ocsp: add test for response with unusable internal cert

- Added a new test case `resp_bad_embedded_cert` in `create_ocsp_test_blobs.py` to test OCSP response with an unusable internal cert that can be verified in Cert Manager. - Updated `test_ocsp_response_parsing` in `ocsp.c` to include the new test case. - Ensured the new test case checks for proper handling of OCSP responses with incorrect internal certificates.
2025-08-01 03:34:39 +02:00 · 2025-02-05 16:36:52 +00:00
parent 2c2eb2a285
commit 3724094ce2
2 changed files with 29 additions and 0 deletions
--- a/tests/api/create_ocsp_test_blobs.py
+++ b/tests/api/create_ocsp_test_blobs.py
@@ -382,6 +382,23 @@ if __name__ == '__main__':
            'responder_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
            'name': 'resp_bad_noauth'
        },
+        {
+            'response_status': 0,
+            'signature_algorithm': signature_algorithm(),
+            'responder_by_name': True,
+            'responses': [
+                {
+                    'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
+                    'serial': 0x01,
+                    'status': CERT_GOOD
+                },
+            ],
+            # unrelated cert
+            'certs_path' : [WOLFSSL_OCSP_CERT_PATH + 'intermediate2-ca-cert.pem'],
+            'responder_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
+            'responder_key': WOLFSSL_OCSP_CERT_PATH + 'root-ca-key.pem',
+            'name': 'resp_bad_embedded_cert'
+        },
    ]

    with open('./tests/api/ocsp_test_blobs.h', 'w') as f:
--- a/tests/api/test_ocsp.c
+++ b/tests/api/test_ocsp.c
@@ -141,6 +141,18 @@ int test_ocsp_response_parsing(void)
 #endif
    ret = test_ocsp_response_with_cm(&conf, expectedRet);
    ExpectIntEQ(ret, TEST_SUCCESS);
+
+    /* Test response with unusable internal cert but that can be verified in CM */
+    conf.resp = (unsigned char*)resp_bad_embedded_cert;  // Response with wrong internal cert
+    conf.respSz = sizeof(resp_bad_embedded_cert);
+    conf.ca0 = root_ca_cert_pem;     // Root CA cert
+    conf.ca0Sz = sizeof(root_ca_cert_pem);
+    conf.ca1 = NULL;
+    conf.ca1Sz = 0;
+    conf.targetCert = intermediate1_ca_cert_pem;
+    conf.targetCertSz = sizeof(intermediate1_ca_cert_pem);
+    ExpectIntEQ(test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS), TEST_SUCCESS);
+
    return EXPECT_SUCCESS();
 }
 #else  /* HAVE_OCSP */