25457312714

Committed 06 May 2026 07:43PM UTC coverage: 89.331% (-2.3%) from 91.667%

Build # 25457312714

Build Type

push

github

Committed by

randombit

Commit Message

In TLS 1.3 verification of client certs, check the correct extension for OCSP

This was checking if the client asked us (the server) for OCSP, instead of
checking if we asked the client for OCSP when we sent the CertificateRequest.

Coverage Stats

107574 of 120422 relevant lines covered (89.33%)

11482758.98 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

98.0

/src/tests/test_ocsp.cpp

/*
* (C) 2016 Jack Lloyd
* (C) 2022 René Meusel, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include "tests.h"

#if defined(BOTAN_HAS_OCSP)
   #include "test_arb_eq.h"
   #include <botan/certstor.h>
   #include <botan/ocsp.h>
   #include <botan/x509path.h>
   #include <botan/internal/calendar.h>
#endif

namespace Botan_Tests {

namespace {

#if defined(BOTAN_HAS_OCSP) && defined(BOTAN_HAS_RSA) && defined(BOTAN_HAS_EMSA_PKCS1) && \
   defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)

class OCSP_Tests final : public Test {
   private:
      static Botan::X509_Certificate load_test_X509_cert(const std::string& path) {
         return Botan::X509_Certificate(Test::data_file(path));
      }

      static Botan::OCSP::Response load_test_OCSP_resp(const std::string& path) {
         return Botan::OCSP::Response(Test::read_binary_data_file(path));
      }

      static Test::Result test_response_parsing() {
         Test::Result result("OCSP response parsing");

         // Simple parsing tests
         const std::vector<std::string> ocsp_input_paths = {
            "x509/ocsp/resp1.der", "x509/ocsp/resp2.der", "x509/ocsp/resp3.der"};

         for(const std::string& ocsp_input_path : ocsp_input_paths) {
            try {
               const Botan::OCSP::Response resp(Test::read_binary_data_file(ocsp_input_path));
               result.test_enum_eq(
                  "parsing was successful", resp.status(), Botan::OCSP::Response_Status_Code::Successful);
               result.test_success("Parsed input " + ocsp_input_path);
            } catch(Botan::Exception& e) {
               result.test_failure("Parsing failed", e.what());
            }
         }

         const Botan::OCSP::Response resp(
            Test::read_binary_data_file("x509/ocsp/patrickschmidt_ocsp_try_later_wrong_sig.der"));
         result.test_enum_eq(
            "parsing exposes correct status code", resp.status(), Botan::OCSP::Response_Status_Code::Try_Later);

         return result;
      }

      static Test::Result test_response_with_bykey_responder_id() {
         // RFC 6960's ASN.1 module is "DEFINITIONS EXPLICIT TAGS" and ResponderID's
         // CHOICE alternatives are not marked IMPLICIT, so byKey is encoded as
         // constructed [2] wrapping a primitive OCTET STRING. The data below
         // was produced using `openssl ocsp ... -resp_key_id`
         Test::Result result("OCSP response with byKey ResponderID");

         const Botan::OCSP::Response resp(Test::read_binary_data_file("x509/ocsp/byKey_responderID.der"));
         result.test_enum_eq(
            "Successful response status", resp.status(), Botan::OCSP::Response_Status_Code::Successful);

         const auto responder = load_test_X509_cert("x509/ocsp/byKey_responder.pem");

         result.test_is_true("byKey response has empty signer_name", resp.signer_name().empty());
         result.test_sz_eq("byKey hash is 20 bytes (SHA-1)", resp.signer_key_hash().size(), 20);
         result.test_bin_eq("byKey hash matches responder pubkey SHA-1",
                            resp.signer_key_hash(),
                            responder.subject_public_key_bitstring_sha1());

         test_arb_eq(
            result, "Responder is found via byKey", resp.find_signing_certificate(responder), std::optional(responder));

