5079590438

Committed 25 May 2023 12:28PM UTC coverage: 92.228% (+0.5%) from 91.723%

Build # 5079590438

Build Type

Pull #3502

github

Pull Request Pull Request #3502: Apply clang-format to the codebase

Run Details

75589 of 81959 relevant lines covered (92.23%)

12139530.51 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

98.46

/src/tests/test_ocsp.cpp

/*
* (C) 2016 Jack Lloyd
* (C) 2022 René Meusel, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include "botan/types.h"

#if defined(BOTAN_HAS_OCSP)
   #include <botan/certstor.h>
   #include <botan/ocsp.h>
   #include <botan/x509path.h>
   #include <botan/internal/calendar.h>
   #include <fstream>
#endif

#include "tests.h"

namespace Botan_Tests {

#if defined(BOTAN_HAS_OCSP) && defined(BOTAN_HAS_RSA) && defined(BOTAN_HAS_EMSA_PKCS1) && \
   defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)

class OCSP_Tests final : public Test {
   private:
      static Botan::X509_Certificate load_test_X509_cert(const std::string& path) {
         return Botan::X509_Certificate(Test::data_file(path));
      }

      static Botan::OCSP::Response load_test_OCSP_resp(const std::string& path) {
         return Botan::OCSP::Response(Test::read_binary_data_file(path));
      }

      static Test::Result test_response_parsing() {
         Test::Result result("OCSP response parsing");

         // Simple parsing tests
         const std::vector<std::string> ocsp_input_paths = {
            "x509/ocsp/resp1.der", "x509/ocsp/resp2.der", "x509/ocsp/resp3.der"};

         for(const std::string& ocsp_input_path : ocsp_input_paths) {
            try {
               Botan::OCSP::Response resp(Test::read_binary_data_file(ocsp_input_path));
               result.confirm("parsing was successful", resp.status() == Botan::OCSP::Response_Status_Code::Successful);
               result.test_success("Parsed input " + ocsp_input_path);
            } catch(Botan::Exception& e) { result.test_failure("Parsing failed", e.what()); }
         }

         Botan::OCSP::Response resp(
            Test::read_binary_data_file("x509/ocsp/patrickschmidt_ocsp_try_later_wrong_sig.der"));
         result.confirm("parsing exposes correct status code",
                        resp.status() == Botan::OCSP::Response_Status_Code::Try_Later);

         return result;
      }

      static Test::Result test_response_certificate_access() {
         Test::Result result("OCSP response certificate access");

         try {
            Botan::OCSP::Response resp1(Test::read_binary_data_file("x509/ocsp/resp1.der"));
            const auto& certs1 = resp1.certificates();
            if(result.test_eq("Expected count of certificates", certs1.size(), 1)) {
               const auto& cert = certs1.front();
               const Botan::X509_DN expected_dn(
                  {std::make_pair("X520.CommonName", "Symantec Class 3 EV SSL CA - G3 OCSP Responder")});
               const bool matches = cert.subject_dn() == expected_dn;
               result.test_eq("CN matches expected", matches, true);
            }

            Botan::OCSP::Response resp2(Test::read_binary_data_file("x509/ocsp/resp2.der"));
            const auto& certs2 = resp2.certificates();
            result.test_eq("Expect no certificates", certs2.size(), 0);
         } catch(Botan::Exception& e) { result.test_failure("Parsing failed", e.what()); }

         return result;
      }

      static Test::Result test_request_encoding() {
         Test::Result result("OCSP request encoding");

         const Botan::X509_Certificate end_entity(Test::data_file("x509/ocsp/gmail.pem"));
         const Botan::X509_Certificate issuer(Test::data_file("x509/ocsp/google_g2.pem"));

         try {
            const Botan::OCSP::Request bogus(end_entity, issuer);
            result.test_failure("Bad arguments (swapped end entity, issuer) accepted");
         } catch(Botan::Invalid_Argument&) { result.test_success("Bad arguments rejected"); }

         const std::string expected_request =
            "ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFPLgavmFih2NcJtJGSN6qbUaKH5kBBRK3QYWG7z2aLV29YG2u2IaulqBLwIIQkg+DF+RYMY=";

         const Botan::OCSP::Request req1(issuer, end_entity);
         result.test_eq("Encoded OCSP request", req1.base64_encode(), expected_request);

         const Botan::OCSP::Request req2(issuer, BigInt::decode(end_entity.serial_number()));
         result.test_eq("Encoded OCSP request", req2.base64_encode(), expected_request);

         return result;
      }

      static Test::Result test_response_find_signing_certificate() {
         Test::Result result("OCSP response finding signature certificates");

         const std::optional<Botan::X509_Certificate> nullopt_cert;

