Add OCSP resp tests for producedAt nextUpdate thisUpdate

Modify the existing tests for producedAt as in reality it was also testing
for an invalid thisUpdate value. Also add tests for each of the
components independently. That is, a different response for each case:
    * future producedAt
    * expired nextUpdate
    * future thisUpdate
    * future producedAt and thisUpdate
Andres Amaya Garcia
2018-03-06 21:24:46 +00:00
parent b61d90202f
commit d0fa371729
6 changed files with 30 additions and 4 deletions


@@ -119,17 +119,34 @@ ocsp-resp-status-unauthorized.der:
@printf "\x30\x03\x0A\x01\x06" > $@
all_final += ocsp-resp-status-unauthorized.der
# The ocsp-resp-invalid-signature.der, ocsp-resp-future-this-update.der and
# ocsp-resp-future-produced-at.der targets print the binary data corrensponding
# to a generated ocsp-resp-no-certs-in-resp.der with a manually modified byte
# in the signature bitstring, producedAt and thisUpdate respectively to cause
# failures in the signature verification and time checks
ocsp-resp-invalid-signature.der:
@printf "\x30\x82\x01\xB1\x0A\x01\x00\xA0\x82\x01\xAA\x30\x82\x01\xA6\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01\x04\x82\x01\x97\x30\x82\x01\x93\x30\x7D\xA2\x16\x04\x14\xB4\x5A\xE4\xA5\xB3\xDE\xD2\x52\xF6\xB9\xD5\xA6\x95\x0F\xEB\x3E\xBC\xC7\xFD\xFF\x18\x0F\x32\x30\x31\x38\x30\x33\x30\x31\x32\x32\x30\x36\x30\x39\x5A\x30\x52\x30\x50\x30\x3B\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x04\x14\x0A\x15\x68\xA6\xD1\x87\x1F\x63\xAD\x9E\xDD\xB6\xB1\xCF\x6D\x46\xF2\x02\x09\x07\x04\x14\xB4\x5A\xE4\xA5\xB3\xDE\xD2\x52\xF6\xB9\xD5\xA6\x95\x0F\xEB\x3E\xBC\xC7\xFD\xFF\x02\x02\x10\x00\x80\x00\x18\x0F\x32\x30\x31\x38\x30\x33\x30\x31\x32\x32\x30\x36\x30\x39\x5A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x03\xB3\x6E\xB8\xFC\x74\x98\x28\x06\x1D\x4A\x25\x8F\x0E\x92\xD3\xB2\x02\xC8\xFE\x30\xD2\x59\xAA\x6C\xB0\x52\xC5\x71\x50\xC1\x37\x33\x5D\xBD\xDC\x0F\x0F\xF1\x81\x74\x8C\x7B\xA7\x4E\xFE\xC7\xB1\x70\xF2\xE8\x42\xC7\x4D\x05\x35\x66\xAC\xD3\xF8\x18\x78\x2B\x65\xB7\x46\x3F\x71\x9D\xC4\xD3\xC6\x71\xA0\x1B\x5E\xE5\x6E\x78\xAE\xB1\xA6\x5B\x02\x45\x3A\x73\x44\xAA\xCF\xA1\x60\xB7\xD0\x8C\x84\xA0\xA4\x96\x89\x96\x5F\xD8\x1D\xFA\x0E\xBD\xE5\x5F\xD6\x87\x59\x4F\x0B\xE4\x85\x0F\x3F\xDC\x47\xEA\xF0\xC2\x11\xD3\xE4\x00\x2D\x9A\x86\xCC\x47\x47\x86\xC8\xFF\x52\x7D\x0B\xB9\xC1\x74\xD2\xA6\x96\x5F\x16\x7E\x42\xFB\xF6\x8D\xA5\xD7\x6E\x3C\xC3\xD3\x0E\x11\x47\xB9\x70\x71\xB8\x49\x98\xF5\x2F\xE7\x1B\x52\x4E\xB2\x3E\xB9\x46\xAD\x89\x9E\x7C\x7F\xF7\x51\xD9\x5C\x66\x12\x45\x5A\xE9\xD7\x80\x66\xA3\x19\xAE\x3D\x7D\xF2\x01\x60\x03\x4C\x85\x60\x51\x5C\x31\x91\xA4\xAB\x95\x21\xB5\xEB\xA8\x9D\xCF\x29\xD8\x78\x43\xF7\xA5\xD9\x8B\xC0\x88\xF6\xCE\xC5\x12\xC7\x21\x51\x44\x34\x43\xD1\x1E\x2F\xCD\x88\x8D\x47\x86\xED\x7C\x71\x55\x71\x0C\x09\xBC\x47" > $@
all_final += ocsp-resp-invalid-signature.der
ocsp-resp-future-produced-at.der:
@printf "\x30\x82\x01\xB1\x0A\x01\x00\xA0\x82\x01\xAA\x30\x82\x01\xA6\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01\x04\x82\x01\x97\x30\x82\x01\x93\x30\x7D\xA2\x16\x04\x14\xB4\x5A\xE4\xA5\xB3\xDE\xD2\x52\xF6\xB9\xD5\xA6\x95\x0F\xEB\x3E\xBC\xC7\xFD\xFF\x18\x0F\x32\x30\x32\x38\x30\x33\x30\x31\x32\x32\x30\x36\x30\x39\x5A\x30\x52\x30\x50\x30\x3B\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x04\x14\x0A\x15\x68\xA6\xD1\x87\x1F\x63\xAD\x9E\xDD\xB6\xB1\xCF\x6D\x46\xF2\x02\x09\x07\x04\x14\xB4\x5A\xE4\xA5\xB3\xDE\xD2\x52\xF6\xB9\xD5\xA6\x95\x0F\xEB\x3E\xBC\xC7\xFD\xFF\x02\x02\x10\x00\x80\x00\x18\x0F\x32\x30\x31\x38\x30\x33\x30\x31\x32\x32\x30\x36\x30\x39\x5A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x03\xB3\x6E\xB8\xFC\x74\x98\x28\x06\x1D\x4A\x25\x8F\x0E\x92\xD3\xB2\x02\xC8\xFE\x30\xD2\x59\xAA\x6C\xB0\x52\xC5\x71\x50\xC1\x37\x33\x5D\xBD\xDC\x0F\x0F\xF1\x81\x74\x8C\x7B\xA7\x4E\xFE\xC7\xB1\x70\xF2\xE8\x42\xC7\x4D\x05\x35\x66\xAC\xD3\xF8\x18\x78\x2B\x65\xB7\x46\x3F\x71\x9D\xC4\xD3\xC6\x71\xA0\x1B\x5E\xE5\x6E\x78\xAE\xB1\xA6\x5B\x02\x45\x3A\x73\x44\xAA\xCF\xA1\x60\xB7\xD0\x8C\x84\xA0\xA4\x96\x89\x96\x5F\xD8\x1D\xFA\x0E\xBD\xE5\x5F\xD6\x87\x59\x4F\x0B\xE4\x85\x0F\x3F\xDC\x47\xEA\xF0\xC2\x11\xD3\xE4\x00\x2D\x9A\x86\xCC\x47\x47\x86\xC8\xFF\x52\x7D\x0B\xB9\xC1\x74\xD2\xA6\x96\x5F\x16\x7E\x42\xFB\xF6\x8D\xA5\xD7\x6E\x3C\xC3\xD3\x0E\x11\x47\xB9\x70\x71\xB8\x49\x98\xF5\x2F\xE7\x1B\x52\x4E\xB2\x3E\xB9\x46\xAD\x89\x9E\x7C\x7F\xF7\x51\xD9\x5C\x66\x12\x45\x5A\xE9\xD7\x80\x66\xA3\x19\xAE\x3D\x7D\xF2\x01\x60\x03\x4C\x85\x60\x51\x5C\x31\x91\xA4\xAB\x95\x21\xB5\xEB\xA8\x9D\xCF\x29\xD8\x78\x43\xF7\xA5\xD9\x8B\xC0\x88\xF6\xCE\xC5\x12\xC7\x21\x51\x44\x34\x43\xD1\x1E\x2F\xCD\x88\x8D\x47\x86\xED\x7C\x71\x55\x71\x0C\x09\xBC\x46" > $@
all_final += ocsp-resp-future-produced-at.der
ocsp-resp-future-this-update.der:
@printf "\x30\x82\x01\xB1\x0A\x01\x00\xA0\x82\x01\xAA\x30\x82\x01\xA6\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01\x04\x82\x01\x97\x30\x82\x01\x93\x30\x7D\xA2\x16\x04\x14\xB4\x5A\xE4\xA5\xB3\xDE\xD2\x52\xF6\xB9\xD5\xA6\x95\x0F\xEB\x3E\xBC\xC7\xFD\xFF\x18\x0F\x32\x30\x31\x38\x30\x33\x30\x31\x32\x32\x30\x36\x30\x39\x5A\x30\x52\x30\x50\x30\x3B\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x04\x14\x0A\x15\x68\xA6\xD1\x87\x1F\x63\xAD\x9E\xDD\xB6\xB1\xCF\x6D\x46\xF2\x02\x09\x07\x04\x14\xB4\x5A\xE4\xA5\xB3\xDE\xD2\x52\xF6\xB9\xD5\xA6\x95\x0F\xEB\x3E\xBC\xC7\xFD\xFF\x02\x02\x10\x00\x80\x00\x18\x0F\x32\x30\x32\x38\x30\x33\x30\x31\x32\x32\x30\x36\x30\x39\x5A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x03\xB3\x6E\xB8\xFC\x74\x98\x28\x06\x1D\x4A\x25\x8F\x0E\x92\xD3\xB2\x02\xC8\xFE\x30\xD2\x59\xAA\x6C\xB0\x52\xC5\x71\x50\xC1\x37\x33\x5D\xBD\xDC\x0F\x0F\xF1\x81\x74\x8C\x7B\xA7\x4E\xFE\xC7\xB1\x70\xF2\xE8\x42\xC7\x4D\x05\x35\x66\xAC\xD3\xF8\x18\x78\x2B\x65\xB7\x46\x3F\x71\x9D\xC4\xD3\xC6\x71\xA0\x1B\x5E\xE5\x6E\x78\xAE\xB1\xA6\x5B\x02\x45\x3A\x73\x44\xAA\xCF\xA1\x60\xB7\xD0\x8C\x84\xA0\xA4\x96\x89\x96\x5F\xD8\x1D\xFA\x0E\xBD\xE5\x5F\xD6\x87\x59\x4F\x0B\xE4\x85\x0F\x3F\xDC\x47\xEA\xF0\xC2\x11\xD3\xE4\x00\x2D\x9A\x86\xCC\x47\x47\x86\xC8\xFF\x52\x7D\x0B\xB9\xC1\x74\xD2\xA6\x96\x5F\x16\x7E\x42\xFB\xF6\x8D\xA5\xD7\x6E\x3C\xC3\xD3\x0E\x11\x47\xB9\x70\x71\xB8\x49\x98\xF5\x2F\xE7\x1B\x52\x4E\xB2\x3E\xB9\x46\xAD\x89\x9E\x7C\x7F\xF7\x51\xD9\x5C\x66\x12\x45\x5A\xE9\xD7\x80\x66\xA3\x19\xAE\x3D\x7D\xF2\x01\x60\x03\x4C\x85\x60\x51\x5C\x31\x91\xA4\xAB\x95\x21\xB5\xEB\xA8\x9D\xCF\x29\xD8\x78\x43\xF7\xA5\xD9\x8B\xC0\x88\xF6\xCE\xC5\x12\xC7\x21\x51\x44\x34\x43\xD1\x1E\x2F\xCD\x88\x8D\x47\x86\xED\x7C\x71\x55\x71\x0C\x09\xBC\x46" > $@
all_final += ocsp-resp-future-this-update.der
ocsp-req-for-server2-in-database.der: server2-in-database.crt test-ca-sha256.crt
$(OPENSSL) ocsp -issuer test-ca-sha256.crt -cert server2-in-database.crt -no_nonce -reqout $@
all_intermediate += ocsp-req-future-produced-at.der
ocsp-resp-future-produced-at.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt
ocsp-resp-future-produced-at-this-update.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt
$(FAKETIME) -f "+9y" $(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
all_final += ocsp-resp-future-produced-at.der
all_final += ocsp-resp-future-produced-at-this-update.der
ocsp-resp-issuer-is-signer.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt
$(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -noverify -reqin $< -respout $@
all_final += ocsp-resp-issuer-is-signed.der
ocsp-resp-no-certs-in-resp.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt
$(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -resp_key_id -resp_no_certs -noverify -reqin $< -respout $@
ocsp-resp-expired-next-update.der: ocsp-req-for-server2-in-database.der test-ca-index.txt test-ca-sha256.crt
$(OPENSSL) ocsp -rsigner test-ca-sha256.crt -index test-ca-index.txt -rkey $(test_ca_key_file_rsa) -CA test-ca-sha256.crt -noverify -nmin 0 -reqin $< -respout $@
all_final += ocsp-resp-expired-next-update.der
################################################################
#### Meta targets
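Review bot: the line `all_intermediate += ocsp-req-future-produced-at.der` names a file that no rule in this hunk produces; the request rule directly above it builds `ocsp-req-for-server2-in-database.der`, so that is the name that belongs in `all_intermediate` (as written, the real request file is never treated as an intermediate). Two smaller points in the same hunk: `all_final += ocsp-resp-issuer-is-signed.der` does not match its target `ocsp-resp-issuer-is-signer.der`, and the comment block has a typo (`corrensponding`). The rendering here has lost the +/- markers, so please confirm that the old faketime-based rule for `ocsp-resp-future-produced-at.der` and its `all_final` line are the ones being removed, since the new printf rule defines the same target. Finally, the hand-edited blobs hard-code the GeneralizedTime `20280301220609Z` (bytes `\x32\x30\x32\x38\x30\x33...`) for producedAt and thisUpdate respectively, and the faketime rule uses a relative `+9y` at generation time, so these fixtures stop being "in the future" once the clock passes those dates and the FUTURE tests will start failing; a comment recording the generation date, or a much later year in the patched bytes, would make that failure mode obvious to whoever hits it.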


@@ -244,8 +244,11 @@ x509_ocsp_response_verify:"data_files/ocsp-resp-status-sig-required.der":"data_f
X509 OCSP Response verification (unauthorized response status)
x509_ocsp_response_verify:"data_files/ocsp-resp-status-unauthorized.der":"data_files/server2.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_BAD_RESPONSE_STATUS
X509 OCSP Response verification (producedAt is in the future)
x509_ocsp_response_verify:"data_files/ocsp-resp-future-produced-at.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE
X509 OCSP Response verification (future producedAt and thisUpdate)
x509_ocsp_response_verify:"data_files/ocsp-resp-future-produced-at-this-update.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE
X509 OCSP Response verification (future producedAt only)
x509_ocsp_response_verify:"data_files/ocsp-resp-future-produced-at.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE | MBEDTLS_X509_BADOCSP_RESPONSE_NOT_TRUSTED
X509 OCSP Response verification (response not supplied)
x509_ocsp_response_verify:"":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_BAD_INPUT_DATA:0
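Review bot: the entries "producedAt is in the future" and "future producedAt only" both load `data_files/ocsp-resp-future-produced-at.der` but expect different results (`MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE` alone versus `MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE | MBEDTLS_X509_BADOCSP_RESPONSE_NOT_TRUSTED`); only one of them can pass, so make sure the first is the line being removed and not left behind. Since the "only" variant is produced by patching a byte of an already-signed response, the signature check is expected to fail as well; a one-line comment in the .data file stating that NOT_TRUSTED is intended there (and not a regression in the time checks) would save the next reader from chasing it.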
@@ -267,3 +270,9 @@ x509_ocsp_response_verify:"data_files/ocsp-resp-invalid-signature.der":"data_fil
X509 OCSP Response verification (no SingleResponse for certificate)
x509_ocsp_response_verify:"data_files/ocsp-resp-issuer-is-signer.der":"data_files/server2.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_INCOMPLETE
X509 OCSP Response verification (SingleResponse future thisUpdate)
x509_ocsp_response_verify:"data_files/ocsp-resp-future-this-update.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE | MBEDTLS_X509_BADOCSP_RESPONSE_NOT_TRUSTED
X509 OCSP Response verification (SingleResponse expired nextUpdate)
x509_ocsp_response_verify:"data_files/ocsp-resp-expired-next-update.der":"data_files/server2-in-database.crt":"data_files/test-ca-sha256.crt":"data_files/test-ca-sha256.crt":MBEDTLS_ERR_X509_OCSP_RESPONSE_VERIFY_FAILED:MBEDTLS_X509_BADOCSP_RESPONSE_EXPIRED
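Review bot: "SingleResponse future thisUpdate" and the producedAt cases in the previous hunk all expect the same `MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE` flag, so these tests cannot tell which of the two time checks fired; that is acceptable if the verifier deliberately reports both through one flag, but it is worth saying so in the test descriptions, since the only thing separating the cases is the choice of fixture. The "SingleResponse expired nextUpdate" entry expects `MBEDTLS_X509_BADOCSP_RESPONSE_EXPIRED` without NOT_TRUSTED, which is consistent with the fixture being a properly signed response from `openssl ocsp -nmin 0` (nextUpdate equal to thisUpdate); unlike the future-date fixtures it remains a valid test as time advances.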