Meta targets
--- a/tests/data_files/authorized-ocsp-responder-for-server2-ca.crt
+++ b/tests/data_files/authorized-ocsp-responder-for-server2-ca.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIBFDANBgkqhkiG9w0BAQsFADBEMQswCQYDVQQGEwJOTDER
+MA8GA1UEChMIUG9sYXJTU0wxIjAgBgNVBAMTGVBvbGFyU1NMIFNlcnZlciAyIFRl
+c3QgQ0EwHhcNMTgwMzE1MjIzNDEzWhcNMjgwMzE1MjIzNDEzWjBXMQswCQYDVQQG
+EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxNTAzBgNVBAMTLE9DU1AgUmVzcG9uZGVy
+IGZvciBQb2xhclNTTCBTZXJ2ZXIgMiBUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin
+7h5rlqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP6
+4bF22JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh
+2oIQZn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qL
+RF7iGMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/o
+NJhby3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABo4GHMIGEMAkGA1Ud
+EwQCMAAwHQYDVR0OBBYEFKUF6GS43N9gD1ASTWCoZK9Ni0OTMB8GA1UdIwQYMBaA
+FKUF6GS43N9gD1ASTWCoZK9Ni0OTMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8E
+DDAKBggrBgEFBQcDCTAPBgkrBgEFBQcwAQUEAgUAMA0GCSqGSIb3DQEBCwUAA4IB
+AQBmRotfiFt1dDokwLqN9gl9AI0LUmncxOvQvNReBJYTlQW5DUc2kwC9QutIgyME
+IMwZIvaMSrJBzbfCjmGXo22sdkGFd+Lk9HkzYqsB09njtE7ir+EDmoHf9d8KhZ38
+cDEN7aHTgjM5SE7AI6dOlp/nteY81LX2oP0I2S/5GR8rtUq1euo+lEc4zNXS/VKL
+vNAE0jAvpKNj9xtgDwVbuor497vnjr71ESuwpCFcts85dHsDZ8ahslTlxLzOU/WO
+q7G+orUpacjsluGUJU0duB0Ysk10uNEJyZYZmvYrHs4WeEwZ6WAZOaO1PALgzZtQ
+6xsgD+QAJYM5ek92w7eskZsZ
+-----END CERTIFICATE-----
--- a/tests/data_files/authorized-ocsp-responder-for-server2-ca.csr
+++ b/tests/data_files/authorized-ocsp-responder-for-server2-ca.csr
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICnDCCAYQCAQAwVzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMTUw
+MwYDVQQDEyxPQ1NQIFJlc3BvbmRlciBmb3IgUG9sYXJTU0wgU2VydmVyIDIgVGVz
+dCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJ
+criZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSM
+nLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgf
+oNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG
+0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/Ew
+yEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf3
+6hIBMJcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAa0QS1/vmGR3Ldol8IHLj5
+EB6ZOYymdkywvDoZ4ALGnkKDin7yI6CO1S3kx4QT6lhwemaLwEiZVK9+H8WZJGXZ
+x+fskjFrkdSs5hsTGyvHlGt4pRYL/DYpoG67ePwkLIkusRWUTGVMDJEDQZtleEAv
+XaYGLg+nkbCRzoSdEfkQB+rkTSxN5DdgTywXOdGIpNGsMxevY4fxh5M69+cDt+xF
+0CU2P+LWxY+LvInIAOfxNG8T4WkkX5uq+pLahWVK2s3oGANVvAO03y6cs+o0ue8d
+yLEsI1W9ANFYTlI2hdqwY4ZW9LwERarQpYjf4yvxWVnenhKvJb6Nq3k/sswwD2kn
+-----END CERTIFICATE REQUEST-----
--- a/tests/data_files/ocsp-resp-fail-issuer-checks.der
+++ b/tests/data_files/ocsp-resp-fail-issuer-checks.der
--- a/tests/data_files/ocsp-resp-fail-unauthorized-issuer.der
+++ b/tests/data_files/ocsp-resp-fail-unauthorized-issuer.der
--- a/tests/data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der
+++ b/tests/data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der
--- a/tests/data_files/server2-ca.crt
+++ b/tests/data_files/server2-ca.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYTCCAkmgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMB4X
+DTE4MDMxNTIyMDMzNFoXDTI4MDMxNTIyMDMzNFowRDELMAkGA1UEBhMCTkwxETAP
+BgNVBAoTCFBvbGFyU1NMMSIwIAYDVQQDExlQb2xhclNTTCBTZXJ2ZXIgMiBUZXN0
+IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwU2j3efNHdEE10ly
+uJmsDnjkOjxKzzoTFtBa5M2jAIin7h5rlqdStJDvLXJ6PiSa/LY0rCT1d+AmZIyc
+sCh9odrqjObJHJa8/sEEUrM21KP64bF22JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g
+2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQZn2uVCuLZXmRoeJhw81ASQjuaAzxi4bS
+Rr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7iGMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDI
+Sg7v1t7HxydrxwU9esQCPJodPg/oNJhby3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fq
+EgEwlwIDAQABo2YwZDAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYD
+VR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wEgYDVR0TAQH/BAgwBgEB/wIB
+ADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAAxGjaP8S+SQate+
+4lcvRq0GuzCcDY+sfS2vGkovYZl+w9prLjnazHkSL0bSrqeG1hk82dL5mzsV5mYv