         // OCSP response is signed by the issuing CA itself
         auto randombit_ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp.der");
         auto randombit_ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");

         // OCSP response is signed by an authorized responder certificate
         // issued by the issuing CA and embedded in the response
         auto bdr_ocsp = load_test_OCSP_resp("x509/ocsp/bdr-ocsp-resp.der");
         auto bdr_responder = load_test_X509_cert("x509/ocsp/bdr-ocsp-responder.pem");
         auto bdr_ca = load_test_X509_cert("x509/ocsp/bdr-int.pem");

         // Dummy OCSP response is not signed at all
         auto dummy_ocsp = Botan::OCSP::Response(Botan::Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE);

         // OCSP response is signed by 3rd party responder certificate that is
         // not included in the OCSP response itself
         // See `src/scripts/randombit_ocsp_forger.sh` for a helper script to recreate those.
         auto randombit_alt_resp_ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp_forged_valid_nocerts.der");
         auto randombit_alt_resp_cert = load_test_X509_cert("x509/ocsp/randombit_ocsp_forged_responder.pem");

         result.test_is_eq("Dummy has no signing certificate",
                           dummy_ocsp.find_signing_certificate(Botan::X509_Certificate()),
                           nullopt_cert);

         result.test_is_eq("CA is returned as signing certificate",
                           randombit_ocsp.find_signing_certificate(randombit_ca),
                           std::optional(randombit_ca));
         result.test_is_eq("No signer certificate is returned when signer couldn't be determined",
                           randombit_ocsp.find_signing_certificate(bdr_ca),
                           nullopt_cert);

         result.test_is_eq("Delegated responder certificate is returned for further validation",
                           bdr_ocsp.find_signing_certificate(bdr_ca),
                           std::optional(bdr_responder));

         result.test_is_eq("Delegated responder without stapled certs does not find signer without user-provided certs",
                           randombit_alt_resp_ocsp.find_signing_certificate(randombit_ca),
                           nullopt_cert);
         auto trusted_responders = std::make_unique<Botan::Certificate_Store_In_Memory>(randombit_alt_resp_cert);
         result.test_is_eq("Delegated responder returns user-provided cert",
                           randombit_alt_resp_ocsp.find_signing_certificate(randombit_ca, trusted_responders.get()),
                           std::optional(randombit_alt_resp_cert));

         return result;
      }

      static Test::Result test_response_verification_with_next_update_without_max_age() {
         Test::Result result("OCSP request check with next_update w/o max_age");

         auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");
         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/geotrust.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         auto ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp.der");

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,
                               const Botan::Certificate_Status_Code expected) {
            const auto ocsp_status = Botan::PKIX::check_ocsp(
               cert_path, {ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());

            return result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1) &&
                   result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1) &&
                   result.confirm(std::string("Status: '") + Botan::to_string(expected) + "'",
                                  ocsp_status[0].contains(expected));
         };

         check_ocsp(Botan::calendar_point(2016, 11, 11, 12, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
         check_ocsp(Botan::calendar_point(2016, 11, 18, 12, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2016, 11, 20, 8, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2016, 11, 28, 8, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_HAS_EXPIRED);

         return result;
      }

      static Test::Result test_response_verification_with_next_update_with_max_age() {
         Test::Result result("OCSP request check with next_update with max_age");

         auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");
         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/geotrust.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         auto ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp.der");

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         // Some arbitrary time within the validity period of the test certs
         const auto max_age = std::chrono::minutes(59);

         auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,
                               const Botan::Certificate_Status_Code expected) {
            Botan::Path_Validation_Restrictions pvr(false, 110, false, max_age);
            const auto ocsp_status = Botan::PKIX::check_ocsp(cert_path, {ocsp}, {&certstore}, valid_time, pvr);

            return result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1) &&
                   result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1) &&
                   result.confirm(std::string("Status: '") + Botan::to_string(expected) + "'",
                                  ocsp_status[0].contains(expected));
         };

         check_ocsp(Botan::calendar_point(2016, 11, 11, 12, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
         check_ocsp(Botan::calendar_point(2016, 11, 18, 12, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2016, 11, 20, 8, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2016, 11, 28, 8, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_HAS_EXPIRED);

         return result;
      }

      static Test::Result test_response_verification_without_next_update_with_max_age() {
         Test::Result result("OCSP request check w/o next_update with max_age");

         auto ee = load_test_X509_cert("x509/ocsp/patrickschmidt.pem");
         auto ca = load_test_X509_cert("x509/ocsp/bdrive_encryption.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/bdrive_root.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         auto ocsp = load_test_OCSP_resp("x509/ocsp/patrickschmidt_ocsp.der");

