From ab0172b9babc0f5552f35a7dbd27076deba48c18 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Mon, 21 Nov 2016 21:37:45 -0500 Subject: Add some simple OCSP tests Nothing much but better than nothing. Also add a useful arg check to OCSP::Request constructor. --- src/tests/data/ocsp/gmail.pem | 27 +++++++++++++++++++++++++++ src/tests/data/ocsp/google_g2.pem | 24 ++++++++++++++++++++++++ src/tests/data/ocsp/resp1.der | Bin 0 -> 1595 bytes src/tests/data/ocsp/resp2.der | Bin 0 -> 463 bytes src/tests/data/ocsp/resp3.der | Bin 0 -> 472 bytes 5 files changed, 51 insertions(+) create mode 100644 src/tests/data/ocsp/gmail.pem create mode 100644 src/tests/data/ocsp/google_g2.pem create mode 100644 src/tests/data/ocsp/resp1.der create mode 100644 src/tests/data/ocsp/resp2.der create mode 100644 src/tests/data/ocsp/resp3.der (limited to 'src/tests/data') diff --git a/src/tests/data/ocsp/gmail.pem b/src/tests/data/ocsp/gmail.pem new file mode 100644 index 000000000..f96928a64 --- /dev/null +++ b/src/tests/data/ocsp/gmail.pem 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEnTCCA4WgAwIBAgIIQkg+DF+RYMYwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE +BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl +cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYxMTEwMTUzMDAwWhcNMTcwMjAyMTUzMDAw +WjBjMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN +TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzESMBAGA1UEAwwJZ21h +aWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuw15ghutT7Ne +eTd1u+TXCoyDK0/XwotRrrfP3+HU6f611WbUi+Eb4mpZ7ZnjBUBOWizRqr7XwURV +7LpwC/Xxn2OlK+yFFeTZYRyZqKhtY3UQsbztAlc8s7LmBTU2bC2wR942SfTpEufB +j+Qloc8WnyVVGqU3IhV1vLPZiNwUtRMKSZiuUDOH0M10icmXDyAl3zNw119ax6bf +P4fROHmLydGP6xcAXEQ9MnJ8cec5V3R505UaxVMROF/TZ2PricWyoz53Tu8AGHXT +81AH/Gq51ettup+CeYFdpxC4lEvZZwxeHo0kHkFv4od8g3HDYkjKfYkOi4vfFg1Z +hMJG02d17QIDAQABo4IBbTCCAWkwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF +BwMCMDsGA1UdEQQ0MDKCCWdtYWlsLmNvbYILKi5nbWFpbC5jb22CGHBvbGljeS5t +dGEtc3RzLmdtYWlsLmNvbTBoBggrBgEFBQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0 +dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6 +Ly9jbGllbnRzMS5nb29nbGUuY29tL29jc3AwHQYDVR0OBBYEFOssHSlSYSvxTr/l +pRnYGdp+QKZoMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWB +trtiGrpagS8wIQYDVR0gBBowGDAMBgorBgEEAdZ5AgUBMAgGBmeBDAECAjAwBgNV +HR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0G +CSqGSIb3DQEBCwUAA4IBAQArrTNbfuMTZTUrfImB3oS0ffMhbymSV8wCPvuC8+LO +yj/1rclI+0NRI32oUgwyjk9xOkPY/uUBk3KXl2b39R4tr67acyUPtuVGY5Nam3Jk +c/7oqREBJr+M/Qr7nYQqTMzh4LXekl/Nh+ZHRnRzYP+q0DE9f8AkiIs9ESziym1d +UY7u/IgelaCyh8CNZoYqui7I4DPfegz/De39rtbCPunC9VQtlMDas4FIOjQrSTIz +tV/xNJMR9ka57B4YLfzoTHq7w7zw+fqeebpyKa4MqOzK9kgrfASYe1YpWEy0SBBT +4zfVLXqyr5eDeaJJjpRJEcSopc0nIN9qBCLc2K7GI54v +-----END CERTIFICATE----- diff --git a/src/tests/data/ocsp/google_g2.pem b/src/tests/data/ocsp/google_g2.pem new file mode 100644 index 000000000..b663266fc --- /dev/null +++ b/src/tests/data/ocsp/google_g2.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID8DCCAtigAwIBAgIDAjqSMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT +MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i +YWwgQ0EwHhcNMTUwNDAxMDAwMDAwWhcNMTcxMjMxMjM1OTU5WjBJMQswCQYDVQQG +EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy +bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP +VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv +h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE +ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ +EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC +DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7 +qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD +VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov +L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig +JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ +MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEACE4Ep4B/EBZDXgKt +10KA9LCO0q6z6xF9kIQYfeeQFftJf6iZBZG7esnWPDcYCZq2x5IgBzUzCeQoY3IN +tOAynIeYxBt2iWfBUFiwE6oTGhsypb7qEZVMSGNJ6ZldIDfM/ippURaVS6neSYLA +EHD0LPPsvCQk0E6spdleHm2SwaesSDWB+eXknGVpzYekQVA/LlelkVESWA6MCaGs +eqQSpSfzmhCXfVUDBvdmWF9fZOGrXW2lOUh1mEwpWjqN0yvKnFUEv/TmFNWArCbt +F4mmk2xcpMy48GaOZON9muIAs0nH5Aqq3VuDx3CQRk6+0NtZlmwu9RY23nHMAcIS +wSHGFg== +-----END CERTIFICATE----- diff --git a/src/tests/data/ocsp/resp1.der b/src/tests/data/ocsp/resp1.der new file mode 100644 index 000000000..dd5420378 Binary files /dev/null and b/src/tests/data/ocsp/resp1.der differ diff --git a/src/tests/data/ocsp/resp2.der b/src/tests/data/ocsp/resp2.der new file mode 100644 index 000000000..ea993bf5d Binary files /dev/null and b/src/tests/data/ocsp/resp2.der differ 
diff --git a/src/tests/data/ocsp/resp3.der b/src/tests/data/ocsp/resp3.der new file mode 100644 index 000000000..416678cae Binary files /dev/null and b/src/tests/data/ocsp/resp3.der differ -- cgit v1.2.3 From 28b38adb037719ba08691a4e8c6f59ea2e854760 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Mon, 21 Nov 2016 23:51:44 -0500 Subject: Better OCSP tests including online tests Tests touching network are gated by --run-online-tests flag. --- src/lib/x509/cert_status.h | 6 ++- src/lib/x509/x509path.cpp | 6 +++ src/scripts/ci/travis/build.sh | 2 +- src/tests/data/ocsp/geotrust.pem | 21 ++++++++ src/tests/data/ocsp/identrust.pem | 20 +++++++ src/tests/data/ocsp/letsencrypt.pem | 27 ++++++++++ src/tests/data/ocsp/randombit.pem | 32 +++++++++++ src/tests/data/ocsp/randombit_ocsp.der | Bin 0 -> 527 bytes src/tests/main.cpp | 6 ++- src/tests/test_ocsp.cpp | 96 +++++++++++++++++++++++++++++++-- src/tests/tests.cpp | 9 ++++ src/tests/tests.h | 4 +- 12 files changed, 218 insertions(+), 11 deletions(-) create mode 100644 src/tests/data/ocsp/geotrust.pem create mode 100644 src/tests/data/ocsp/identrust.pem create mode 100644 src/tests/data/ocsp/letsencrypt.pem create mode 100644 src/tests/data/ocsp/randombit.pem create mode 100644 src/tests/data/ocsp/randombit_ocsp.der (limited to 'src/tests/data') diff --git a/src/lib/x509/cert_status.h b/src/lib/x509/cert_status.h index 921fd2b09..8f514c092 100644 --- a/src/lib/x509/cert_status.h +++ b/src/lib/x509/cert_status.h @@ -1,5 +1,5 @@ /* -* Result enums +* Path validation result enums * (C) 2013 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) @@ -8,6 +8,8 @@ #ifndef BOTAN_X509_PATH_RESULT_H__ #define BOTAN_X509_PATH_RESULT_H__ +#include + namespace Botan { /** 
@@ -77,7 +79,7 @@ enum class Certificate_Status_Code { * @param code the certifcate status * @return string literal constant, or nullptr if code unknown */ -const char* to_string(Certificate_Status_Code code); +BOTAN_DLL const char* to_string(Certificate_Status_Code code); } diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp index 946539bab..c57985766 100644 --- a/src/lib/x509/x509path.cpp +++ b/src/lib/x509/x509path.cpp @@ -161,6 +161,9 @@ PKIX::check_ocsp(const std::vector>& cer } } + while(cert_status.back().empty()) + cert_status.pop_back(); + return cert_status; } @@ -203,6 +206,9 @@ PKIX::check_crl(const std::vector>& cert } } + while(cert_status.back().empty()) + cert_status.pop_back(); + return cert_status; } diff --git a/src/scripts/ci/travis/build.sh b/src/scripts/ci/travis/build.sh index 0344fd892..516b391ce 100755 --- a/src/scripts/ci/travis/build.sh +++ b/src/scripts/ci/travis/build.sh @@ -54,7 +54,7 @@ elif [ "${BUILD_MODE:0:5}" != "cross" ]; then if [ "$BUILD_MODE" = "coverage" ]; then CFG_FLAGS+=(--with-tpm) - TEST_FLAGS="--pkcs11-lib=/tmp/softhsm/lib/softhsm/libsofthsm2.so" + TEST_FLAGS="--run-online-tests --pkcs11-lib=/tmp/softhsm/lib/softhsm/libsofthsm2.so" fi # Avoid OpenSSL when using dynamic checkers... diff --git a/src/tests/data/ocsp/geotrust.pem b/src/tests/data/ocsp/geotrust.pem new file mode 100644 index 000000000..33cc0023e --- /dev/null +++ b/src/tests/data/ocsp/geotrust.pem 
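Review bot: The trimming loop added at the end of PKIX::check_ocsp calls `cert_status.back()` with no emptiness check, so if every per-certificate set is empty the loop pops the final element and then evaluates `back()` on an empty vector, which is undefined behaviour. The identical loop added at the end of PKIX::check_crl in the next hunk has the same problem. Use `while(!cert_status.empty() && cert_status.back().empty())` in both places. Both function bodies start outside their hunks, so whether an all-empty result is reachable cannot be confirmed here, but a path with no usable OCSP responses or CRLs looks like exactly that case, and revocation checking should not depend on it never happening. The function documentation should also say that the returned vector can now be shorter than the certificate path.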
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw +WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE +AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m +OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu +T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c +JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR +Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz +PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm +aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM +TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g +LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO +BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv +dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB +AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL +NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W +b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S +-----END CERTIFICATE----- diff --git a/src/tests/data/ocsp/identrust.pem b/src/tests/data/ocsp/identrust.pem new file mode 100644 index 000000000..b2e43c938 --- /dev/null +++ b/src/tests/data/ocsp/identrust.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw +7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD +aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +-----END CERTIFICATE----- diff --git a/src/tests/data/ocsp/letsencrypt.pem b/src/tests/data/ocsp/letsencrypt.pem new file mode 100644 index 000000000..0002462ce --- /dev/null +++ b/src/tests/data/ocsp/letsencrypt.pem 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow +SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT +GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF +q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 +SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 +Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA +a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj +/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T +AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG +CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv +bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k +c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw +VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC +ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz +MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu +Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF +AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo +uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ +wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu +X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG +PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 +KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== +-----END CERTIFICATE----- diff --git a/src/tests/data/ocsp/randombit.pem b/src/tests/data/ocsp/randombit.pem new file mode 100644 index 000000000..d5986c21c --- /dev/null +++ b/src/tests/data/ocsp/randombit.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFkTCCBHmgAwIBAgISA+ie0HpCS3KjX60Wf0ik8lrSMA0GCSqGSIb3DQEBCwUA +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjExMTgxMTE2MDBaFw0x +NzAyMTYxMTE2MDBaMBgxFjAUBgNVBAMTDXJhbmRvbWJpdC5uZXQwggGiMA0GCSqG +SIb3DQEBAQUAA4IBjwAwggGKAoIBgQCxYsED7KF8RGFWcq1tQdvRExLdDjGJcw1j +4uV6a/yt2v/wDSUPIXNak9Psm5V56AH2tV/nMuwiFAyqlZiPFcCD5clXoIkJBW2c +hXYM1js6tNlX6iBA0Cl/ug0+sNYiJP7GZAZFGLy7itGYpLn5DtawQfWxt4ENoZ+x +MQVAjRrb2oH/BNTBvvMjJNehxkf4RGo9BiwNHwxw/3SQHsObzLvYwnIe7pNCw5gu +Ol4ekligjh481WIvOS6/dOu2FOuutKKsOFasxyaE8qArs2Nwb0fSS+LG3U7t7jP5 +MuBS+kfp1/jQ8qvV5dJpKcw6D2q4qjmOiAHSXOY/+1GoaKus6xB7NTXbiMsHR/VH +hnupKYzsR3Fs4+agHXpM/8n6erVsXtwPdw6uFwrVlpAOvu56PiSgaBZLpex/Z4bk +tqcCQ2EJcjKUU5Ht5TKUFaXv7v/WLkbGdbdVDHh9cEnOthGme8QgaDPZp+mND6Bs +QyJQgpQ57hsS55l9XehXzNu5SOr/F58CAwEAAaOCAiEwggIdMA4GA1UdDwEB/wQE +AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw +ADAdBgNVHQ4EFgQUpAkBML2UJvHr4dXnxC2gVnY5NAkwHwYDVR0jBBgwFoAUqEpq +YwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBiMC8GCCsGAQUFBzABhiNo +dHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzAvBggrBgEFBQcwAoYj +aHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8wKwYDVR0RBCQwIoIN +cmFuZG9tYml0Lm5ldIIRd3d3LnJhbmRvbWJpdC5uZXQwgf4GA1UdIASB9jCB8zAI +BgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8v +Y3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRp +ZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGll +cyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBv +bGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5 +LzANBgkqhkiG9w0BAQsFAAOCAQEAXAh1j/hxsJMCMSfQWLSDMNQQirlWJafG2mao +P5ZwjkGyPoM6q1E/G60TRFSbqwvI9b1SrMipuz5fqf6q7VTac2DZyC7hx5RXvDk3 +ZD93DYYlwOw1RMrfUZtk7F1maqxESxd3V7L8DQWaPx01KZj4kJkP/cwT3t0GWgF2 +DLdltmWqjuFdrxY+XYTdvsk+U85rhosm/4UGlJENdagRMAoRuco/y7MRuKSCWewN +Vc57atZpfZahpqG10Bld8uf3ApP5eoNWKxbePFMhdWyj8o1N6p57pRn+Qp/mV+0B 
+I6IbQv9+D/qEFgHkHDPClaoRjM0+bRI53+uTt5I70VcimVY+wg== +-----END CERTIFICATE----- diff --git a/src/tests/data/ocsp/randombit_ocsp.der b/src/tests/data/ocsp/randombit_ocsp.der new file mode 100644 index 000000000..93d1c6287 Binary files /dev/null and b/src/tests/data/ocsp/randombit_ocsp.der differ diff --git a/src/tests/main.cpp b/src/tests/main.cpp index cf61ea0b0..3fa6ce4ab 100644 --- a/src/tests/main.cpp +++ b/src/tests/main.cpp @@ -35,7 +35,7 @@ namespace { class Test_Runner : public Botan_CLI::Command { public: - Test_Runner() : Command("test --threads=0 --soak=5 --drbg-seed= --data-dir= --pkcs11-lib= --log-success *suites") {} + Test_Runner() : Command("test --threads=0 --soak=5 --run-online-tests --drbg-seed= --data-dir= --pkcs11-lib= --log-success *suites") {} std::string help_text() const override { @@ -76,6 +76,7 @@ class Test_Runner : public Botan_CLI::Command const size_t soak_level = get_arg_sz("soak"); const std::string drbg_seed = get_arg("drbg-seed"); const bool log_success = flag_set("log-success"); + const bool run_online_tests = flag_set("run-online-tests"); const std::string data_dir = get_arg_or("data-dir", "src/tests/data"); const std::string pkcs11_lib = get_arg("pkcs11-lib"); @@ -179,7 +180,8 @@ class Test_Runner : public Botan_CLI::Command throw Botan_Tests::Test_Error("No usable RNG enabled in build, aborting tests"); } - Botan_Tests::Test::setup_tests(soak_level, log_success, data_dir, pkcs11_lib, rng.get()); + Botan_Tests::Test::setup_tests(soak_level, log_success, run_online_tests, + data_dir, pkcs11_lib, rng.get()); const size_t failed = run_tests(req, output(), threads); diff --git a/src/tests/test_ocsp.cpp b/src/tests/test_ocsp.cpp index 39bc9e77a..58fa46086 100644 --- a/src/tests/test_ocsp.cpp +++ b/src/tests/test_ocsp.cpp @@ -8,7 +8,9 @@ #if defined(BOTAN_HAS_OCSP) #include - #include + #include + #include + #include #endif namespace Botan_Tests { 
@@ -18,18 +20,18 @@ namespace Botan_Tests { class OCSP_Tests : public Test { private: - std::vector slurp_data_file(const std::string& path) + std::vector slurp_data_file(const std::string& path) { const std::string fsname = Test::data_file(path); std::ifstream file(fsname.c_str()); if(!file.good()) throw Test_Error("Error reading from " + fsname); - std::vector contents; + std::vector contents; while(file.good()) { - std::vector buf(4096); + std::vector buf(4096); file.read(reinterpret_cast(buf.data()), buf.size()); size_t got = file.gcount(); @@ -42,6 +44,16 @@ class OCSP_Tests : public Test return contents; } + std::shared_ptr load_test_X509_cert(const std::string& path) + { + return std::make_shared(Test::data_file(path)); + } + + std::shared_ptr load_test_OCSP_resp(const std::string& path) + { + return std::make_shared(slurp_data_file(path)); + } + Test::Result test_response_parsing() { Test::Result result("OCSP response parsing"); @@ -71,7 +83,7 @@ class OCSP_Tests : public Test Test::Result test_request_encoding() { - Test::Result result("OCSP encoding"); + Test::Result result("OCSP request encoding"); const Botan::X509_Certificate end_entity(Test::data_file("ocsp/gmail.pem")); const Botan::X509_Certificate issuer(Test::data_file("ocsp/google_g2.pem")); 
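Review bot: `slurp_data_file` opens its stream with `std::ifstream file(fsname.c_str());`, i.e. in text mode, and the new `load_test_OCSP_resp` helper uses it to read DER-encoded responses. On platforms that translate line endings or treat a byte as text end-of-file, this can alter or truncate the binary data before it reaches the OCSP parser. Open the file as binary: `std::ifstream file(fsname.c_str(), std::ios::binary);`. The tail of slurp_data_file's read loop lies between this hunk and the next, so the rest of the function is not visible here.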
@@ -96,6 +108,76 @@ class OCSP_Tests : public Test return result; } + Test::Result test_response_verification() + { + Test::Result result("OCSP request check"); + + std::shared_ptr ee = load_test_X509_cert("ocsp/randombit.pem"); + std::shared_ptr ca = load_test_X509_cert("ocsp/letsencrypt.pem"); + std::shared_ptr trust_root = load_test_X509_cert("ocsp/geotrust.pem"); + + const std::vector> cert_path = { ee, ca, trust_root }; + + std::shared_ptr ocsp = load_test_OCSP_resp("ocsp/randombit_ocsp.der"); + + Botan::Certificate_Store_In_Memory certstore; + certstore.add_certificate(trust_root); + + // Some arbitrary time within the validity period of the test certs + const auto valid_time = Botan::calendar_point(2016,11,20,8,30,0).to_std_timepoint(); + + std::vector> ocsp_status = Botan::PKIX::check_ocsp( + cert_path, + { ocsp }, + { &certstore }, + valid_time); + + if(result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1)) + { + if(result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1)) + { + result.confirm("Status good", ocsp_status[0].count(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD)); + } + } + + return result; + } + + Test::Result test_online_request() + { + Test::Result result("OCSP online check"); + + std::shared_ptr ee = load_test_X509_cert("ocsp/randombit.pem"); + std::shared_ptr ca = load_test_X509_cert("ocsp/letsencrypt.pem"); + std::shared_ptr trust_root = load_test_X509_cert("ocsp/identrust.pem"); + + const std::vector> cert_path = { ee, ca, trust_root }; + + Botan::Certificate_Store_In_Memory certstore; + certstore.add_certificate(trust_root); + + std::vector> ocsp_status = Botan::PKIX::check_ocsp_online( + cert_path, + { &certstore }, + std::chrono::system_clock::now(), + std::chrono::milliseconds(3000), + true); + + if(result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 2)) + { + if(result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1)) + { + result.confirm("Status good", 
ocsp_status[0].count(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD)); + } + if(result.test_eq("Expected size of ocsp_status[1]", ocsp_status[1].size(), 1)) + { + result.confirm("Status good", ocsp_status[1].count(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD)); + } + } + + return result; + } + public: std::vector run() override { @@ -103,6 +185,10 @@ class OCSP_Tests : public Test results.push_back(test_request_encoding()); results.push_back(test_response_parsing()); + results.push_back(test_response_verification()); + + if(Test::run_online_tests()) + results.push_back(test_online_request()); return results; } diff --git a/src/tests/tests.cpp b/src/tests/tests.cpp index 13094f5dc..1fe41428e 100644 --- a/src/tests/tests.cpp +++ b/src/tests/tests.cpp @@ -467,11 +467,13 @@ Botan::RandomNumberGenerator* Test::m_test_rng = nullptr; std::string Test::m_data_dir; size_t Test::m_soak_level = 0; bool Test::m_log_success = false; +bool Test::m_run_online_tests = false; std::string Test::m_pkcs11_lib; //static void Test::setup_tests(size_t soak, bool log_success, + bool run_online, const std::string& data_dir, const std::string& pkcs11_lib, Botan::RandomNumberGenerator* rng) @@ -479,6 +481,7 @@ void Test::setup_tests(size_t soak, m_data_dir = data_dir; m_soak_level = soak; m_log_success = log_success; + m_run_online_tests = run_online; m_test_rng = rng; m_pkcs11_lib = pkcs11_lib; } @@ -507,6 +510,12 @@ bool Test::log_success() return m_log_success; } +//static +bool Test::run_online_tests() + { + return m_run_online_tests; + } + //static std::string Test::pkcs11_lib() { diff --git a/src/tests/tests.h b/src/tests/tests.h index 236a89d6f..7d168be72 100644 --- a/src/tests/tests.h +++ b/src/tests/tests.h 
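Review bot: `test_online_request` validates the checked-in `ocsp/randombit.pem` and `ocsp/letsencrypt.pem` against `std::chrono::system_clock::now()`, so it will start failing once those fixed certificates pass their validity period, unlike `test_response_verification`, which pins the time with `calendar_point(2016,11,20,8,30,0)`. Add a comment saying the certificates must be refreshed before they expire, or have the test report a skip when `now()` falls outside the end-entity validity window. The test also depends on third-party responders answering within `std::chrono::milliseconds(3000)`, so the coverage job that now passes `--run-online-tests` can fail on network trouble alone. Separately, the offline test uses `ocsp/geotrust.pem` as trust root while the online test uses `ocsp/identrust.pem` for the same ee/ca pair; this looks like a copy-paste slip and is worth confirming. The result label `"OCSP request check"` would read better as `"OCSP response verification"`.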
@@ -358,12 +358,14 @@ class Test static void setup_tests(size_t soak, bool log_succcss, + bool run_online_tests, const std::string& data_dir, const std::string& pkcs11_lib, Botan::RandomNumberGenerator* rng); static size_t soak_level(); static bool log_success(); + static bool run_online_tests(); static std::string pkcs11_lib(); static const std::string& data_dir(); @@ -376,7 +378,7 @@ class Test static std::string m_data_dir; static Botan::RandomNumberGenerator* m_test_rng; static size_t m_soak_level; - static bool m_log_success; + static bool m_log_success, m_run_online_tests; static std::string m_pkcs11_lib; }; -- cgit v1.2.3 From cdb20d3599f38807f4495c9c705b5864928b2824 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Fri, 25 Nov 2016 15:57:59 -0500 Subject: Account for new string in test data --- src/tests/data/x509test/expected.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/tests/data') diff --git a/src/tests/data/x509test/expected.txt b/src/tests/data/x509test/expected.txt index 23cc9daf1..14782ecf8 100644 --- a/src/tests/data/x509test/expected.txt +++ b/src/tests/data/x509test/expected.txt @@ -1,4 +1,4 @@ -InvalidExtendedKeyUsage.pem:Invalid usage +InvalidExtendedKeyUsage.pem:Certificate does not allow the requested usage InvalidIntCAFlag.pem:CA certificate not allowed to issue certs InvalidIntCAKeyUsage.pem:CA certificate not allowed to issue certs InvalidIntCALen.pem:Certificate chain too long 
@@ -6,7 +6,7 @@ InvalidIntCALoop.pem:Loop in certificate chain
 InvalidIntCASelfSign.pem:Cannot establish trust
 InvalidIntCAVersionOne.pem:CA certificate not allowed to issue certs
 InvalidIntCAVersionTwo.pem:CA certificate not allowed to issue certs
-InvalidKeyUsage.pem:Invalid usage
+InvalidKeyUsage.pem:Certificate does not allow the requested usage
 InvalidName.pem:Certificate does not match provided name
 InvalidNameAltName.pem:Certificate does not match provided name
 InvalidNameAltNameWithSubj.pem:Certificate does not match provided name
-- cgit v1.2.3