         return result;
      }

      static Test::Result test_response_certificate_access() {
         Test::Result result("OCSP response certificate access");

         try {
            const Botan::OCSP::Response resp1(Test::read_binary_data_file("x509/ocsp/resp1.der"));
            const auto& certs1 = resp1.certificates();
            if(result.test_sz_eq("Expected count of certificates", certs1.size(), 1)) {
               const auto& cert = certs1.front();
               const Botan::X509_DN expected_dn(
                  {std::make_pair("X520.CommonName", "Symantec Class 3 EV SSL CA - G3 OCSP Responder")});
               const bool matches = cert.subject_dn() == expected_dn;
               result.test_is_true("CN matches expected", matches);
            }

            const Botan::OCSP::Response resp2(Test::read_binary_data_file("x509/ocsp/resp2.der"));
            const auto& certs2 = resp2.certificates();
            result.test_sz_eq("Expect no certificates", certs2.size(), 0);
         } catch(Botan::Exception& e) {
            result.test_failure("Parsing failed", e.what());
         }

         return result;
      }

      static Test::Result test_request_encoding() {
         Test::Result result("OCSP request encoding");

         const Botan::X509_Certificate end_entity(Test::data_file("x509/ocsp/gmail.pem"));
         const Botan::X509_Certificate issuer(Test::data_file("x509/ocsp/google_g2.pem"));

         try {
            const Botan::OCSP::Request bogus(end_entity, issuer);
            result.test_failure("Bad arguments (swapped end entity, issuer) accepted");
         } catch(Botan::Invalid_Argument&) {
            result.test_success("Bad arguments rejected");
         }

         const std::string expected_request =
            "ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFPLgavmFih2NcJtJGSN6qbUaKH5kBBRK3QYWG7z2aLV29YG2u2IaulqBLwIIQkg+DF+RYMY=";

         const Botan::OCSP::Request req1(issuer, end_entity);
         result.test_str_eq("Encoded OCSP request", req1.base64_encode(), expected_request);

         const Botan::OCSP::Request req2(issuer, BigInt::from_bytes(end_entity.serial_number()));
         result.test_str_eq("Encoded OCSP request", req2.base64_encode(), expected_request);

         return result;
      }

      static Test::Result test_response_find_signing_certificate() {
         Test::Result result("OCSP response finding signature certificates");

         // OCSP response is signed by the issuing CA itself
         auto randombit_ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp.der");
         auto randombit_ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");

         // OCSP response is signed by an authorized responder certificate
         // issued by the issuing CA and embedded in the response
         auto bdr_ocsp = load_test_OCSP_resp("x509/ocsp/bdr-ocsp-resp.der");
         auto bdr_responder = load_test_X509_cert("x509/ocsp/bdr-ocsp-responder.pem");
         auto bdr_ca = load_test_X509_cert("x509/ocsp/bdr-int.pem");

         // The response in bdr_ocsp contains two certificates
         if(result.test_sz_eq("both certificates found", bdr_ocsp.certificates().size(), 2)) {
            result.test_str_eq("first cert in response",
                               bdr_ocsp.certificates()[0].subject_info("X520.CommonName").at(0),
                               "D-TRUST OCSP 4 2-2 EV 2016");
            result.test_str_eq("second cert in response",
                               bdr_ocsp.certificates()[1].subject_info("X520.CommonName").at(0),
                               "D-TRUST CA 2-2 EV 2016");
         }

         // Dummy OCSP response is not signed at all
         auto dummy_ocsp = Botan::OCSP::Response(Botan::Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE);