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         // Some arbitrary time within the validity period of the test certs
         const auto max_age = std::chrono::minutes(59);

         auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,
                               const Botan::Certificate_Status_Code expected) {
            Botan::Path_Validation_Restrictions pvr(false, 110, false, max_age);
            const auto ocsp_status = Botan::PKIX::check_ocsp(cert_path, {ocsp}, {&certstore}, valid_time, pvr);

            return result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1) &&
                   result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1) &&
                   result.confirm(std::string("Status: '") + Botan::to_string(expected) + "'",
                                  ocsp_status[0].contains(expected));
         };

         check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 0, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
         check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2019, 5, 28, 8, 0, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_IS_TOO_OLD);

         return result;
      }

      static Test::Result test_response_verification_without_next_update_without_max_age() {
         Test::Result result("OCSP request check w/o next_update w/o max_age");

         auto ee = load_test_X509_cert("x509/ocsp/patrickschmidt.pem");
         auto ca = load_test_X509_cert("x509/ocsp/bdrive_encryption.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/bdrive_root.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         auto ocsp = load_test_OCSP_resp("x509/ocsp/patrickschmidt_ocsp.der");

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,
                               const Botan::Certificate_Status_Code expected) {
            const auto ocsp_status = Botan::PKIX::check_ocsp(
               cert_path, {ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());

            return result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1) &&
                   result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1) &&
                   result.confirm(std::string("Status: '") + Botan::to_string(expected) + "'",
                                  ocsp_status[0].contains(expected));
         };

         check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 0, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
         check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2019, 5, 28, 8, 0, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);

         return result;
      }

      static Test::Result test_response_verification_softfail() {
         Test::Result result("OCSP request softfail check");

         auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");
         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/geotrust.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         Botan::OCSP::Response ocsp(Botan::Certificate_Status_Code::OCSP_NO_REVOCATION_URL);

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         // Some arbitrary time within the validity period of the test certs
         const auto valid_time = Botan::calendar_point(2016, 11, 20, 8, 30, 0).to_std_timepoint();
         const auto ocsp_status =
            Botan::PKIX::check_ocsp(cert_path, {ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());

         if(result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1)) {
            if(result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1)) {
               result.test_gt(
                  "Status warning", ocsp_status[0].count(Botan::Certificate_Status_Code::OCSP_NO_REVOCATION_URL), 0);
            }
         }

         return result;
      }

   #if defined(BOTAN_HAS_ONLINE_REVOCATION_CHECKS)
      static Test::Result test_online_request() {
         Test::Result result("OCSP online check");

         auto cert = load_test_X509_cert("x509/ocsp/digicert-ecdsa-int.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/digicert-root.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {cert, trust_root};

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         const auto ocsp_timeout = std::chrono::milliseconds(3000);
         const auto now = std::chrono::system_clock::now();
         auto ocsp_status = Botan::PKIX::check_ocsp_online(
            cert_path, {&certstore}, now, ocsp_timeout, Botan::Path_Validation_Restrictions());

         if(result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1)) {
            if(result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1)) {
               const bool status_good = ocsp_status[0].contains(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
               const bool server_not_found =
                  ocsp_status[0].contains(Botan::Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE);
               result.confirm("Expected status", status_good || server_not_found);
            }
         }

         return result;
      }
   #endif

      static Test::Result test_response_verification_with_additionally_trusted_responder() {
         Test::Result result("OCSP response with user-defined (additional) responder certificate");

         // OCSP response is signed by 3rd party responder certificate that is
         // not included in the OCSP response itself
         // See `src/scripts/randombit_ocsp_forger.sh` for a helper script to recreate those.
         auto ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp_forged_valid_nocerts.der");
         auto responder = load_test_X509_cert("x509/ocsp/randombit_ocsp_forged_responder.pem");
         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");

         std::optional<Botan::X509_Certificate> nullopt_cert;

         Botan::Certificate_Store_In_Memory trusted_responders;

         // without providing the 3rd party responder certificate no issuer will be found
         result.test_is_eq("cannot find signing certificate without trusted responders",
                           ocsp.find_signing_certificate(ca),
                           nullopt_cert);
         result.test_is_eq("cannot find signing certificate without additional help",
                           ocsp.find_signing_certificate(ca, &trusted_responders),
                           nullopt_cert);

