updates ocsp tests; adds check for OCSP response signed by issuer.

2017-02-03 14:12:47 -03:00
parent 42a2f5858e
commit a9d5dcae58
16 changed files with 53 additions and 39 deletions
--- a/certs/ocsp/index-ca-and-intermediate-cas.txt
+++ b/certs/ocsp/index-ca-and-intermediate-cas.txt
--- a/certs/ocsp/index-intermediate1-ca-issued-certs.txt
+++ b/certs/ocsp/index-intermediate1-ca-issued-certs.txt
--- a/certs/ocsp/index-intermediate2-ca-issued-certs.txt
+++ b/certs/ocsp/index-intermediate2-ca-issued-certs.txt
--- a/certs/ocsp/index-intermediate3-ca-issued-certs.txt
+++ b/certs/ocsp/index-intermediate3-ca-issued-certs.txt
--- a/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh
+++ b/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22221 -nmin 1                                \
+    -index   certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+    -rsigner certs/ocsp/intermediate1-ca-cert.pem               \
+    -rkey    certs/ocsp/intermediate1-ca-key.pem                \
+    -CA      certs/ocsp/intermediate1-ca-cert.pem               \
+    $@
--- a/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh
+++ b/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22221 -nmin 1                                \
+    -index   certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
+    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
+    -CA      certs/ocsp/intermediate1-ca-cert.pem               \
+    $@
--- a/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh
+++ b/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22222 -nmin 1                                \
+    -index   certs/ocsp/index-intermediate2-ca-issued-certs.txt \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
+    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
+    -CA      certs/ocsp/intermediate2-ca-cert.pem               \
+    $@
--- a/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh
+++ b/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22223 -nmin 1                                \
+    -index   certs/ocsp/index-intermediate3-ca-issued-certs.txt \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem                 \
+    -rkey    certs/ocsp/ocsp-responder-key.pem                  \
+    -CA      certs/ocsp/intermediate3-ca-cert.pem               \
+    $@
--- a/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh
+++ b/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22220 -nmin 1                          \
+    -index   certs/ocsp/index-ca-and-intermediate-cas.txt \
+    -rsigner certs/ocsp/ocsp-responder-cert.pem           \
+    -rkey    certs/ocsp/ocsp-responder-key.pem            \
+    -CA      certs/ocsp/root-ca-cert.pem                  \
+    $@
--- a/certs/ocsp/ocspd0.sh
+++ b/certs/ocsp/ocspd0.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22220 -nmin 1                \
-    -index   certs/ocsp/index0.txt              \
-    -rsigner certs/ocsp/ocsp-responder-cert.pem \
-    -rkey    certs/ocsp/ocsp-responder-key.pem  \
-    -CA      certs/ocsp/root-ca-cert.pem        \
-    $@
--- a/certs/ocsp/ocspd1.sh
+++ b/certs/ocsp/ocspd1.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22221 -nmin 1                  \
-    -index   certs/ocsp/index1.txt                \
-    -rsigner certs/ocsp/ocsp-responder-cert.pem   \
-    -rkey    certs/ocsp/ocsp-responder-key.pem    \
-    -CA      certs/ocsp/intermediate1-ca-cert.pem \
-    $@
--- a/certs/ocsp/ocspd2.sh
+++ b/certs/ocsp/ocspd2.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22222 -nmin 1                  \
-    -index   certs/ocsp/index2.txt                \
-    -rsigner certs/ocsp/ocsp-responder-cert.pem   \
-    -rkey    certs/ocsp/ocsp-responder-key.pem    \
-    -CA      certs/ocsp/intermediate2-ca-cert.pem \
-    $@
--- a/certs/ocsp/ocspd3.sh
+++ b/certs/ocsp/ocspd3.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22223 -nmin 1                  \
-    -index   certs/ocsp/index3.txt                \
-    -rsigner certs/ocsp/ocsp-responder-cert.pem   \
-    -rkey    certs/ocsp/ocsp-responder-key.pem    \
-    -CA      certs/ocsp/intermediate3-ca-cert.pem \
-    $@
--- a/scripts/ocsp-stapling.test
+++ b/scripts/ocsp-stapling.test
@@ -18,7 +18,7 @@ RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1

 # setup ocsp responder
-./certs/ocsp/ocspd1.sh &
+./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
 sleep 1
 [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0

--- a/scripts/ocsp-stapling2.test
+++ b/scripts/ocsp-stapling2.test
@@ -7,9 +7,9 @@ trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
 [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1

 # setup ocsp responders
-./certs/ocsp/ocspd0.sh &
-./certs/ocsp/ocspd2.sh &
-./certs/ocsp/ocspd3.sh &
+./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
+./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
+./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
 sleep 1
 [ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0

--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -10768,10 +10768,16 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
        }

        if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
-            WOLFSSL_MSG("\tOCSP Responder key usage check failed");
+            if (XMEMCMP(cert.subjectHash,
+                        resp->issuerHash, KEYID_SIZE) == 0) {
+                WOLFSSL_MSG("\tOCSP Response signed by issuer");
+            }
+            else {
+                WOLFSSL_MSG("\tOCSP Responder key usage check failed");

-            FreeDecodedCert(&cert);
-            return BAD_OCSP_RESPONDER;
+                FreeDecodedCert(&cert);
+                return BAD_OCSP_RESPONDER;
+            }
        }

        /* ConfirmSignature is blocking here */