Merge pull request #5197 from JacobBarthelmeh/OCSP

RSA-PSS with OCSP and add simple OCSP response der verify test case
2026-04-29 11:33:22 +02:00 · 2022-09-13 15:10:00 +10:00
parent e867f0d312 6c71777ca6
commit 38418b31f1
8 changed files with 172 additions and 6 deletions
@@ -32,4 +32,7 @@ EXTRA_DIST += \
        certs/ocsp/server5-key.pem \
        certs/ocsp/server5-cert.pem \
        certs/ocsp/root-ca-key.pem \
-        certs/ocsp/root-ca-cert.pem
+        certs/ocsp/root-ca-cert.pem \
+        certs/ocsp/test-response.der \
+        certs/ocsp/test-response-rsapss.der \
+        certs/ocsp/test-response-nointern.der
@@ -79,3 +79,27 @@ update_cert server2          "www2.wolfssl.com"                intermediate1-ca
 update_cert server3          "www3.wolfssl.com"                intermediate2-ca v3_req2 07
 update_cert server4          "www4.wolfssl.com"                intermediate2-ca v3_req2 08 # REVOKED
 update_cert server5          "www5.wolfssl.com"                intermediate3-ca v3_req3 09
+
+
+# Create response DER buffer for test
+openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -partial_chain &
+PID=$!
+
+openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify
+openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify
+kill $PID
+wait $PID
+
+
+# now start up a responder that signs using rsa-pss
+openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss &
+PID=$!
+
+openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der -noverify
+# can verify with the following command
+# openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem
+
+kill $PID
+wait $PID
+
+exit 0