         // add the 3rd party responder certificate to the list of trusted OCSP responder certs
         // to find the issuer certificate of this response
         trusted_responders.add_certificate(responder);
         result.test_is_eq("the responder certificate is returned when it is trusted",
                           ocsp.find_signing_certificate(ca, &trusted_responders),
                           std::optional(responder));

         result.test_is_eq("the responder's signature checks out",
                           ocsp.verify_signature(responder),
                           Botan::Certificate_Status_Code::OCSP_SIGNATURE_OK);

         return result;
      }

      static Test::Result test_responder_cert_with_nocheck_extension() {
         Test::Result result("BDr's OCSP response contains certificate featuring NoCheck extension");

         auto ocsp = load_test_OCSP_resp("x509/ocsp/bdr-ocsp-resp.der");
         const bool contains_cert_with_nocheck =
            std::find_if(ocsp.certificates().cbegin(), ocsp.certificates().cend(), [](const auto& cert) {
               return cert.v3_extensions().extension_set(Botan::OID::from_string("PKIX.OCSP.NoCheck"));
            }) != ocsp.certificates().end();

         result.confirm("Contains NoCheck extension", contains_cert_with_nocheck);

         return result;
      }

   public:
      std::vector<Test::Result> run() override {
         std::vector<Test::Result> results;

         results.push_back(test_request_encoding());
         results.push_back(test_response_parsing());
         results.push_back(test_response_certificate_access());
         results.push_back(test_response_find_signing_certificate());
         results.push_back(test_response_verification_with_next_update_without_max_age());
         results.push_back(test_response_verification_with_next_update_with_max_age());
         results.push_back(test_response_verification_without_next_update_with_max_age());
         results.push_back(test_response_verification_without_next_update_without_max_age());
         results.push_back(test_response_verification_softfail());
         results.push_back(test_response_verification_with_additionally_trusted_responder());
         results.push_back(test_responder_cert_with_nocheck_extension());

   #if defined(BOTAN_HAS_ONLINE_REVOCATION_CHECKS)
         if(Test::options().run_online_tests()) {
            results.push_back(test_online_request());
         }
   #endif

         return results;
      }
};

BOTAN_REGISTER_TEST("x509", "ocsp", OCSP_Tests);

