diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am
index 73c5f285d..c5d937ed3 100644
--- a/certs/ocsp/include.am
+++ b/certs/ocsp/include.am
@@ -32,4 +32,5 @@ EXTRA_DIST += \
  certs/ocsp/server5-key.pem \
  certs/ocsp/server5-cert.pem \
  certs/ocsp/root-ca-key.pem \
- certs/ocsp/root-ca-cert.pem
+ certs/ocsp/root-ca-cert.pem \
+ certs/ocsp/test-response.der
diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh
index 50e9e3d79..96744b6fd 100755
--- a/certs/ocsp/renewcerts.sh
+++ b/certs/ocsp/renewcerts.sh
@@ -79,3 +79,14 @@ update_cert server2 "www2.wolfssl.com" intermediate1-ca
 update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 07
 update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 # REVOKED
 update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09
+
+
+# Create response DER buffer for test
+openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem &
+PID=$!
+
+openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der
+
+kill $PID
+wait $PID
+
diff --git a/certs/ocsp/test-response.der b/certs/ocsp/test-response.der
new file mode 100644
index 000000000..7ebfd0424
Binary files /dev/null and b/certs/ocsp/test-response.der differ
diff --git a/tests/api.c b/tests/api.c
index 5bec3d5bc..7cab7504b 100644
--- a/tests/api.c
+++ b/tests/api.c
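Review bot: The client request on the `openssl ocsp -issuer ... -respout test-response.der` line is issued immediately after the responder is backgrounded, with nothing waiting for port 22221 to be listening, so on a slow or loaded host the request can fail before the responder is up and `test-response.der` is left missing or empty while the script carries on (no `set -e` or status check is visible in the hunk). A short readiness wait and an explicit status check, e.g. `sleep 1` after `PID=$!` and `... -respout test-response.der || { kill $PID; exit 1; }`, makes the fixture regeneration fail loudly instead of silently committing a bad fixture. Note also that `-ndays 1000` bounds the nextUpdate of the committed response, so if the consuming verification checks validity times the fixture will need regenerating before then; a comment recording that, `# NOTE: response valid for 1000 days; regenerate before it expires`, would save the next maintainer a puzzling test failure.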
@@ -1403,6 +1403,48 @@ static int test_wolfSSL_CertManagerCheckOCSPResponse(void)
  return 0;
 }
 
+static void test_wolfSSL_CheckOCSPResponse(void)
+{
+#if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL)
+ const char* responseFile = "./certs/ocsp/test-response.der";
+ const char* caFile = "./certs/ocsp/root-ca-cert.pem";
+ OcspResponse* res = NULL;
+ byte data[4096];
+ const unsigned char* pt;
+ int dataSz;
+ XFILE f;
+ WOLFSSL_OCSP_BASICRESP* bs;
+ WOLFSSL_X509_STORE* st;
+ WOLFSSL_X509* issuer;
+
+
+ printf(testingFmt, "wolfSSL_CheckOCSPResponse()");
+
+ f = XFOPEN(responseFile, "rb");
+ AssertTrue(f != XBADFILE);
+ dataSz = (word32)XFREAD(data, 1, sizeof(data), f);
+ AssertIntGT(dataSz, 0);
+ XFCLOSE(f);
+
+ pt = data;
+ res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz);
+ AssertNotNull(res);
+ issuer = wolfSSL_X509_load_certificate_file(caFile, SSL_FILETYPE_PEM);
+ AssertNotNull(issuer);
+ st = wolfSSL_X509_STORE_new();
+ AssertNotNull(st);
+ AssertIntEQ(wolfSSL_X509_STORE_add_cert(st, issuer), WOLFSSL_SUCCESS);
+ bs = wolfSSL_OCSP_response_get1_basic(res);
+ AssertNotNull(bs);
+ AssertIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), WOLFSSL_SUCCESS);
+ wolfSSL_OCSP_RESPONSE_free(res);
+ wolfSSL_X509_STORE_free(st);
+ wolfSSL_X509_free(issuer);
+
+ printf(resultFmt, passed);
+#endif /* HAVE_OCSP */
+}
+
 static int test_wolfSSL_CertManagerLoadCABuffer(void)
 {
  int ret;
@@ -57441,6 +57483,7 @@ TEST_CASE testCases[] = {
  TEST_DECL(test_wolfSSL_CTX_use_PrivateKey_file),
  TEST_DECL(test_wolfSSL_CTX_load_verify_locations),
  TEST_DECL(test_wolfSSL_CertManagerCheckOCSPResponse),
+ TEST_DECL(test_wolfSSL_CheckOCSPResponse),
  TEST_DECL(test_wolfSSL_CertManagerLoadCABuffer),
  TEST_DECL(test_wolfSSL_CertManagerGetCerts),
  TEST_DECL(test_wolfSSL_CertManagerSetVerify),
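Review bot: `bs`, returned by `wolfSSL_OCSP_response_get1_basic(res)`, is never released, so every run of the new test leaks the basic response; the `get1` suffix follows the OpenSSL convention that the caller owns the returned object, so add `wolfSSL_OCSP_BASICRESP_free(bs);` alongside the three other `*_free` calls before `printf(resultFmt, passed)`. The `#endif /* HAVE_OCSP */` comment names only one of the three conditions guarding the body; `#endif /* HAVE_OCSP && !NO_RSA && OPENSSL_ALL */` would match the `#if`. `dataSz = (word32)XFREAD(...)` funnels an unsigned result into an `int`; `dataSz = (int)XFREAD(data, 1, sizeof(data), f);` says what is meant, and an `AssertIntLT(dataSz, (int)sizeof(data));` would report a fixture larger than the 4096-byte buffer directly rather than as a later decode failure. The neighbouring tests in this hunk are declared `static int` and `return 0`, whereas the new one is `static void`; if the TEST_DECL table expects the int form, align it with its siblings.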