diff --git a/tests/api/create_ocsp_test_blobs.py b/tests/api/create_ocsp_test_blobs.py
index 82c2cfde9..f86547081 100644
--- a/tests/api/create_ocsp_test_blobs.py
+++ b/tests/api/create_ocsp_test_blobs.py
@@ -382,6 +382,23 @@ if __name__ == '__main__':
 'responder_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
 'name': 'resp_bad_noauth'
 },
+ {
+ 'response_status': 0,
+ 'signature_algorithm': signature_algorithm(),
+ 'responder_by_name': True,
+ 'responses': [
+ {
+ 'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
+ 'serial': 0x01,
+ 'status': CERT_GOOD
+ },
+ ],
+ # unrelated cert
+ 'certs_path' : [WOLFSSL_OCSP_CERT_PATH + 'intermediate2-ca-cert.pem'],
+ 'responder_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
+ 'responder_key': WOLFSSL_OCSP_CERT_PATH + 'root-ca-key.pem',
+ 'name': 'resp_bad_embedded_cert'
+ },
 ]

 with open('./tests/api/ocsp_test_blobs.h', 'w') as f:
diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c
index 299b45265..d17711a0c 100644
--- a/tests/api/test_ocsp.c
+++ b/tests/api/test_ocsp.c
@@ -141,6 +141,18 @@ int test_ocsp_response_parsing(void)
 #endif
 ret = test_ocsp_response_with_cm(&conf, expectedRet);
 ExpectIntEQ(ret, TEST_SUCCESS);
+
+ /* Test response with unusable internal cert but that can be verified in CM */
+ conf.resp = (unsigned char*)resp_bad_embedded_cert; // Response with wrong internal cert
+ conf.respSz = sizeof(resp_bad_embedded_cert);
+ conf.ca0 = root_ca_cert_pem; // Root CA cert
+ conf.ca0Sz = sizeof(root_ca_cert_pem);
+ conf.ca1 = NULL;
+ conf.ca1Sz = 0;
+ conf.targetCert = intermediate1_ca_cert_pem;
+ conf.targetCertSz = sizeof(intermediate1_ca_cert_pem);
+ ExpectIntEQ(test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS), TEST_SUCCESS);
+
 return EXPECT_SUCCESS();
 }
 #else /* HAVE_OCSP */
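Review bot: The `# unrelated cert` comment on `certs_path` does not say why an unrelated certificate is embedded, and the `resp_bad_` prefix reads as a response that should be rejected although the C test in this commit expects it to verify. I would expand the comment to `# embedded cert is NOT the signer: the response is signed by root-ca, so verification must ignore this cert and find the responder in the CertManager`. The list and the `if __name__ == '__main__':` block begin outside the hunk, so I cannot see whether the other `resp_bad_*` entries follow the same naming convention. The regenerated `ocsp_test_blobs.h` is not visible here; it presumably has to be committed with the new `resp_bad_embedded_cert` array for `test_ocsp.c` to build.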
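Review bot: Only the accepting path is asserted for `resp_bad_embedded_cert`: nothing in the added lines checks that the same blob is rejected when its signer is absent from the CertManager, so a verifier that accepted the response for some other reason would still pass this test. I would add a second call with a CA other than the root as `conf.ca0` and the failure value used for the other rejected responses, under a comment such as `/* Same response must fail when the signer is not in the CM */`. The two trailing `//` comments also differ from the `/* */` style used in the rest of the hunk, e.g. `conf.ca0 = root_ca_cert_pem; /* Root CA cert */`. test_ocsp_response_parsing starts outside the hunk, so any field of `conf` not reassigned here carries over from the earlier cases, and it is worth confirming that none of them affects this one.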