#endif

}

1	/*
2	* (C) 2016 Jack Lloyd
3	* (C) 2022 René Meusel, Rohde & Schwarz Cybersecurity
4	*
5	* Botan is released under the Simplified BSD License (see license.txt)
6	*/
7
8	#include "botan/types.h"
9
10	#if defined(BOTAN_HAS_OCSP)
11	#include <botan/certstor.h>
12	#include <botan/ocsp.h>
13	#include <botan/x509path.h>
14	#include <botan/internal/calendar.h>
15	#include <fstream>
16	#endif
17
18	#include "tests.h"
19
20	namespace Botan_Tests {
21
22	#if defined(BOTAN_HAS_OCSP) && defined(BOTAN_HAS_RSA) && defined(BOTAN_HAS_EMSA_PKCS1) && \
23	defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
24
25	class OCSP_Tests final : public Test {	×
26	private:
27	static Botan::X509_Certificate load_test_X509_cert(const std::string& path) {	23✔
28	return Botan::X509_Certificate(Test::data_file(path));	46✔
29	}
30
31	static Botan::OCSP::Response load_test_OCSP_resp(const std::string& path) {	9✔
32	return Botan::OCSP::Response(Test::read_binary_data_file(path));	18✔
33	}
34
35	static Test::Result test_response_parsing() {	1✔
36	Test::Result result("OCSP response parsing");	1✔
37
38	// Simple parsing tests
39	const std::vector<std::string> ocsp_input_paths = {	1✔
40	"x509/ocsp/resp1.der", "x509/ocsp/resp2.der", "x509/ocsp/resp3.der"};	4✔
41
42	for(const std::string& ocsp_input_path : ocsp_input_paths) {	4✔
43	try {	3✔
44	Botan::OCSP::Response resp(Test::read_binary_data_file(ocsp_input_path));	6✔
45	result.confirm("parsing was successful", resp.status() == Botan::OCSP::Response_Status_Code::Successful);	6✔
46	result.test_success("Parsed input " + ocsp_input_path);	3✔
47	} catch(Botan::Exception& e) { result.test_failure("Parsing failed", e.what()); }	3✔
48	}
49
50	Botan::OCSP::Response resp(	1✔
51	Test::read_binary_data_file("x509/ocsp/patrickschmidt_ocsp_try_later_wrong_sig.der"));	3✔
52	result.confirm("parsing exposes correct status code",	2✔
53	resp.status() == Botan::OCSP::Response_Status_Code::Try_Later);	1✔
54
55	return result;	1✔
56	}	1✔
57
58	static Test::Result test_response_certificate_access() {	1✔
59	Test::Result result("OCSP response certificate access");	1✔
60
61	try {	1✔
62	Botan::OCSP::Response resp1(Test::read_binary_data_file("x509/ocsp/resp1.der"));	3✔
63	const auto& certs1 = resp1.certificates();	1✔
64	if(result.test_eq("Expected count of certificates", certs1.size(), 1)) {	2✔
65	const auto& cert = certs1.front();	1✔
66	const Botan::X509_DN expected_dn(	1✔
67	{std::make_pair("X520.CommonName", "Symantec Class 3 EV SSL CA - G3 OCSP Responder")});	3✔
68	const bool matches = cert.subject_dn() == expected_dn;	1✔
69	result.test_eq("CN matches expected", matches, true);	1✔
70	}	1✔
71
72	Botan::OCSP::Response resp2(Test::read_binary_data_file("x509/ocsp/resp2.der"));	3✔
73	const auto& certs2 = resp2.certificates();	1✔
74	result.test_eq("Expect no certificates", certs2.size(), 0);	1✔
75	} catch(Botan::Exception& e) { result.test_failure("Parsing failed", e.what()); }	1✔
76
77	return result;	1✔
78	}	×
79
80	static Test::Result test_request_encoding() {	1✔
81	Test::Result result("OCSP request encoding");	1✔
82
83	const Botan::X509_Certificate end_entity(Test::data_file("x509/ocsp/gmail.pem"));	2✔
84	const Botan::X509_Certificate issuer(Test::data_file("x509/ocsp/google_g2.pem"));	2✔
85
86	try {	1✔
87	const Botan::OCSP::Request bogus(end_entity, issuer);	1✔
88	result.test_failure("Bad arguments (swapped end entity, issuer) accepted");	×
89	} catch(Botan::Invalid_Argument&) { result.test_success("Bad arguments rejected"); }	2✔
90
91	const std::string expected_request =	1✔
92	"ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFPLgavmFih2NcJtJGSN6qbUaKH5kBBRK3QYWG7z2aLV29YG2u2IaulqBLwIIQkg+DF+RYMY=";	1✔
93
94	const Botan::OCSP::Request req1(issuer, end_entity);	1✔
95	result.test_eq("Encoded OCSP request", req1.base64_encode(), expected_request);	2✔
96
97	const Botan::OCSP::Request req2(issuer, BigInt::decode(end_entity.serial_number()));	2✔
98	result.test_eq("Encoded OCSP request", req2.base64_encode(), expected_request);	2✔
99
100	return result;	2✔
101	}	3✔
102
103	static Test::Result test_response_find_signing_certificate() {	1✔
104	Test::Result result("OCSP response finding signature certificates");	1✔
105
106	const std::optional<Botan::X509_Certificate> nullopt_cert;	1✔
107
108	// OCSP response is signed by the issuing CA itself
109	auto randombit_ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp.der");	1✔
110	auto randombit_ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");	1✔
111
112	// OCSP response is signed by an authorized responder certificate
113	// issued by the issuing CA and embedded in the response
114	auto bdr_ocsp = load_test_OCSP_resp("x509/ocsp/bdr-ocsp-resp.der");	1✔
115	auto bdr_responder = load_test_X509_cert("x509/ocsp/bdr-ocsp-responder.pem");	1✔
116	auto bdr_ca = load_test_X509_cert("x509/ocsp/bdr-int.pem");	1✔
117
118	// Dummy OCSP response is not signed at all
119	auto dummy_ocsp = Botan::OCSP::Response(Botan::Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE);	1✔
120
121	// OCSP response is signed by 3rd party responder certificate that is
