From a9d5dcae58aa4f2b5c5e9dda96248913b5758bd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?=
Date: Fri, 3 Feb 2017 14:12:47 -0300
Subject: [PATCH] updates ocsp tests; adds check for OCSP response signed by issuer.
---
 ...{index0.txt => index-ca-and-intermediate-cas.txt} | 0
 ...1.txt => index-intermediate1-ca-issued-certs.txt} | 0
 ...2.txt => index-intermediate2-ca-issued-certs.txt} | 0
 ...3.txt => index-intermediate3-ca-issued-certs.txt} | 0
 ...rmediate1-ca-issued-certs-with-ca-as-responder.sh | 8 ++++++++
 certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh | 8 ++++++++
 certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh | 8 ++++++++
 certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh | 8 ++++++++
 certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh | 8 ++++++++
 certs/ocsp/ocspd0.sh | 8 --------
 certs/ocsp/ocspd1.sh | 8 --------
 certs/ocsp/ocspd2.sh | 8 --------
 certs/ocsp/ocspd3.sh | 8 --------
 scripts/ocsp-stapling.test | 2 +-
 scripts/ocsp-stapling2.test | 6 +++---
 wolfcrypt/src/asn.c | 12 +++++++++---
 16 files changed, 53 insertions(+), 39 deletions(-)
 rename certs/ocsp/{index0.txt => index-ca-and-intermediate-cas.txt} (100%)
 rename certs/ocsp/{index1.txt => index-intermediate1-ca-issued-certs.txt} (100%)
 rename certs/ocsp/{index2.txt => index-intermediate2-ca-issued-certs.txt} (100%)
 rename certs/ocsp/{index3.txt => index-intermediate3-ca-issued-certs.txt} (100%)
 create mode 100755 certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh
 create mode 100755 certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh
 create mode 100755 certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh
 create mode 100755 certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh
 create mode 100755 certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh
 delete mode 100755 certs/ocsp/ocspd0.sh
 delete mode 100755 certs/ocsp/ocspd1.sh
 delete mode 100755 certs/ocsp/ocspd2.sh
 delete mode 100755 certs/ocsp/ocspd3.sh
diff --git a/certs/ocsp/index0.txt b/certs/ocsp/index-ca-and-intermediate-cas.txt
similarity index 100%
rename from certs/ocsp/index0.txt
rename to certs/ocsp/index-ca-and-intermediate-cas.txt
diff --git a/certs/ocsp/index1.txt b/certs/ocsp/index-intermediate1-ca-issued-certs.txt
similarity index 100%
rename from certs/ocsp/index1.txt
rename to certs/ocsp/index-intermediate1-ca-issued-certs.txt
diff --git a/certs/ocsp/index2.txt b/certs/ocsp/index-intermediate2-ca-issued-certs.txt
similarity index 100%
rename from certs/ocsp/index2.txt
rename to certs/ocsp/index-intermediate2-ca-issued-certs.txt
diff --git a/certs/ocsp/index3.txt b/certs/ocsp/index-intermediate3-ca-issued-certs.txt
similarity index 100%
rename from certs/ocsp/index3.txt
rename to certs/ocsp/index-intermediate3-ca-issued-certs.txt
diff --git a/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh b/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh
new file mode 100755
index 000000000..eecd81b58
--- /dev/null
+++ b/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22221 -nmin 1 \
+ -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+ -rsigner certs/ocsp/intermediate1-ca-cert.pem \
+ -rkey certs/ocsp/intermediate1-ca-key.pem \
+ -CA certs/ocsp/intermediate1-ca-cert.pem \
+ $@
diff --git a/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh
new file mode 100755
index 000000000..debfd63bb
--- /dev/null
+++ b/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22221 -nmin 1 \
+ -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/intermediate1-ca-cert.pem \
+ $@
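Review bot: `$@` on the last line of ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh is unquoted, so any argument containing whitespace is re-split before it reaches `openssl ocsp`; `"$@"` forwards the arguments as the caller passed them, and the same applies to the four other new scripts (ocspd-intermediate1-ca-issued-certs.sh, ocspd-intermediate2-ca-issued-certs.sh, ocspd-intermediate3-ca-issued-certs.sh, ocspd-root-ca-and-intermediate-cas.sh). The with-ca-as-responder variant listens on the same port 22221 as ocspd-intermediate1-ca-issued-certs.sh, so the two cannot be running at once, and nothing else in this patch starts it. A one-line header comment stating its purpose and which test is meant to use it would make that intent clear, e.g. `# OCSP responder for intermediate1-issued certs, signing with the CA key itself rather than a dedicated responder cert`.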
diff --git a/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh
new file mode 100755
index 000000000..0d06c5be1
--- /dev/null
+++ b/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22222 -nmin 1 \
+ -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/intermediate2-ca-cert.pem \
+ $@
diff --git a/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh
new file mode 100755
index 000000000..5e6a5173c
--- /dev/null
+++ b/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22223 -nmin 1 \
+ -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/intermediate3-ca-cert.pem \
+ $@
diff --git a/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh b/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh
new file mode 100755
index 000000000..d3c3bc1ad
--- /dev/null
+++ b/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22220 -nmin 1 \
+ -index certs/ocsp/index-ca-and-intermediate-cas.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/root-ca-cert.pem \
+ $@
diff --git a/certs/ocsp/ocspd0.sh b/certs/ocsp/ocspd0.sh
deleted file mode 100755
index d0aa0b953..000000000
--- a/certs/ocsp/ocspd0.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22220 -nmin 1 \
- -index certs/ocsp/index0.txt \
- -rsigner certs/ocsp/ocsp-responder-cert.pem \
- -rkey certs/ocsp/ocsp-responder-key.pem \
- -CA certs/ocsp/root-ca-cert.pem \
- $@
diff --git a/certs/ocsp/ocspd1.sh b/certs/ocsp/ocspd1.sh
deleted file mode 100755
index 91448c004..000000000
--- a/certs/ocsp/ocspd1.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22221 -nmin 1 \
- -index certs/ocsp/index1.txt \
- -rsigner certs/ocsp/ocsp-responder-cert.pem \
- -rkey certs/ocsp/ocsp-responder-key.pem \
- -CA certs/ocsp/intermediate1-ca-cert.pem \
- $@
diff --git a/certs/ocsp/ocspd2.sh b/certs/ocsp/ocspd2.sh
deleted file mode 100755
index a7748b337..000000000
--- a/certs/ocsp/ocspd2.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22222 -nmin 1 \
- -index certs/ocsp/index2.txt \
- -rsigner certs/ocsp/ocsp-responder-cert.pem \
- -rkey certs/ocsp/ocsp-responder-key.pem \
- -CA certs/ocsp/intermediate2-ca-cert.pem \
- $@
diff --git a/certs/ocsp/ocspd3.sh b/certs/ocsp/ocspd3.sh
deleted file mode 100755
index 3e53ceb71..000000000
--- a/certs/ocsp/ocspd3.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-openssl ocsp -port 22223 -nmin 1 \
- -index certs/ocsp/index3.txt \
- -rsigner certs/ocsp/ocsp-responder-cert.pem \
- -rkey certs/ocsp/ocsp-responder-key.pem \
- -CA certs/ocsp/intermediate3-ca-cert.pem \
- $@
diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test
index e8984b0aa..3511d4a36 100755
--- a/scripts/ocsp-stapling.test
+++ b/scripts/ocsp-stapling.test
@@ -18,7 +18,7 @@ RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
 
 # setup ocsp responder
-./certs/ocsp/ocspd1.sh &
+./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
 sleep 1
 [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
 
diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test
index 16bd81823..db48161d8 100755
--- a/scripts/ocsp-stapling2.test
+++ b/scripts/ocsp-stapling2.test
@@ -7,9 +7,9 @@ trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
 [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
 
 # setup ocsp responders
-./certs/ocsp/ocspd0.sh &
-./certs/ocsp/ocspd2.sh &
-./certs/ocsp/ocspd3.sh &
+./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
+./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
+./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
 sleep 1
 [ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
 
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 61134f015..75f993a41 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -10768,10 +10768,16 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 }
 
 if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
- WOLFSSL_MSG("\tOCSP Responder key usage check failed");
+ if (XMEMCMP(cert.subjectHash,
+ resp->issuerHash, KEYID_SIZE) == 0) {
+ WOLFSSL_MSG("\tOCSP Response signed by issuer");
+ }
+ else {
+ WOLFSSL_MSG("\tOCSP Responder key usage check failed");
 
- FreeDecodedCert(&cert);
- return BAD_OCSP_RESPONDER;
+ FreeDecodedCert(&cert);
+ return BAD_OCSP_RESPONDER;
+ }
 }
 
 /* ConfirmSignature is blocking here */
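Review bot: The new exemption from the OCSP-signing EKU check ties the responder certificate to the issuer by comparing `cert.subjectHash` with `resp->issuerHash`, which, if those are the name hashes their names suggest, lets any certificate whose subject name hashes equal to the target's issuer name qualify, not only the holder of the issuing key. RFC 6960 4.2.2.2 is about the CA that issued the certificate signing the response itself, so the exemption is better anchored to the issuer key: if the CertID key hash is kept alongside (wolfSSL's OcspResponse carries an `issuerKeyHash` next to `issuerHash` — confirm the field here), also comparing it with the responder certificate's key identifier would close that gap. The branch also deserves a why-comment so the next reader does not mistake it for a weakening, e.g. `/* RFC 6960 4.2.2.2: the issuing CA may sign the response itself without the id-kp-OCSPSigning EKU */`. The check further relies on the responder certificate having already been chained to a trusted CA earlier in this function; that parse is outside the hunk, so it can only be flagged for confirmation. DecodeBasicOcspResponse begins before and continues after this hunk.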