// The CA that issued the OCSP responder cert is a sub-CA of the issuer of // the certificate that the OCSP response is for. That sub-CA cert is included // in the OCSP response before the OCSP responder cert. TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_indirect_subca_1_first) { static const char* subCAName = "CN=good_indirect_subca_1_first sub-CA"; static const char* signerName = "CN=good_indirect_subca_1_first OCSP signer"; // sub-CA of root (root is the direct issuer of endEntity) const SECItem* subCAExtensions[] = { CreateEncodedBasicConstraints(arena.get(), true, 0, ExtensionCriticality::NotCritical), nullptr }; ScopedSECKEYPrivateKey subCAPrivateKey; SECItem* subCADER(CreateEncodedCertificate(arena.get(), ++rootIssuedCount, rootName, oneDayBeforeNow, oneDayAfterNow, subCAName, subCAExtensions, rootPrivateKey.get(), subCAPrivateKey)); ASSERT_TRUE(subCADER); // Delegated responder cert signed by that sub-CA static const SECOidTag signerEKU = SEC_OID_OCSP_RESPONDER; const SECItem* extensions[] = { CreateEncodedEKUExtension(arena.get(), &signerEKU, 1, ExtensionCriticality::NotCritical), nullptr }; ScopedSECKEYPrivateKey signerPrivateKey; SECItem* signerDER(CreateEncodedCertificate(arena.get(), 1, subCAName, oneDayBeforeNow, oneDayAfterNow, signerName, extensions, subCAPrivateKey.get(), signerPrivateKey)); ASSERT_TRUE(signerDER); // OCSP response signed by the delegated responder issued by the sub-CA // that is trying to impersonate the root. SECItem const* const certs[] = { subCADER, signerDER, nullptr }; SECItem* response(CreateEncodedOCSPSuccessfulResponse( OCSPResponseContext::good, *endEntityCertID, signerName, signerPrivateKey, oneDayBeforeNow, oneDayBeforeNow, &oneDayAfterNow, certs)); ASSERT_TRUE(response); bool expired; ASSERT_SECFailure(SEC_ERROR_OCSP_INVALID_SIGNING_CERT, VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now, END_ENTITY_MAX_LIFETIME_IN_DAYS, *response, expired)); ASSERT_FALSE(expired); }
// The result is owned by the arena Input CreateEncodedOCSPSuccessfulResponse( OCSPResponseContext::CertStatus certStatus, const CertID& certID, /*optional*/ const char* signerName, const ScopedSECKEYPrivateKey& signerPrivateKey, PRTime producedAt, PRTime thisUpdate, /*optional*/ const PRTime* nextUpdate, /*optional*/ SECItem const* const* certs = nullptr) { OCSPResponseContext context(arena.get(), certID, producedAt); if (signerName) { context.signerNameDER = ASCIIToDERName(arena.get(), signerName); EXPECT_TRUE(context.signerNameDER); } context.signerPrivateKey = SECKEY_CopyPrivateKey(signerPrivateKey.get()); EXPECT_TRUE(context.signerPrivateKey); context.responseStatus = OCSPResponseContext::successful; context.producedAt = producedAt; context.certs = certs; context.certIDHashAlg = SEC_OID_SHA1; context.certStatus = certStatus; context.thisUpdate = thisUpdate; context.nextUpdate = nextUpdate ? *nextUpdate : 0; context.includeNextUpdate = nextUpdate != nullptr; SECItem* response = CreateEncodedOCSPResponse(context); EXPECT_TRUE(response); Input result; EXPECT_EQ(Success, result.Init(response->data, response->len)); return result; }
TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_unknown_issuer) { static const char* subCAName = "CN=good_indirect_unknown_issuer sub-CA"; static const char* signerName = "CN=good_indirect_unknown_issuer OCSP signer"; // unknown issuer ScopedSECKEYPublicKey unknownPublicKey; ScopedSECKEYPrivateKey unknownPrivateKey; ASSERT_SECSuccess(GenerateKeyPair(unknownPublicKey, unknownPrivateKey)); // Delegated responder cert signed by unknown issuer static const SECOidTag signerEKU = SEC_OID_OCSP_RESPONDER; const SECItem* extensions[] = { CreateEncodedEKUExtension(arena.get(), &signerEKU, 1, ExtensionCriticality::NotCritical), nullptr }; ScopedSECKEYPrivateKey signerPrivateKey; SECItem* signerDER(CreateEncodedCertificate(arena.get(), 1, subCAName, oneDayBeforeNow, oneDayAfterNow, signerName, extensions, unknownPrivateKey.get(), signerPrivateKey)); ASSERT_TRUE(signerDER); // OCSP response signed by that delegated responder SECItem const* const certs[] = { signerDER, nullptr }; SECItem* response(CreateEncodedOCSPSuccessfulResponse( OCSPResponseContext::good, *endEntityCertID, signerName, signerPrivateKey, oneDayBeforeNow, oneDayBeforeNow, &oneDayAfterNow, certs)); ASSERT_TRUE(response); bool expired; ASSERT_SECFailure(SEC_ERROR_OCSP_INVALID_SIGNING_CERT, VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now, END_ENTITY_MAX_LIFETIME_IN_DAYS, *response, expired)); ASSERT_FALSE(expired); }