122	// not included in the OCSP response itself
123	// See `src/scripts/randombit_ocsp_forger.sh` for a helper script to recreate those.
124	auto randombit_alt_resp_ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp_forged_valid_nocerts.der");	1✔
125	auto randombit_alt_resp_cert = load_test_X509_cert("x509/ocsp/randombit_ocsp_forged_responder.pem");	1✔
126
127	result.test_is_eq("Dummy has no signing certificate",	2✔
128	dummy_ocsp.find_signing_certificate(Botan::X509_Certificate()),	2✔
129	nullopt_cert);
130
131	result.test_is_eq("CA is returned as signing certificate",	3✔
132	randombit_ocsp.find_signing_certificate(randombit_ca),	1✔
133	std::optional(randombit_ca));	1✔
134	result.test_is_eq("No signer certificate is returned when signer couldn't be determined",	2✔
135	randombit_ocsp.find_signing_certificate(bdr_ca),	1✔
136	nullopt_cert);
137
138	result.test_is_eq("Delegated responder certificate is returned for further validation",	3✔
139	bdr_ocsp.find_signing_certificate(bdr_ca),	1✔
140	std::optional(bdr_responder));	1✔
141
142	result.test_is_eq("Delegated responder without stapled certs does not find signer without user-provided certs",	2✔
143	randombit_alt_resp_ocsp.find_signing_certificate(randombit_ca),	1✔
144	nullopt_cert);
145	auto trusted_responders = std::make_unique<Botan::Certificate_Store_In_Memory>(randombit_alt_resp_cert);	1✔
146	result.test_is_eq("Delegated responder returns user-provided cert",	3✔
147	randombit_alt_resp_ocsp.find_signing_certificate(randombit_ca, trusted_responders.get()),	2✔
148	std::optional(randombit_alt_resp_cert));	1✔
149
150	return result;	2✔
151	}	1✔
152
153	static Test::Result test_response_verification_with_next_update_without_max_age() {	1✔
154	Test::Result result("OCSP request check with next_update w/o max_age");	1✔
155
156	auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");	2✔
157	auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");	1✔
158	auto trust_root = load_test_X509_cert("x509/ocsp/geotrust.pem");	1✔
159
160	const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};	4✔
161
162	auto ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp.der");	1✔
163
164	Botan::Certificate_Store_In_Memory certstore;	1✔
165	certstore.add_certificate(trust_root);	1✔
166
167	auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,	5✔
168	const Botan::Certificate_Status_Code expected) {
169	const auto ocsp_status = Botan::PKIX::check_ocsp(	8✔
170	cert_path, {ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());	16✔
171
172	return result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1) &&	12✔
173	result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1) &&	12✔
174	result.confirm(std::string("Status: '") + Botan::to_string(expected) + "'",	20✔
175	ocsp_status[0].contains(expected));	12✔
176	};	4✔
177
178	check_ocsp(Botan::calendar_point(2016, 11, 11, 12, 30, 0).to_std_timepoint(),	1✔
179	Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
180	check_ocsp(Botan::calendar_point(2016, 11, 18, 12, 30, 0).to_std_timepoint(),	1✔
181	Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
182	check_ocsp(Botan::calendar_point(2016, 11, 20, 8, 30, 0).to_std_timepoint(),	1✔
183	Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
184	check_ocsp(Botan::calendar_point(2016, 11, 28, 8, 30, 0).to_std_timepoint(),	1✔
185	Botan::Certificate_Status_Code::OCSP_HAS_EXPIRED);
186
187	return result;	1✔
188	}	1✔
189
190	static Test::Result test_response_verification_with_next_update_with_max_age() {	1✔
191	Test::Result result("OCSP request check with next_update with max_age");	1✔
192
193	auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");	1✔
194	auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");	1✔
195	auto trust_root = load_test_X509_cert("x509/ocsp/geotrust.pem");	1✔
196
197	const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};	4✔
198
199	auto ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp.der");	1✔
200
201	Botan::Certificate_Store_In_Memory certstore;	1✔
202	certstore.add_certificate(trust_root);	1✔
203
204	// Some arbitrary time within the validity period of the test certs
205	const auto max_age = std::chrono::minutes(59);	1✔
206
207	auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,	5✔
208	const Botan::Certificate_Status_Code expected) {
209	Botan::Path_Validation_Restrictions pvr(false, 110, false, max_age);	4✔
210	const auto ocsp_status = Botan::PKIX::check_ocsp(cert_path, {ocsp}, {&certstore}, valid_time, pvr);	12✔
211
212	return result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1) &&	12✔
213	result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1) &&	12✔
214	result.confirm(std::string("Status: '") + Botan::to_string(expected) + "'",	20✔
215	ocsp_status[0].contains(expected));	12✔
216	};	4✔
217
218	check_ocsp(Botan::calendar_point(2016, 11, 11, 12, 30, 0).to_std_timepoint(),	1✔
219	Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
220	check_ocsp(Botan::calendar_point(2016, 11, 18, 12, 30, 0).to_std_timepoint(),	1✔
221	Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
