Better OCSP tests including online tests

Tests touching network are gated by --run-online-tests flag.

1 files changed, 91 insertions, 5 deletions

diff --git a/src/tests/test_ocsp.cpp b/src/tests/test_ocsp.cpp
index 39bc9e77a..58fa46086 100644
--- a/src/tests/test_ocsp.cpp
+++ b/src/tests/test_ocsp.cpp
@@ -8,7 +8,9 @@
 
 #if defined(BOTAN_HAS_OCSP)
   #include <botan/ocsp.h>
-  #include <sstream>
+  #include <botan/x509path.h>
+  #include <botan/certstor.h>
+  #include <botan/calendar.h>
 #endif
 
 namespace Botan_Tests {
@@ -18,18 +20,18 @@ namespace Botan_Tests {
 class OCSP_Tests : public Test
    {
    private:
-      std::vector<byte> slurp_data_file(const std::string& path)
+      std::vector<uint8_t> slurp_data_file(const std::string& path)
          {
          const std::string fsname = Test::data_file(path);
          std::ifstream file(fsname.c_str());
          if(!file.good())
             throw Test_Error("Error reading from " + fsname);
 
-         std::vector<byte> contents;
+         std::vector<uint8_t> contents;
 
          while(file.good())
             {
-            std::vector<byte> buf(4096);
+            std::vector<uint8_t> buf(4096);
             file.read(reinterpret_cast<char*>(buf.data()), buf.size());
             size_t got = file.gcount();
 
@@ -42,6 +44,16 @@ class OCSP_Tests : public Test
          return contents;
          }
 
+      std::shared_ptr<const Botan::X509_Certificate> load_test_X509_cert(const std::string& path)
+         {
+         return std::make_shared<const Botan::X509_Certificate>(Test::data_file(path));
+         }
+
+      std::shared_ptr<const Botan::OCSP::Response> load_test_OCSP_resp(const std::string& path)
+         {
+         return std::make_shared<const Botan::OCSP::Response>(slurp_data_file(path));
+         }
+
       Test::Result test_response_parsing()
          {
          Test::Result result("OCSP response parsing");
@@ -71,7 +83,7 @@ class OCSP_Tests : public Test
 
       Test::Result test_request_encoding()
          {
-         Test::Result result("OCSP encoding");
+         Test::Result result("OCSP request encoding");
 
          const Botan::X509_Certificate end_entity(Test::data_file("ocsp/gmail.pem"));
          const Botan::X509_Certificate issuer(Test::data_file("ocsp/google_g2.pem"));
@@ -96,6 +108,76 @@ class OCSP_Tests : public Test
          return result;
          }
 
+      Test::Result test_response_verification()
+         {
+         Test::Result result("OCSP request check");
+
+         std::shared_ptr<const Botan::X509_Certificate> ee = load_test_X509_cert("ocsp/randombit.pem");
+         std::shared_ptr<const Botan::X509_Certificate> ca = load_test_X509_cert("ocsp/letsencrypt.pem");
+         std::shared_ptr<const Botan::X509_Certificate> trust_root = load_test_X509_cert("ocsp/geotrust.pem");
+
+         const std::vector<std::shared_ptr<const Botan::X509_Certificate>> cert_path = { ee, ca, trust_root };
+
+         std::shared_ptr<const Botan::OCSP::Response> ocsp = load_test_OCSP_resp("ocsp/randombit_ocsp.der");
+
+         Botan::Certificate_Store_In_Memory certstore;
+         certstore.add_certificate(trust_root);
+
+         // Some arbitrary time within the validity period of the test certs
+         const auto valid_time = Botan::calendar_point(2016,11,20,8,30,0).to_std_timepoint();
+
+         std::vector<std::set<Botan::Certificate_Status_Code>> ocsp_status = Botan::PKIX::check_ocsp(
+            cert_path,
+            { ocsp },
+            { &certstore },
+            valid_time);
+
+         if(result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1))
+            {
+            if(result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1))
+               {
+               result.confirm("Status good", ocsp_status[0].count(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD));
+               }
+            }
+
+         return result;
+         }
+
+      Test::Result test_online_request()
+         {
+         Test::Result result("OCSP online check");
+
+         std::shared_ptr<const Botan::X509_Certificate> ee = load_test_X509_cert("ocsp/randombit.pem");
+         std::shared_ptr<const Botan::X509_Certificate> ca = load_test_X509_cert("ocsp/letsencrypt.pem");
+         std::shared_ptr<const Botan::X509_Certificate> trust_root = load_test_X509_cert("ocsp/identrust.pem");
+
+         const std::vector<std::shared_ptr<const Botan::X509_Certificate>> cert_path = { ee, ca, trust_root };
+
+         Botan::Certificate_Store_In_Memory certstore;
+         certstore.add_certificate(trust_root);
+
+         std::vector<std::set<Botan::Certificate_Status_Code>> ocsp_status = Botan::PKIX::check_ocsp_online(
+            cert_path,
+            { &certstore },
+            std::chrono::system_clock::now(),
+            std::chrono::milliseconds(3000),
+            true);
+
+         if(result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 2))
+            {
+            if(result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1))
+               {
+               result.confirm("Status good", ocsp_status[0].count(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD));
+               }
+            if(result.test_eq("Expected size of ocsp_status[1]", ocsp_status[1].size(), 1))
+               {
+               result.confirm("Status good", ocsp_status[1].count(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD));
+               }
+            }
+
+         return result;
+         }
+
    public:
       std::vector<Test::Result> run() override
          {
@@ -103,6 +185,10 @@ class OCSP_Tests : public Test
 
          results.push_back(test_request_encoding());
          results.push_back(test_response_parsing());
+         results.push_back(test_response_verification());
+
+         if(Test::run_online_tests())
+            results.push_back(test_online_request());
 
          return results;
          }