         // OCSP response is signed by 3rd party responder certificate that is
         // not included in the OCSP response itself
         // See `src/scripts/randombit_ocsp_forger.sh` for a helper script to recreate those.
         auto randombit_alt_resp_ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp_forged_valid_nocerts.der");
         auto randombit_alt_resp_cert = load_test_X509_cert("x509/ocsp/randombit_ocsp_forged_responder.pem");

         result.test_opt_is_null("Dummy has no signing certificate",
                                 dummy_ocsp.find_signing_certificate(Botan::X509_Certificate()));

         test_arb_eq(result,
                     "CA is returned as signing certificate",
                     randombit_ocsp.find_signing_certificate(randombit_ca),
                     std::optional(randombit_ca));
         result.test_opt_is_null("No signer certificate is returned when signer couldn't be determined",
                                 randombit_ocsp.find_signing_certificate(bdr_ca));

         test_arb_eq(result,
                     "Delegated responder certificate is returned for further validation",
                     bdr_ocsp.find_signing_certificate(bdr_ca),
                     std::optional(bdr_responder));

         result.test_opt_is_null(
            "Delegated responder without stapled certs does not find signer without user-provided certs",
            randombit_alt_resp_ocsp.find_signing_certificate(randombit_ca));

         auto trusted_responders = std::make_unique<Botan::Certificate_Store_In_Memory>(randombit_alt_resp_cert);
         test_arb_eq(result,
                     "Delegated responder returns user-provided cert",
                     randombit_alt_resp_ocsp.find_signing_certificate(randombit_ca, trusted_responders.get()),
                     std::optional(randombit_alt_resp_cert));

         return result;
      }

      static Test::Result test_response_verification_with_next_update_without_max_age() {
         Test::Result result("OCSP request check with next_update w/o max_age");

         auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");
         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/geotrust.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         auto ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp.der");

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,
                               const Botan::Certificate_Status_Code expected) {
            const auto ocsp_status = Botan::PKIX::check_ocsp(
               cert_path, {ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());

            return result.test_sz_eq("Expected size of ocsp_status", ocsp_status.size(), 2) &&
                   result.test_sz_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1) &&
                   result.test_is_true(std::string("Status: '") + Botan::to_string(expected) + "'",
                                       ocsp_status[0].contains(expected));
         };

         check_ocsp(Botan::calendar_point(2016, 11, 11, 12, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
         check_ocsp(Botan::calendar_point(2016, 11, 18, 12, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2016, 11, 20, 8, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2016, 11, 28, 8, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_HAS_EXPIRED);

         return result;
      }

      static Test::Result test_response_verification_with_next_update_with_max_age() {
         Test::Result result("OCSP request check with next_update with max_age");

         auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");
         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/geotrust.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         auto ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp.der");

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         // Some arbitrary time within the validity period of the test certs
         const auto max_age = std::chrono::minutes(59);

         auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,
                               const Botan::Certificate_Status_Code expected) {
            const Botan::Path_Validation_Restrictions pvr(false, 110, false, max_age);
            const auto ocsp_status = Botan::PKIX::check_ocsp(cert_path, {ocsp}, {&certstore}, valid_time, pvr);

            return result.test_sz_eq("Expected size of ocsp_status", ocsp_status.size(), 2) &&
                   result.test_sz_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1) &&
                   result.test_is_true(std::string("Status: '") + Botan::to_string(expected) + "'",
                                       ocsp_status[0].contains(expected));
         };

         check_ocsp(Botan::calendar_point(2016, 11, 11, 12, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
         check_ocsp(Botan::calendar_point(2016, 11, 18, 12, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2016, 11, 20, 8, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2016, 11, 28, 8, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_HAS_EXPIRED);

         return result;
      }

      static Test::Result test_response_verification_without_next_update_with_max_age() {
         Test::Result result("OCSP request check w/o next_update with max_age");

         auto ee = load_test_X509_cert("x509/ocsp/patrickschmidt.pem");
         auto ca = load_test_X509_cert("x509/ocsp/bdrive_encryption.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/bdrive_root.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         auto ocsp = load_test_OCSP_resp("x509/ocsp/patrickschmidt_ocsp.der");