222	check_ocsp(Botan::calendar_point(2016, 11, 20, 8, 30, 0).to_std_timepoint(),	1✔
223	Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
224	check_ocsp(Botan::calendar_point(2016, 11, 28, 8, 30, 0).to_std_timepoint(),	1✔
225	Botan::Certificate_Status_Code::OCSP_HAS_EXPIRED);
226
227	return result;	1✔
228	}	1✔
229
230	static Test::Result test_response_verification_without_next_update_with_max_age() {	1✔
231	Test::Result result("OCSP request check w/o next_update with max_age");	1✔
232
233	auto ee = load_test_X509_cert("x509/ocsp/patrickschmidt.pem");	1✔
234	auto ca = load_test_X509_cert("x509/ocsp/bdrive_encryption.pem");	1✔
235	auto trust_root = load_test_X509_cert("x509/ocsp/bdrive_root.pem");	1✔
236
237	const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};	4✔
238
239	auto ocsp = load_test_OCSP_resp("x509/ocsp/patrickschmidt_ocsp.der");	1✔
240
241	Botan::Certificate_Store_In_Memory certstore;	1✔
242	certstore.add_certificate(trust_root);	1✔
243
244	// Some arbitrary time within the validity period of the test certs
245	const auto max_age = std::chrono::minutes(59);	1✔
246
247	auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,	4✔
248	const Botan::Certificate_Status_Code expected) {
249	Botan::Path_Validation_Restrictions pvr(false, 110, false, max_age);	3✔
250	const auto ocsp_status = Botan::PKIX::check_ocsp(cert_path, {ocsp}, {&certstore}, valid_time, pvr);	9✔
251
252	return result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1) &&	9✔
253	result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1) &&	9✔
254	result.confirm(std::string("Status: '") + Botan::to_string(expected) + "'",	15✔
255	ocsp_status[0].contains(expected));	9✔
256	};	3✔
257
258	check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 0, 0).to_std_timepoint(),	1✔
259	Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
260	check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 30, 0).to_std_timepoint(),	1✔
261	Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
262	check_ocsp(Botan::calendar_point(2019, 5, 28, 8, 0, 0).to_std_timepoint(),	1✔
263	Botan::Certificate_Status_Code::OCSP_IS_TOO_OLD);
264
265	return result;	1✔
266	}	1✔
267
268	static Test::Result test_response_verification_without_next_update_without_max_age() {	1✔
269	Test::Result result("OCSP request check w/o next_update w/o max_age");	1✔
270
271	auto ee = load_test_X509_cert("x509/ocsp/patrickschmidt.pem");	1✔
272	auto ca = load_test_X509_cert("x509/ocsp/bdrive_encryption.pem");	1✔
273	auto trust_root = load_test_X509_cert("x509/ocsp/bdrive_root.pem");	1✔
274
275	const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};	4✔
276
277	auto ocsp = load_test_OCSP_resp("x509/ocsp/patrickschmidt_ocsp.der");	1✔
278
279	Botan::Certificate_Store_In_Memory certstore;	1✔
280	certstore.add_certificate(trust_root);	1✔
281
282	auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,	4✔
283	const Botan::Certificate_Status_Code expected) {
284	const auto ocsp_status = Botan::PKIX::check_ocsp(	6✔
285	cert_path, {ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());	12✔
286
287	return result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1) &&	9✔
288	result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1) &&	9✔
289	result.confirm(std::string("Status: '") + Botan::to_string(expected) + "'",	15✔
290	ocsp_status[0].contains(expected));	9✔
291	};	3✔
292
293	check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 0, 0).to_std_timepoint(),	1✔
294	Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
295	check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 30, 0).to_std_timepoint(),	1✔
296	Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
297	check_ocsp(Botan::calendar_point(2019, 5, 28, 8, 0, 0).to_std_timepoint(),	1✔
298	Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
299
300	return result;	1✔
301	}	1✔
302
303	static Test::Result test_response_verification_softfail() {	1✔
304	Test::Result result("OCSP request softfail check");	1✔
305
306	auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");	1✔
307	auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");	1✔
308	auto trust_root = load_test_X509_cert("x509/ocsp/geotrust.pem");	1✔
309
310	const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};	4✔
311
312	Botan::OCSP::Response ocsp(Botan::Certificate_Status_Code::OCSP_NO_REVOCATION_URL);	1✔
313
314	Botan::Certificate_Store_In_Memory certstore;	1✔
315	certstore.add_certificate(trust_root);	1✔
316
317	// Some arbitrary time within the validity period of the test certs
318	const auto valid_time = Botan::calendar_point(2016, 11, 20, 8, 30, 0).to_std_timepoint();	1✔
319	const auto ocsp_status =	1✔
320	Botan::PKIX::check_ocsp(cert_path, {ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());	5✔
321
322	if(result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1)) {	2✔
323	if(result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1)) {	2✔
324	result.test_gt(	3✔
325	"Status warning", ocsp_status[0].count(Botan::Certificate_Status_Code::OCSP_NO_REVOCATION_URL), 0);	1✔
326	}
327	}
328
329	return result;	1✔
330	}	1✔
331
332	#if defined(BOTAN_HAS_ONLINE_REVOCATION_CHECKS)
333	static Test::Result test_online_request() {	1✔
334	Test::Result result("OCSP online check");	1✔
335
336	auto cert = load_test_X509_cert("x509/ocsp/digicert-ecdsa-int.pem");	1✔
337	auto trust_root = load_test_X509_cert("x509/ocsp/digicert-root.pem");	1✔
338
339	const std::vector<Botan::X509_Certificate> cert_path = {cert, trust_root};	3✔
340
341	Botan::Certificate_Store_In_Memory certstore;	1✔
342	certstore.add_certificate(trust_root);	1✔
343
344	const auto ocsp_timeout = std::chrono::milliseconds(3000);	1✔
345	const auto now = std::chrono::system_clock::now();	1✔
346	auto ocsp_status = Botan::PKIX::check_ocsp_online(	1✔
347	cert_path, {&certstore}, now, ocsp_timeout, Botan::Path_Validation_Restrictions());	2✔
348
349	if(result.test_eq("Expected size of ocsp_status", ocsp_status.size(), 1)) {	2✔
350	if(result.test_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1)) {	2✔
351	const bool status_good = ocsp_status[0].contains(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);	1✔
352	const bool server_not_found =	1✔
353	ocsp_status[0].contains(Botan::Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE);	1✔
354	result.confirm("Expected status", status_good \|\| server_not_found);	2✔
355	}
356	}
357
358	return result;	1✔
359	}	1✔
360	#endif
361
362	static Test::Result test_response_verification_with_additionally_trusted_responder() {	1✔
363	Test::Result result("OCSP response with user-defined (additional) responder certificate");	1✔
364
365	// OCSP response is signed by 3rd party responder certificate that is
366	// not included in the OCSP response itself
367	// See `src/scripts/randombit_ocsp_forger.sh` for a helper script to recreate those.
368	auto ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp_forged_valid_nocerts.der");	1✔
369	auto responder = load_test_X509_cert("x509/ocsp/randombit_ocsp_forged_responder.pem");	1✔
370	auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");	1✔
371
372	std::optional<Botan::X509_Certificate> nullopt_cert;	1✔
373
374	Botan::Certificate_Store_In_Memory trusted_responders;	1✔
375
376	// without providing the 3rd party responder certificate no issuer will be found
377	result.test_is_eq("cannot find signing certificate without trusted responders",	2✔
378	ocsp.find_signing_certificate(ca),	1✔
379	nullopt_cert);
380	result.test_is_eq("cannot find signing certificate without additional help",	2✔
381	ocsp.find_signing_certificate(ca, &trusted_responders),	1✔
382	nullopt_cert);
383
384	// add the 3rd party responder certificate to the list of trusted OCSP responder certs
385	// to find the issuer certificate of this response
386	trusted_responders.add_certificate(responder);	1✔
387	result.test_is_eq("the responder certificate is returned when it is trusted",	3✔
388	ocsp.find_signing_certificate(ca, &trusted_responders),	1✔
389	std::optional(responder));	1✔
390
391	result.test_is_eq("the responder's signature checks out",	1✔
392	ocsp.verify_signature(responder),	1✔
393	Botan::Certificate_Status_Code::OCSP_SIGNATURE_OK);	1✔
394
395	return result;	1✔
396	}	1✔
397
398	static Test::Result test_responder_cert_with_nocheck_extension() {	1✔
399	Test::Result result("BDr's OCSP response contains certificate featuring NoCheck extension");	1✔
400
401	auto ocsp = load_test_OCSP_resp("x509/ocsp/bdr-ocsp-resp.der");	1✔
402	const bool contains_cert_with_nocheck =	1✔
403	std::find_if(ocsp.certificates().cbegin(), ocsp.certificates().cend(), [](const auto& cert) {	1✔
404	return cert.v3_extensions().extension_set(Botan::OID::from_string("PKIX.OCSP.NoCheck"));	1✔
405	}) != ocsp.certificates().end();	1✔
406
407	result.confirm("Contains NoCheck extension", contains_cert_with_nocheck);	2✔
408
409	return result;	1✔
410	}	1✔
411
412	public:
413	std::vector<Test::Result> run() override {	1✔
414	std::vector<Test::Result> results;	1✔
415
416	results.push_back(test_request_encoding());	2✔
417	results.push_back(test_response_parsing());	2✔
418	results.push_back(test_response_certificate_access());	2✔
419	results.push_back(test_response_find_signing_certificate());	2✔
420	results.push_back(test_response_verification_with_next_update_without_max_age());	2✔
421	results.push_back(test_response_verification_with_next_update_with_max_age());	2✔
422	results.push_back(test_response_verification_without_next_update_with_max_age());	2✔
423	results.push_back(test_response_verification_without_next_update_without_max_age());	2✔
424	results.push_back(test_response_verification_softfail());	2✔
425	results.push_back(test_response_verification_with_additionally_trusted_responder());	2✔
426	results.push_back(test_responder_cert_with_nocheck_extension());	2✔
427
428	#if defined(BOTAN_HAS_ONLINE_REVOCATION_CHECKS)
429	if(Test::options().run_online_tests()) {	1✔
430	results.push_back(test_online_request());	2✔
431	}
432	#endif
433
434	return results;	1✔
435	}	×
436	};
437
438	BOTAN_REGISTER_TEST("x509", "ocsp", OCSP_Tests);
439
440	#endif
441
442	}

randombit / botan / 5079590438

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous