// The CA that issued the OCSP responder cert is a sub-CA of the issuer of
// the certificate that the OCSP response is for. That sub-CA cert is included
// in the OCSP response before the OCSP responder cert.
TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
good_indirect_subca_1_first)
{
static const char* subCAName = "CN=good_indirect_subca_1_first sub-CA";
static const char* signerName = "CN=good_indirect_subca_1_first OCSP signer";
// sub-CA of root (root is the direct issuer of endEntity)
const SECItem* subCAExtensions[] = {
CreateEncodedBasicConstraints(arena.get(), true, 0,
ExtensionCriticality::NotCritical),
nullptr
};
ScopedSECKEYPrivateKey subCAPrivateKey;
SECItem* subCADER(CreateEncodedCertificate(arena.get(), ++rootIssuedCount,
rootName,
oneDayBeforeNow, oneDayAfterNow,
subCAName, subCAExtensions,
rootPrivateKey.get(),
subCAPrivateKey));
ASSERT_TRUE(subCADER);
// Delegated responder cert signed by that sub-CA
static const SECOidTag signerEKU = SEC_OID_OCSP_RESPONDER;
const SECItem* extensions[] = {
CreateEncodedEKUExtension(arena.get(), &signerEKU, 1,
ExtensionCriticality::NotCritical),
nullptr
};
ScopedSECKEYPrivateKey signerPrivateKey;
SECItem* signerDER(CreateEncodedCertificate(arena.get(), 1, subCAName,
oneDayBeforeNow, oneDayAfterNow,
signerName, extensions,
subCAPrivateKey.get(),
signerPrivateKey));
ASSERT_TRUE(signerDER);
// OCSP response signed by the delegated responder issued by the sub-CA
// that is trying to impersonate the root.
SECItem const* const certs[] = { subCADER, signerDER, nullptr };
SECItem* response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID, signerName,
signerPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
&oneDayAfterNow,
certs));
ASSERT_TRUE(response);
bool expired;
ASSERT_SECFailure(SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
END_ENTITY_MAX_LIFETIME_IN_DAYS,
*response, expired));
ASSERT_FALSE(expired);
}
// The result is owned by the arena
Input CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::CertStatus certStatus,
const CertID& certID,
/*optional*/ const char* signerName,
const ScopedSECKEYPrivateKey& signerPrivateKey,
PRTime producedAt, PRTime thisUpdate,
/*optional*/ const PRTime* nextUpdate,
/*optional*/ SECItem const* const* certs = nullptr)
{
OCSPResponseContext context(arena.get(), certID, producedAt);
if (signerName) {
context.signerNameDER = ASCIIToDERName(arena.get(), signerName);
EXPECT_TRUE(context.signerNameDER);
}
context.signerPrivateKey = SECKEY_CopyPrivateKey(signerPrivateKey.get());
EXPECT_TRUE(context.signerPrivateKey);
context.responseStatus = OCSPResponseContext::successful;
context.producedAt = producedAt;
context.certs = certs;
context.certIDHashAlg = SEC_OID_SHA1;
context.certStatus = certStatus;
context.thisUpdate = thisUpdate;
context.nextUpdate = nextUpdate ? *nextUpdate : 0;
context.includeNextUpdate = nextUpdate != nullptr;
SECItem* response = CreateEncodedOCSPResponse(context);
EXPECT_TRUE(response);
Input result;
EXPECT_EQ(Success, result.Init(response->data, response->len));
return result;
}
TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_unknown_issuer)
{
static const char* subCAName = "CN=good_indirect_unknown_issuer sub-CA";
static const char* signerName = "CN=good_indirect_unknown_issuer OCSP signer";
// unknown issuer
ScopedSECKEYPublicKey unknownPublicKey;
ScopedSECKEYPrivateKey unknownPrivateKey;
ASSERT_SECSuccess(GenerateKeyPair(unknownPublicKey, unknownPrivateKey));
// Delegated responder cert signed by unknown issuer
static const SECOidTag signerEKU = SEC_OID_OCSP_RESPONDER;
const SECItem* extensions[] = {
CreateEncodedEKUExtension(arena.get(), &signerEKU, 1,
ExtensionCriticality::NotCritical),
nullptr
};
ScopedSECKEYPrivateKey signerPrivateKey;
SECItem* signerDER(CreateEncodedCertificate(arena.get(), 1,
subCAName, oneDayBeforeNow, oneDayAfterNow,
signerName, extensions, unknownPrivateKey.get(),
signerPrivateKey));
ASSERT_TRUE(signerDER);
// OCSP response signed by that delegated responder
SECItem const* const certs[] = { signerDER, nullptr };
SECItem* response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID,
signerName, signerPrivateKey, oneDayBeforeNow,
oneDayBeforeNow, &oneDayAfterNow, certs));
ASSERT_TRUE(response);
bool expired;
ASSERT_SECFailure(SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
END_ENTITY_MAX_LIFETIME_IN_DAYS,
*response, expired));
ASSERT_FALSE(expired);
}