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         // Some arbitrary time within the validity period of the test certs
         const auto max_age = std::chrono::minutes(59);

         auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,
                               const Botan::Certificate_Status_Code expected) {
            const Botan::Path_Validation_Restrictions pvr(false, 110, false, max_age);
            const auto ocsp_status = Botan::PKIX::check_ocsp(cert_path, {ocsp}, {&certstore}, valid_time, pvr);

            result.test_sz_eq("Expected size of ocsp_status", ocsp_status.size(), 2);

            if(!ocsp_status.empty()) {
               result.test_sz_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1);

               result.test_is_true(std::string("Status: '") + Botan::to_string(expected) + "'",
                                   ocsp_status[0].contains(expected));
            }
         };

         check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 0, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
         check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2019, 5, 28, 8, 0, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_IS_TOO_OLD);

         return result;
      }

      static Test::Result test_response_verification_without_next_update_without_max_age() {
         Test::Result result("OCSP request check w/o next_update w/o max_age");

         auto ee = load_test_X509_cert("x509/ocsp/patrickschmidt.pem");
         auto ca = load_test_X509_cert("x509/ocsp/bdrive_encryption.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/bdrive_root.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         auto ocsp = load_test_OCSP_resp("x509/ocsp/patrickschmidt_ocsp.der");

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         auto check_ocsp = [&](const std::chrono::system_clock::time_point valid_time,
                               const Botan::Certificate_Status_Code expected) {
            const auto ocsp_status = Botan::PKIX::check_ocsp(
               cert_path, {ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());

            result.test_sz_eq("Expected size of ocsp_status", ocsp_status.size(), 2);

            if(!ocsp_status.empty()) {
               result.test_sz_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1);
               result.test_is_true(std::string("Status: '") + Botan::to_string(expected) + "'",
                                   ocsp_status[0].contains(expected));
            }
         };

         check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 0, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
         check_ocsp(Botan::calendar_point(2019, 5, 28, 7, 30, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
         check_ocsp(Botan::calendar_point(2019, 5, 28, 8, 0, 0).to_std_timepoint(),
                    Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);

         return result;
      }

      static Test::Result test_response_verification_softfail() {
         Test::Result result("OCSP request softfail check");

         auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");
         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/geotrust.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         Botan::OCSP::Response ocsp(Botan::Certificate_Status_Code::OCSP_NO_REVOCATION_URL);

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         // Some arbitrary time within the validity period of the test certs
         const auto valid_time = Botan::calendar_point(2016, 11, 20, 8, 30, 0).to_std_timepoint();
         const auto ocsp_status =
            Botan::PKIX::check_ocsp(cert_path, {ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());

         if(result.test_sz_eq("Expected size of ocsp_status", ocsp_status.size(), 2)) {
            if(result.test_sz_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1)) {
               result.test_sz_gt(
                  "Status warning", ocsp_status[0].count(Botan::Certificate_Status_Code::OCSP_NO_REVOCATION_URL), 0);
            }
         }

         return result;
      }

   #if defined(BOTAN_HAS_ONLINE_REVOCATION_CHECKS)
      static Test::Result test_online_request() {
         Test::Result result("OCSP online check");

         auto cert = load_test_X509_cert("x509/ocsp/digicert-ecdsa-int.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/digicert-root.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {cert, trust_root};

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         const auto ocsp_timeout = std::chrono::milliseconds(3000);
         const auto now = std::chrono::system_clock::now();
         auto ocsp_status = Botan::PKIX::check_ocsp_online(
            cert_path, {&certstore}, now, ocsp_timeout, Botan::Path_Validation_Restrictions());

         if(result.test_sz_eq("Expected size of ocsp_status", ocsp_status.size(), 1)) {
            if(result.test_sz_eq("Expected size of ocsp_status[0]", ocsp_status[0].size(), 1)) {
               const bool status_good = ocsp_status[0].contains(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD);
               const bool server_not_found =
                  ocsp_status[0].contains(Botan::Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE);
               result.test_is_true("Expected status", status_good || server_not_found);
            }
         }

         return result;
      }
   #endif

      static Test::Result test_response_verification_with_additionally_trusted_responder() {
         Test::Result result("OCSP response with user-defined (additional) responder certificate");