+U8dNd80cnpY/vgYGGcBU1aR04yU9O4WiVKaVWIc7dHBJc/0S00hNTpAt1u/HyIPT
+HU+VENzR7vI4oRL1v4mwVpwApaAvZiyY21g5cMLxySsShYiswR7ldpsAxkFLNj6a
+Mi9KzCEkrLdz0+t36diJ8m2aC/d3siCDcXYKfITgLoRND3zeq0v0kjFHkxbXnWie
+zVg5qTJEa55zoqyWlalld4EeCE1wHCrw5uou0tDNAeNeUy68quomZTU22FOp9haK
+2Uqobs=
+-----END CERTIFICATE-----
--- a/tests/data_files/server2-ca.csr
+++ b/tests/data_files/server2-ca.csr
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICiTCCAXECAQAwRDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMSIw
+IAYDVQQDExlQb2xhclNTTCBTZXJ2ZXIgMiBUZXN0IENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2j
+AIin7h5rlqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM2
+1KP64bF22JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1
+AJDh2oIQZn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+F
+i9qLRF7iGMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJod
+Pg/oNJhby3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABoAAwDQYJKoZI
+hvcNAQELBQADggEBACvv/JLX4bK7C9XI24LkImA4My+KXQg4uGzhoN/pBYeKRsv5
+dxZ+bvVT7DBlHeoJhzr2a1XGJiLB/kpllzlHy2oEiA/6qs7LC9VhAa/9wjjntraA
+gwF9oxQXxuQ1IYfWaFmvHx9A0kOAhO36zDzEJXsM0L7LHTxpfjIJNCumRsH8oBpr
+xkvFw34DBxyB6DATNStbM4UlGGzumOz0+rWkoJ2adjLT1jDRyJJIBgCaVB8+i1JH
+Ckn/XDKLl8XQv0O4twFD0bjfKQvRLah086M3s2YeGQwrHuyPAk3+1LzQxra0HkEG
+ecM4D68G+ZImdm1DPaHKq3AXd7M1es9xfYnMrIs=
+-----END CERTIFICATE REQUEST-----
--- a/tests/data_files/test-ca-index.txt
+++ b/tests/data_files/test-ca-index.txt
@@ -1,2 +1,3 @@
 V	280301220605Z		1000	unknown	/C=NL/O=PolarSSL/CN=Mbed TLS OCSP test cert
 R	280306220741Z	180306220741Z	1001	unknown	/C=NL/O=PolarSSL/CN=Mbed TLS OCSP revoked test cert
+V	280315220334Z		1002	unknown	/C=NL/O=PolarSSL/CN=PolarSSL Server 2 Test CA
--- a/tests/data_files/test-ca-serial.txt
+++ b/tests/data_files/test-ca-serial.txt
@@ -1 +1 @@
-1002
+1003
--- a/tests/data_files/test-ca.opensslconf
+++ b/tests/data_files/test-ca.opensslconf
@@ -47,3 +47,9 @@ commonName = PolarSSL Test CA
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = CA:true
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
--- a/tests/suites/test_suite_x509parse_ocsp.data
+++ b/tests/suites/test_suite_x509parse_ocsp.data
@@ -285,3 +285,18 @@ x509_ocsp_response_verify:"data_files/ocsp-resp-unknown-cert.der":"data_files/se

 X509 OCSP Response verification (SingleResponse cert status good, revoked and unknown)
 x509_ocsp_response_verify:"data_files/ocsp-resp-good-revoked-unknown.der":"data_files/server2_server2-in-database_server2-in-database-revoked.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_UNKNOWN_CERT | MBEDTLS_X509_BADOCSP_RESPONSE_REVOKED_CERT
+
+X509 OCSP Response verification (Issuer has id-pk-OCSPSigning and common parent in trusted CA chain)
+x509_ocsp_response_verify:"data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der":"data_files/server2-in-database.crt":"":"data_files/test-ca-sha256.crt":0:0
+
+X509 OCSP Response verification (Issuer has id-pk-OCSPSigning and common parent in untrusted chain)
+x509_ocsp_response_verify:"data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"":0:0
+
+X509 OCSP Response verification (Issuer has id-pk-OCSPSigning, but no common parent)
+x509_ocsp_response_verify:"data_files/ocsp-resp-issuer-server2-ocsp-for-server2-in-database.der":"data_files/server2-in-database.crt":"":"":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_ISSUER_NOT_TRUSTED
+
+X509 OCSP Response verification (Issuer has common parent, but does not have id-kp-OCSPSigning)
+x509_ocsp_response_verify:"data_files/ocsp-resp-fail-issuer-checks.der":"data_files/server2-in-database.crt":"data_files/server2-ca.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_BAD_INPUT_DATA:MBEDTLS_X509_BADOCSP_RESPONSE_ISSUER_NOT_TRUSTED
+
+X509 OCSP Response verification (Issuer has id-pk-OCSPSigning, but no common parent with queried certificate)
+x509_ocsp_response_verify:"data_files/ocsp-resp-fail-unauthorized-issuer.der":"data_files/server2-in-database.crt":"data_files/server2-ca.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_ISSUER_NOT_TRUSTED | MBEDTLS_X509_BADOCSP_RESPONSE_UNKNOWN_CERT