         // OCSP response is signed by 3rd party responder certificate that is
         // not included in the OCSP response itself
         // See `src/scripts/randombit_ocsp_forger.sh` for a helper script to recreate those.
         auto ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp_forged_valid_nocerts.der");
         auto responder = load_test_X509_cert("x509/ocsp/randombit_ocsp_forged_responder.pem");
         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");

         Botan::Certificate_Store_In_Memory trusted_responders;

         // without providing the 3rd party responder certificate no issuer will be found
         result.test_opt_is_null("cannot find signing certificate without trusted responders",
                                 ocsp.find_signing_certificate(ca));
         result.test_opt_is_null("cannot find signing certificate without additional help",
                                 ocsp.find_signing_certificate(ca, &trusted_responders));

         // add the 3rd party responder certificate to the list of trusted OCSP responder certs
         // to find the issuer certificate of this response
         trusted_responders.add_certificate(responder);
         test_arb_eq(result,
                     "the responder certificate is returned when it is trusted",
                     ocsp.find_signing_certificate(ca, &trusted_responders),
                     std::optional(responder));

         result.test_enum_eq("the responder's signature checks out",
                             ocsp.verify_signature(responder),
                             Botan::Certificate_Status_Code::OCSP_SIGNATURE_OK);

         return result;
      }

      static Test::Result test_forged_ocsp_signature_is_rejected() {
         Test::Result result("OCSP response with forged signature is rejected by path validation");

         auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");
         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/geotrust.pem");

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         const auto valid_time = Botan::calendar_point(2016, 11, 18, 12, 30, 0).to_std_timepoint();

         // Verify the unmodified response is accepted
         {
            auto ocsp = load_test_OCSP_resp("x509/ocsp/randombit_ocsp.der");
            const auto ocsp_status = Botan::PKIX::check_ocsp(
               cert_path, {ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());

            if(result.test_sz_eq("Legitimate: expected result count", ocsp_status.size(), 2) &&
               result.test_sz_eq("Legitimate: expected status count", ocsp_status[0].size(), 1)) {
               result.test_is_true("Legitimate response is accepted",
                                   ocsp_status[0].contains(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD));
            }
         }

         // Tamper with the signature and verify check_ocsp rejects it
         {
            auto ocsp_bytes = Test::read_binary_data_file("x509/ocsp/randombit_ocsp.der");
            ocsp_bytes.back() ^= 0x01;
            Botan::OCSP::Response forged_ocsp(ocsp_bytes.data(), ocsp_bytes.size());

            const auto ocsp_status = Botan::PKIX::check_ocsp(
               cert_path, {forged_ocsp}, {&certstore}, valid_time, Botan::Path_Validation_Restrictions());

            if(result.test_sz_eq("Forged: expected result count", ocsp_status.size(), 2) &&
               result.test_sz_eq("Forged: expected status count", ocsp_status[0].size(), 1)) {
               result.test_is_true("Forged signature is rejected",
                                   ocsp_status[0].contains(Botan::Certificate_Status_Code::OCSP_SIGNATURE_ERROR));
            }
         }

         return result;
      }

      static Test::Result test_partial_stapling_preserves_per_slot_gap() {
         Test::Result result("OCSP partial stapling preserves per-slot gap for online fallback");

         auto ee = load_test_X509_cert("x509/ocsp/mychain_ee.pem");
         auto ca = load_test_X509_cert("x509/ocsp/mychain_int.pem");
         auto trust_root = load_test_X509_cert("x509/ocsp/mychain_root.pem");

         auto ocsp_for_ee = load_test_OCSP_resp("x509/ocsp/mychain_ocsp_for_ee.der");
         auto ocsp_for_int = load_test_OCSP_resp("x509/ocsp/mychain_ocsp_for_int_self_signed.der");

         Botan::Certificate_Store_In_Memory certstore;
         certstore.add_certificate(trust_root);

         const std::vector<Botan::X509_Certificate> cert_path = {ee, ca, trust_root};
         const auto valid_time = Botan::calendar_point(2022, 9, 22, 22, 30, 0).to_std_timepoint();
         const auto restrictions = Botan::Path_Validation_Restrictions();

         // Here the intermediate has a stapled OCSP but the leaf does not
         {
            const std::vector<std::optional<Botan::OCSP::Response>> staples = {std::nullopt, ocsp_for_int};
            const auto ocsp_status =
               Botan::PKIX::check_ocsp(cert_path, staples, {&certstore}, valid_time, restrictions);

            result.test_sz_eq("missing-leaf: ocsp_status sized to non-root certs", ocsp_status.size(), 2);
            if(ocsp_status.size() == 2) {
               result.test_is_true("missing-leaf: leaf slot is empty", ocsp_status[0].empty());
               result.test_is_false("missing-leaf: intermediate slot is filled", ocsp_status[1].empty());
            }
         }

         // Here the leaf has a stapled OCSP but the intermediate does not
         {
            const std::vector<std::optional<Botan::OCSP::Response>> staples = {ocsp_for_ee, std::nullopt};
            const auto ocsp_status =
               Botan::PKIX::check_ocsp(cert_path, staples, {&certstore}, valid_time, restrictions);

            result.test_sz_eq("missing-intermediate: ocsp_status sized to non-root certs", ocsp_status.size(), 2);
            if(ocsp_status.size() == 2) {
               result.test_is_false("missing-intermediate: leaf slot is filled", ocsp_status[0].empty());
               result.test_is_true("missing-intermediate: intermediate slot is empty", ocsp_status[1].empty());
            }
         }

         return result;
      }

      static Test::Result test_responder_cert_with_nocheck_extension() {
         Test::Result result("BDr's OCSP response contains certificate featuring NoCheck extension");

         auto ocsp = load_test_OCSP_resp("x509/ocsp/bdr-ocsp-resp.der");
         const bool contains_cert_with_nocheck =
            std::find_if(ocsp.certificates().cbegin(), ocsp.certificates().cend(), [](const auto& cert) {
               return cert.v3_extensions().extension_set(Botan::OID::from_string("PKIX.OCSP.NoCheck"));
            }) != ocsp.certificates().end();

         result.test_is_true("Contains NoCheck extension", contains_cert_with_nocheck);

         return result;
      }

   public:
      std::vector<Test::Result> run() override {
         std::vector<Test::Result> results;

         results.push_back(test_request_encoding());
         results.push_back(test_response_parsing());
         results.push_back(test_response_with_bykey_responder_id());
         results.push_back(test_response_certificate_access());
         results.push_back(test_response_find_signing_certificate());
         results.push_back(test_response_verification_with_next_update_without_max_age());
         results.push_back(test_response_verification_with_next_update_with_max_age());
         results.push_back(test_response_verification_without_next_update_with_max_age());
         results.push_back(test_response_verification_without_next_update_without_max_age());
         results.push_back(test_response_verification_softfail());
         results.push_back(test_response_verification_with_additionally_trusted_responder());
         results.push_back(test_forged_ocsp_signature_is_rejected());
         results.push_back(test_partial_stapling_preserves_per_slot_gap());
         results.push_back(test_responder_cert_with_nocheck_extension());

   #if defined(BOTAN_HAS_ONLINE_REVOCATION_CHECKS)
         if(Test::options().run_online_tests()) {
            results.push_back(test_online_request());
         }
   #endif

         return results;
      }
};

BOTAN_REGISTER_TEST("x509", "ocsp", OCSP_Tests);

#endif

}  // namespace

}  // namespace Botan_Tests

randombit / botan / 25457312714

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous