File 1501-public_key-OCSP-response-verification-code.patch of Package erlang
From 2b1a742c651b90f8a7a1fb2ddde73f29915ea376 Mon Sep 17 00:00:00 2001 From: Jakub Witczak <kuba@erlang.org> Date: Mon, 29 Jan 2024 11:11:53 +0100 Subject: [PATCH 1/2] public_key: OCSP response verification code --- lib/public_key/doc/src/public_key.xml | 25 ++ lib/public_key/src/pubkey_ocsp.erl | 207 ++++++---- lib/public_key/src/public_key.erl | 109 +++-- lib/public_key/test/Makefile | 3 +- lib/public_key/test/pubkey_ocsp_SUITE.erl | 463 +++++++--------------- lib/public_key/test/public_key_SUITE.erl | 101 ++++- 6 files changed, 457 insertions(+), 451 deletions(-) diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml index 3e02049bb2..35d0a6e66e 100644 --- a/lib/public_key/doc/src/public_key.xml +++ b/lib/public_key/doc/src/public_key.xml @@ -771,6 +771,31 @@ fun(#'DistributionPoint'{}, #'CertificateList'{}, </desc> </func> + <func> + <name name="pkix_ocsp_validate" arity="5" since="OTP 27.0"/> + <fsummary>Validate OCSP response.</fsummary> + <desc> + <p>Perform OCSP response validation according to RFC + 6960. Returns 'ok' when OCSP response is successfully + validated and {error, {bad_cert, Reason}} otherwise.</p> + + <p>Available options:</p> + <taglist> + <tag>{is_trusted_responder_fun, fun()}</tag> + <item> + <p>The fun has the following type specification:</p> + <code> fun(#cert{}) -> + boolean()</code> + <p>The fun returns the <c>true</c> if certificate in the + argument is trusted. If this fun is not specified, Public + Key uses the default implementation: + </p> + <code> fun(_) -> false end</code> + </item> + </taglist> + </desc> + </func> + <func> <name name="pkix_sign" arity="2" since="OTP R14B"/> <fsummary>Signs certificate.</fsummary> diff --git a/lib/public_key/src/pubkey_ocsp.erl b/lib/public_key/src/pubkey_ocsp.erl index 6bdb9a563f..fa4254fd8e 100644 --- a/lib/public_key/src/pubkey_ocsp.erl +++ b/lib/public_key/src/pubkey_ocsp.erl 
@@ -19,23 +19,18 @@ %% -module(pubkey_ocsp). +-feature(maybe_expr,enable). -include("public_key.hrl"). -export([find_single_response/3, get_acceptable_response_types_extn/0, get_nonce_extn/1, - get_ocsp_responder_id/1, - ocsp_status/1, - verify_ocsp_response/3, - decode_ocsp_response/1]). + status/1, + verify_response/5, + decode_response/1]). %% Tracing -export([handle_trace/3]). --spec get_ocsp_responder_id(#'Certificate'{}) -> binary(). -get_ocsp_responder_id(#'Certificate'{tbsCertificate = TbsCert}) -> - public_key:der_encode( - 'ResponderID', {byName, TbsCert#'TBSCertificate'.subject}). - -spec get_nonce_extn(undefined | binary()) -> undefined | #'Extension'{}. get_nonce_extn(undefined) -> undefined; @@ -45,10 +40,29 @@ get_nonce_extn(Nonce) when is_binary(Nonce) -> extnValue = Nonce }. --spec verify_ocsp_response(#'BasicOCSPResponse'{}, list(), undefined | binary()) -> +-spec verify_response(#'BasicOCSPResponse'{}, list(), undefined | binary(), + public_key:cert(), fun()) -> {ok, term()} | {error, term()}. -verify_ocsp_response(OCSPResponse, ResponderCerts, Nonce) -> - do_verify_ocsp_response(OCSPResponse, ResponderCerts, Nonce). +verify_response(#'BasicOCSPResponse'{ + tbsResponseData = ResponseData, + signatureAlgorithm = SignatureAlgo, + signature = Signature}, + ResponderCerts, Nonce, IssuerCert, + IsTrustedResponderFun) -> + #'ResponseData'{responderID = ResponderID, + producedAt = ProducedAt} = ResponseData, + maybe + ok ?= verify_past_timestamp(ProducedAt), + ok ?= verify_signature( + public_key:der_encode('ResponseData', ResponseData), + SignatureAlgo#'AlgorithmIdentifier'.algorithm, + Signature, ResponderCerts, + ResponderID, IssuerCert, IsTrustedResponderFun), + verify_nonce(ResponseData, Nonce) + else + {error, Reason} -> + {error, Reason} + end. -spec get_acceptable_response_types_extn() -> #'Extension'{}. get_acceptable_response_types_extn() -> 
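Review bot: The new `-spec verify_response/5` is looser than what the code behind it needs: `IssuerCert` is typed `public_key:cert()` and the callback is a bare `fun()`, while later in this patch the issuer is compared directly with the responder's decoded `#'OTPCertificate'{}` and the fun is applied to a `#cert{}`. A DER binary issuer would satisfy the spec and then never match the "CA signed the response itself" case. I would tighten the last two arguments to `#'OTPCertificate'{}, fun((#cert{}) -> boolean())` and add a short comment above the `maybe` stating the check order (producedAt, then signature with responder authorization, then nonce).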
@@ -67,15 +81,15 @@ find_single_response(Cert, IssuerCert, SingleResponseList) -> SerialNum = get_serial_num(Cert), match_single_response(IssuerName, IssuerKey, SerialNum, SingleResponseList). --spec ocsp_status({atom(), term()}) -> atom() | {atom(), {atom(), term()}}. -ocsp_status({good, _}) -> - valid; -ocsp_status({unknown, Reason}) -> - {bad_cert, {revocation_status_undetermined, Reason}}; -ocsp_status({revoked, Reason}) -> - {bad_cert, {revoked, Reason}}. +-spec status({atom(), term()}) -> ok | {error, {bad_cert, term()}}. +status({good, _}) -> + ok; +status({unknown, Reason}) -> + {error, {bad_cert, {revocation_status_undetermined, Reason}}}; +status({revoked, Reason}) -> + {error, {bad_cert, {revoked, Reason}}}. -decode_ocsp_response(ResponseDer) -> +decode_response(ResponseDer) -> Resp = public_key:der_decode('OCSPResponse', ResponseDer), case Resp#'OCSPResponse'.responseStatus of successful -> 
@@ -92,16 +106,23 @@ match_single_response(_IssuerName, _IssuerKey, _SerialNum, []) -> match_single_response(IssuerName, IssuerKey, SerialNum, [#'SingleResponse'{ certID = #'CertID'{hashAlgorithm = Algo} = CertID} = - Response | Responses]) -> + SingleResponse | Tail]) -> + #'SingleResponse'{thisUpdate = ThisUpdate, + nextUpdate = NextUpdate} = SingleResponse, HashType = public_key:pkix_hash_type(Algo#'AlgorithmIdentifier'.algorithm), case (SerialNum == CertID#'CertID'.serialNumber) andalso (crypto:hash(HashType, IssuerName) == CertID#'CertID'.issuerNameHash) andalso - (crypto:hash(HashType, IssuerKey) == CertID#'CertID'.issuerKeyHash) of + (crypto:hash(HashType, IssuerKey) == CertID#'CertID'.issuerKeyHash) andalso + verify_past_timestamp(ThisUpdate) == ok andalso + verify_next_update(NextUpdate) == ok of true -> - {ok, Response}; + {ok, SingleResponse}; false -> - match_single_response(IssuerName, IssuerKey, SerialNum, Responses) - end. + match_single_response(IssuerName, IssuerKey, SerialNum, Tail) + end; +match_single_response(IssuerName, IssuerKey, SerialNum, + [_BadSingleResponse | Tail]) -> + match_single_response(IssuerName, IssuerKey, SerialNum, Tail). get_serial_num(#'OTPCertificate'{tbsCertificate = TbsCert}) -> TbsCert#'OTPTBSCertificate'.serialNumber. 
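Review bot: In `match_single_response`, the freshness checks sit in the same `andalso` chain as the CertID comparison, so a SingleResponse that does identify the certificate but has a future `thisUpdate` or an expired `nextUpdate` is skipped exactly like a non-matching entry. The caller then presumably gets the no-match result instead of `ocsp_stale_response`, and a stale answer becomes indistinguishable from a missing one when triaging revocation failures. Consider matching on CertID first and returning the timestamp error for the matched entry. The added catch-all clause `[_BadSingleResponse | Tail]` also drops unexpected entries silently and deserves a comment saying that this is intentional. The first clause of the function lies outside the hunk.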
@@ -113,24 +134,7 @@ decode_response_bytes(#'ResponseBytes'{ decode_response_bytes(#'ResponseBytes'{responseType = RespType}) -> {error, {ocsp_response_type_not_supported, RespType}}. -do_verify_ocsp_response(#'BasicOCSPResponse'{ - tbsResponseData = ResponseData, - signatureAlgorithm = SignatureAlgo, - signature = Signature}, - ResponderCerts, Nonce) -> - #'ResponseData'{responderID = ResponderID} = ResponseData, - case verify_ocsp_signature( - public_key:der_encode('ResponseData', ResponseData), - SignatureAlgo#'AlgorithmIdentifier'.algorithm, - Signature, ResponderCerts, - ResponderID) of - ok -> - verify_ocsp_nonce(ResponseData, Nonce); - {error, Reason} -> - {error, Reason} - end. - -verify_ocsp_nonce(ResponseData, Nonce) -> +verify_nonce(ResponseData, Nonce) -> #'ResponseData'{responses = Responses, responseExtensions = ResponseExtns} = ResponseData, case get_nonce_value(ResponseExtns) of 
@@ -153,31 +157,91 @@ get_nonce_value([#'Extension'{ get_nonce_value([_Extn | Rest]) -> get_nonce_value(Rest). -verify_ocsp_signature(ResponseDataDer, SignatureAlgo, Signature, - Certs, ResponderID) -> - case find_responder_cert(ResponderID, Certs) of - {ok, Cert} -> - do_verify_ocsp_signature( - ResponseDataDer, Signature, SignatureAlgo, Cert); - {error, Reason} -> - {error, Reason} +verify_signature(_, _, _, [], _, _, _) -> + {error, ocsp_responder_cert_not_found}; +verify_signature(ResponseDataDer, SignatureAlgo, Signature, + [ResponderCert | RCs], ResponderID, IssuerCert, + IsTrustedResponderFun) -> + maybe + true ?= is_responder_cert(ResponderID, ResponderCert), + true ?= is_authorized_responder(ResponderCert, IssuerCert, + IsTrustedResponderFun), + ok ?= do_verify_signature(ResponseDataDer, Signature, SignatureAlgo, + ResponderCert) + else + _-> + verify_signature(ResponseDataDer, SignatureAlgo, Signature, + RCs, ResponderID, IssuerCert, + IsTrustedResponderFun) end. -find_responder_cert(_ResponderID, []) -> - {error, ocsp_responder_cert_not_found}; -find_responder_cert(ResponderID, [Cert | TCerts]) -> - case is_responder(ResponderID, Cert) of +verify_past_timestamp(Timestamp) -> + {Now, TimestampSec} = get_time_in_sec(Timestamp), + verify_timestamp(Now, TimestampSec, past_timestamp). + +verify_future_timestamp(Timestamp) -> + {Now, TimestampSec} = get_time_in_sec(Timestamp), + verify_timestamp(Now, TimestampSec, future_timestamp). + +verify_timestamp(Now, Timestamp, past_timestamp) when Timestamp =< Now -> + ok; +verify_timestamp(Now, Timestamp, future_timestamp) when Now =< Timestamp -> + ok; +verify_timestamp(_, _, _) -> + {error, ocsp_stale_response}. + +get_time_in_sec(Timestamp) -> + Now = calendar:datetime_to_gregorian_seconds(calendar:universal_time()), + TimestampSec = pubkey_cert:time_str_2_gregorian_sec( + {generalTime, Timestamp}), + {Now, TimestampSec}. 
+ +verify_next_update(asn1_NOVALUE) -> + ok; +verify_next_update(NextUpdate) -> + verify_future_timestamp(NextUpdate). + +is_responder_cert({byName, Name}, #cert{otp = Cert}) -> + public_key:der_encode('Name', Name) == get_subject_name(Cert); +is_responder_cert({byKey, Key}, #cert{otp = Cert}) -> + Key == crypto:hash(sha, get_public_key(Cert)). + +is_authorized_responder(CombinedResponderCert = #cert{otp = ResponderCert}, + IssuerCert, IsTrustedResponderFun) -> + Case1 = + %% the CA who issued the certificate in question signed the + %% response + fun() -> + ResponderCert == IssuerCert + end, + Case2 = + %% a CA Designated Responder (Authorized Responder, defined in + %% Section 4.2.2.2) who holds a specially marked certificate + %% issued directly by the CA, indicating that the responder may + %% issue OCSP responses for that CA (id-kp-OCSPSigning) + fun() -> + public_key:pkix_is_issuer(ResponderCert, IssuerCert) andalso + designated_for_ocsp_signing(ResponderCert) + end, + Case3 = + %% a Trusted Responder whose public key is trusted by the requestor + fun() -> + IsTrustedResponderFun(CombinedResponderCert) + end, + + case lists:any(fun(E) -> E() end, [Case1, Case2, Case3]) of true -> - {ok, Cert}; + true; false -> - find_responder_cert(ResponderID, TCerts) + not_authorized_responder end. -do_verify_ocsp_signature(ResponseDataDer, Signature, AlgorithmID, Cert) -> +do_verify_signature(ResponseDataDer, Signature, AlgorithmID, + #cert{otp = ResponderCert}) -> {DigestType, _SignatureType} = public_key:pkix_sign_types(AlgorithmID), case public_key:verify( ResponseDataDer, DigestType, Signature, - get_public_key_rec(Cert)) of + get_public_key_rec(ResponderCert)) of true -> ok; false -> 
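Review bot: In `is_authorized_responder`, Case2 accepts a delegated responder when `public_key:pkix_is_issuer(ResponderCert, IssuerCert)` holds and the certificate carries id-kp-OCSPSigning, but nothing in this hunk verifies the responder certificate's own signature with the issuer's key or checks its validity period. As far as I know `pkix_is_issuer/2` compares issuer and subject names and does not verify a signature (please confirm); the candidate certificates come from the `certs` field of the response under validation (see the public_key.erl part of this patch), so "issued directly by the CA" from RFC 6960 section 4.2.2.2 is not established before `do_verify_signature` relies on that certificate's key. I would add a signature check over the responder certificate's DER to Case2, for example `public_key:pkix_verify/2` with the issuer's public key, together with a validity-period check. Separately, the `else _ ->` in `verify_signature` reports both an unauthorized responder and a failed signature check as `ocsp_responder_cert_not_found`, which loses the reason a caller or log reader would want.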
@@ -188,11 +252,6 @@ get_public_key_rec(#'OTPCertificate'{tbsCertificate = TbsCert}) -> PKInfo = TbsCert#'OTPTBSCertificate'.subjectPublicKeyInfo, PKInfo#'OTPSubjectPublicKeyInfo'.subjectPublicKey. -is_responder({byName, Name}, Cert) -> - public_key:der_encode('Name', Name) == get_subject_name(Cert); -is_responder({byKey, Key}, Cert) -> - Key == crypto:hash(sha, get_public_key(Cert)). - get_subject_name(#'OTPCertificate'{tbsCertificate = TbsCert}) -> public_key:pkix_encode('Name', TbsCert#'OTPTBSCertificate'.subject, otp). @@ -207,22 +266,26 @@ enc_pub_key({DsaInt, #'Dss-Parms'{}}) when is_integer(DsaInt) -> enc_pub_key({#'ECPoint'{point = Key}, _ECParam}) -> Key. +designated_for_ocsp_signing(OtpCert) -> + TBSCert = OtpCert#'OTPCertificate'.tbsCertificate, + TBSExtensions = TBSCert#'OTPTBSCertificate'.extensions, + Extensions = pubkey_cert:extensions_list(TBSExtensions), + case pubkey_cert:select_extension(?'id-ce-extKeyUsage', Extensions) of + undefined -> + false; + #'Extension'{extnValue = KeyUses} -> + lists:member(?'id-kp-OCSPSigning', KeyUses) + end. + %%%################################################################ %%%# %%%# Tracing %%%# -handle_trace(csp, - {call, {?MODULE, do_verify_ocsp_response, [BasicOcspResponse | _]}}, Stack) -> - #'BasicOCSPResponse'{ - tbsResponseData = - #'ResponseData'{responderID = ResponderID, - producedAt = ProducedAt}} = BasicOcspResponse, - {io_lib:format("ResponderId = ~W producedAt = ~p", [ResponderID, 5, ProducedAt]), Stack}; handle_trace(csp, {call, {?MODULE, match_single_response, [_IssuerName, _IssuerKey, _SerialNum, [#'SingleResponse'{thisUpdate = ThisUpdate, - nextUpdate = NextUpdate}]]}}, Stack) -> + nextUpdate = NextUpdate} | _]]}}, Stack) -> {io_lib:format("ThisUpdate = ~p NextUpdate = ~p", [ThisUpdate, NextUpdate]), Stack}; handle_trace(csp, {call, {?MODULE, is_responder, [Id, Cert]}}, Stack) -> 
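Review bot: The trace clause kept as context at the end of the second hunk still matches `{call, {?MODULE, is_responder, [Id, Cert]}}`, but this patch removes `is_responder/2` in favour of `is_responder_cert/2`, so that clause can no longer fire. The clause for `do_verify_ocsp_response` is also deleted without a replacement for `verify_response`, so csp tracing no longer shows ResponderID and producedAt. I would change the pattern to `is_responder_cert` (its second argument is now a `#cert{}`) and add a `verify_response` clause if that output is still wanted. The body of the `is_responder` clause lies outside the hunk.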
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl index ee27a7b8a4..93d217cb98 100644 --- a/lib/public_key/src/public_key.erl +++ b/lib/public_key/src/public_key.erl @@ -21,7 +21,7 @@ %% -module(public_key). - +-feature(maybe_expr,enable). -include("public_key.hrl"). -export([pem_decode/1, pem_encode/1, @@ -62,7 +62,6 @@ pkix_test_data/1, pkix_test_root_cert/2, pkix_ocsp_validate/5, - ocsp_responder_id/1, ocsp_extensions/1, cacerts_get/0, cacerts_load/0, @@ -174,8 +173,11 @@ -type oid() :: tuple(). -type cert_id() :: {SerialNr::integer(), issuer_name()} . -type issuer_name() :: {rdnSequence,[[#'AttributeTypeAndValue'{}]]} . --type bad_cert_reason() :: cert_expired | invalid_issuer | invalid_signature | name_not_permitted | missing_basic_constraint | invalid_key_usage | duplicate_cert_in_path | - {'policy_requirement_not_met', term()} | {'invalid_policy_mapping', term()} | {revoked, crl_reason()} | invalid_validity_dates | atom(). +-type bad_cert_reason() :: cert_expired | invalid_issuer | invalid_signature | name_not_permitted | + missing_basic_constraint | invalid_key_usage | duplicate_cert_in_path | + {'policy_requirement_not_met', term()} | {'invalid_policy_mapping', term()} | + {revoked, crl_reason()} | invalid_validity_dates | + {revocation_status_undetermined, term()} | atom(). -type combined_cert() :: #cert{}. -type cert() :: der_cert() | otp_cert(). 
@@ -1387,52 +1389,47 @@ pkix_test_data(#{} = Chain) -> pkix_test_root_cert(Name, Opts) -> pubkey_cert:root_cert(Name, Opts). - + %%-------------------------------------------------------------------- --spec pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, - ResponderCerts, NonceExt) -> valid | {bad_cert, Reason} - when Cert:: cert(), - IssuerCert:: cert(), +-spec pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, NonceExt, Options) -> + ok | {error, {bad_cert, Reason}} + when Cert::cert(), + IssuerCert::cert(), OcspRespDer::der_encoded(), - ResponderCerts::[der_cert()], NonceExt::undefined | binary(), - Reason::term(). - -%% Description: Validate OCSP staple response + Options::[{is_trusted_responder_fun, + fun((combined_cert()) -> boolean)}], + Reason::bad_cert_reason(). +%% Description: Validate OCSP response %%-------------------------------------------------------------------- -pkix_ocsp_validate(DerCert, IssuerCert, OcspRespDer, ResponderCerts, NonceExt) +pkix_ocsp_validate(DerCert, IssuerCert, OcspRespDer, NonceExt, Options) when is_binary(DerCert) -> - pkix_ocsp_validate(pkix_decode_cert(DerCert, otp), IssuerCert, OcspRespDer, - ResponderCerts, NonceExt); -pkix_ocsp_validate(Cert, DerIssuerCert, OcspRespDer, ResponderCerts, NonceExt) + pkix_ocsp_validate( + pkix_decode_cert(DerCert, otp), IssuerCert, OcspRespDer, NonceExt, Options); +pkix_ocsp_validate(Cert, DerIssuerCert, OcspRespDer, NonceExt, Options) when is_binary(DerIssuerCert) -> - pkix_ocsp_validate(Cert, pkix_decode_cert(DerIssuerCert, otp), OcspRespDer, - ResponderCerts, NonceExt); -pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, ResponderCerts, NonceExt) -> - OcspResponse = pubkey_ocsp:decode_ocsp_response(OcspRespDer), - OcspCertResponses = - case OcspResponse of - {ok, BasicOcspResponse = #'BasicOCSPResponse'{certs = Certs}} -> - OcspResponseCerts = [otp_cert(C) || C <- Certs], - UserResponderCerts = - [otp_cert(pkix_decode_cert(C, plain)) || C <- ResponderCerts], - 
pubkey_ocsp:verify_ocsp_response( - BasicOcspResponse, OcspResponseCerts ++ UserResponderCerts, - NonceExt); - {error, _} = Error -> - Error - end, - case OcspCertResponses of - {ok, Responses} -> - case pubkey_ocsp:find_single_response( - otp_cert(Cert), otp_cert(IssuerCert), Responses) of - {ok, #'SingleResponse'{certStatus = CertStatus}} -> - pubkey_ocsp:ocsp_status(CertStatus); - {error, no_matched_response = Reason} -> - {bad_cert, {revocation_status_undetermined, Reason}} - end; + pkix_ocsp_validate( + Cert, pkix_decode_cert(DerIssuerCert, otp), OcspRespDer, NonceExt, Options); +pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, NonceExt, Options) + when is_record(Cert, 'OTPCertificate'), + is_record(IssuerCert, 'OTPCertificate') -> + IsTrustedResponderFun = + proplists:get_value(is_trusted_responder_fun, Options, + fun(_) -> false end), + maybe + {ok, BasicOcspResponse = #'BasicOCSPResponse'{certs = Certs}} ?= + pubkey_ocsp:decode_response(OcspRespDer), + OcspResponseCerts = [combined_cert(C) || C <- Certs], + {ok, Responses} ?= + pubkey_ocsp:verify_response( + BasicOcspResponse, OcspResponseCerts, NonceExt, IssuerCert, + IsTrustedResponderFun), + {ok, #'SingleResponse'{certStatus = CertStatus}} ?= + pubkey_ocsp:find_single_response(Cert, IssuerCert, Responses), + pubkey_ocsp:status(CertStatus) + else {error, Reason} -> - {bad_cert, {revocation_status_undetermined, Reason}} + {error, {bad_cert, {revocation_status_undetermined, Reason}}} end. %%-------------------------------------------------------------------- 
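Review bot: The option type in the new `-spec pkix_ocsp_validate/5` reads `fun((combined_cert()) -> boolean)`, and `boolean` without parentheses is the atom, not the type, so Dialyzer would expect the callback to return the atom `boolean`. It should be `fun((combined_cert()) -> boolean())`. A comment above the final clause would also help: every `{error, Reason}` from decoding, verification or lookup is reported as `{bad_cert, {revocation_status_undetermined, Reason}}`, and the value given for `is_trusted_responder_fun` is used without checking that it is an arity-1 fun.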
@@ -1444,14 +1441,6 @@ ocsp_extensions(Nonce) -> pubkey_ocsp:get_acceptable_response_types_extn()], erlang:is_record(Extn, 'Extension')]. -%%-------------------------------------------------------------------- --spec ocsp_responder_id(binary()) -> binary(). -%% -%% Description: Get the OCSP responder ID der -%%-------------------------------------------------------------------- -ocsp_responder_id(CertDer) -> - pubkey_ocsp:get_ocsp_responder_id(pkix_decode_cert(CertDer, plain)). - %%-------------------------------------------------------------------- -spec cacerts_get() -> [combined_cert()]. %% @@ -1700,9 +1689,12 @@ otp_cert(Der) when is_binary(Der) -> otp_cert(#'OTPCertificate'{} = Cert) -> Cert; otp_cert(#cert{otp = OtpCert}) -> - OtpCert; -otp_cert(#'Certificate'{} = Cert) -> - pkix_decode_cert(der_encode('Certificate', Cert), otp). + OtpCert. + +combined_cert(#'Certificate'{} = Cert) -> + Der = der_encode('Certificate', Cert), + Otp = pkix_decode_cert(Der, otp), + #cert{der = Der, otp = Otp}. der_cert(#'OTPCertificate'{} = Cert) -> pkix_encode('OTPCertificate', Cert, otp); @@ -2119,15 +2111,6 @@ subject_public_key_info(Alg, PubKey) -> %%%# %%%# Tracing %%%# -handle_trace(csp, - {call, {?MODULE, ocsp_responder_id, [Cert]}}, Stack) -> - {io_lib:format("pkix_decode_cert(Cert, plain) = ~W", [Cert, 5]), - %% {io_lib:format("pkix_decode_cert(Cert, plain) = ~s", [ssl_test_lib:format_cert(Cert)]), - Stack}; -handle_trace(csp, - {return_from, {?MODULE, ocsp_responder_id, 1}, Return}, - Stack) -> - {io_lib:format("OCSP Responder ID = ~P", [Return, 10]), Stack}; handle_trace(crt, {call, {?MODULE, pkix_decode_cert, [Cert, _Type]}}, Stack) -> {io_lib:format("Cert = ~W", [Cert, 5]), Stack}; diff --git a/lib/public_key/test/Makefile b/lib/public_key/test/Makefile index 79dcacb6ce..c0bbed3af7 100644 --- a/lib/public_key/test/Makefile +++ b/lib/public_key/test/Makefile 
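Review bot: In the second hunk, `combined_cert/1` fills `#cert.der` by re-encoding the already decoded `#'Certificate'{}`, so the field holds a fresh encoding and not necessarily the bytes the responder sent. If the decoder accepts any non-canonical encoding (I have not checked), a later signature check or a pinned-DER comparison inside an `is_trusted_responder_fun` would work on different bytes than were received. A one-line comment such as `%% der is a re-encoding of the decoded record, not the wire bytes` would make that explicit. The same hunk drops the `otp_cert(#'Certificate'{})` clause, so any caller outside the visible hunks that relied on it would now fail with function_clause.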
@@ -34,7 +34,8 @@ MODULES= \ pbe_SUITE \ pkits_SUITE \ pubkey_cert_SUITE \ - pubkey_policy_tree_SUITE + pubkey_policy_tree_SUITE \ + pubkey_ocsp_SUITE ERL_FILES= $(MODULES:%=%.erl) diff --git a/lib/public_key/test/pubkey_ocsp_SUITE.erl b/lib/public_key/test/pubkey_ocsp_SUITE.erl index 006741e81a..b2f42d7c09 100644 --- a/lib/public_key/test/pubkey_ocsp_SUITE.erl +++ b/lib/public_key/test/pubkey_ocsp_SUITE.erl 
@@ -22,17 +22,92 @@ -include_lib("common_test/include/ct.hrl"). -include_lib("public_key/include/public_key.hrl"). - %% Note: This directive should only be used in test suites. --compile(export_all). +-compile([export_all, nowarn_export_all]). + +-define(NONCE, + <<4,8,93,33,1,52,187,3,12,142>>). +-define(OCSP_RESPONSE_DER, + <<48,130,7,36,10,1,0,160,130,7,29,48,130,7,25,6,9,43,6,1,5,5,7,48,1,1,4,130,7,10,48,130,7,6,48,130,1,10,161,129,134,48,129,131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101, + 114,105,99,115,115,111,110,46,115,101,24,15,50,48,50,51,48,55,50,48,49,50,50,57,52,57,90,48,81,48,79,48,58,48,9,6,5,43,14,3,2,26,5,0,4,20,227,147,252,182,155,101,129,45,194,162,22,93,127,46,112,193,196,28,241,232,4,20,34,25,129,87,115,255,155,246,200,97,92,7,51,110,152,61,97,155,164,171,2,1,9,128,0,24,15,50,48,50,51,48,55,50,48,49,50,50,57,52,57,90,161,27,48,25,48,23,6,9,43,6,1,5,5,7,48,1,2,4,10,4,8,93,33,1,52,187,3,12,142,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3,130,1,1,0,182,228,165,33, + 173,232,46,125,152,237,37,120,186,223,188,231,181,61,72,89,210,75,38,182,146,218,223,53,38,104,100,89,19,79,48,159,109,70,25,34,143,253,199,92,162,248,245,240,61,82,39,44,243,148,109,21,112,74,206,246,5,146,12,175,235,170,225,206,115,148,109,1,216,194,98,149,105,106,232,83,95,229,196,237,246,6,177,167,177,52,242,63,56,93,74,92,28,246,138,137,99,28,239,68,130,184,182,140,50,206,10,166,243,118,11,153,79,178,220,166,161,45,83,90,58,152,78,229,27,54,147,125,106,199,192,182,242,242,98,69,94,148, + 
163,130,154,168,134,24,7,211,176,133,1,156,206,22,197,139,59,66,110,121,187,101,221,16,11,114,106,56,178,21,3,189,89,233,228,8,127,150,247,151,97,145,204,117,80,120,174,191,12,150,148,180,86,16,86,82,170,184,185,10,182,252,210,66,238,144,233,244,94,144,143,200,0,172,179,194,109,137,186,95,180,111,242,81,132,254,70,174,168,9,181,145,154,180,7,78,17,56,24,195,236,80,46,1,241,0,52,172,84,154,43,117,130,153,160,130,4,224,48,130,4,220,48,130,4,216,48,130,3,192,160,3,2,1,2,2,1,1,48,13,6,9,42,134, + 72,134,247,13,1,1,11,5,0,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,30,23,13,50,51,48,55,50,48,49,50,50,57, + 52,52,90,23,13,51,51,48,53,50,56,49,50,50,57,52,52,90,48,129,131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,130,1,34,48,13,6,9,42, + 134,72,134,247,13,1,1,1,5,0,3,130,1,15,0,48,130,1,10,2,130,1,1,0,224,126,14,188,23,118,17,120,117,2,151,131,96,96,81,128,52,8,219,111,48,52,116,100,176,30,58,84,47,206,254,180,60,112,107,216,0,213,16,164,57,110,181,88,62,78,208,125,127,255,36,56,29,37,165,108,64,115,95,46,212,88,172,92,20,177,247,84,13,124,142,41,248,131,77,91,114,228,157,125,20,155,64,70,60,206,180,54,12,80,153,230,208,10,189,163,140,22,146,156,99,21,213,182,98,144,208,94,71,69,249,100,109,104,226,169,55,210,194,244,111,92, + 
16,87,6,93,42,174,62,243,175,60,139,134,67,116,107,208,120,214,103,12,182,22,229,195,60,133,235,228,230,17,0,101,185,117,3,52,252,75,173,144,14,30,36,132,251,47,0,161,159,183,230,201,93,76,82,202,66,213,34,44,88,148,92,240,21,152,135,102,160,212,173,100,225,227,143,229,74,120,120,147,179,228,80,127,246,118,213,141,122,209,29,48,47,188,130,179,111,83,234,203,22,0,167,15,53,193,172,80,117,62,98,63,233,161,102,96,21,10,72,179,86,205,96,124,62,133,9,28,197,39,190,23,72,49,2,3,1,0,1,163,130,1,80, + 48,130,1,76,48,15,6,3,85,29,19,1,1,255,4,5,48,3,1,1,255,48,11,6,3,85,29,15,4,4,3,2,1,6,48,29,6,3,85,29,14,4,22,4,20,34,25,129,87,115,255,155,246,200,97,92,7,51,110,152,61,97,155,164,171,48,129,198,6,3,85,29,35,4,129,190,48,129,187,128,20,196,35,212,128,180,55,39,81,140,96,141,212,14,41,206,56,214,196,133,175,161,129,140,164,129,137,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11, + 69,114,105,99,115,115,111,110,32,65,66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,130,20,43,178,6,127,40,48,98,119,68,20,137,15,178,249,179,119,3,205,202,41,48,33,6,3,85,29,17,4,26,48,24,129,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,33,6,3,85,29,18,4,26,48,24,129, + 22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3,130,1,1,0,2,39,149,225,217,60,119,245,177,96,137,169,49,169,0,163,164,218,40,228,230,193,142,138,206,47,0,176,80,99,16,226,79,124,237,230,91,57,148,49,250,208,42,193,106,53,86,163,205,254,245,90,45,240,172,107,162,160,59,7,246,245,41,106,44,239,47,78,197,79,123,55,217,87,181,221,73,88,47,122,30,195,225,6,28,237,49,250,105,85,214,69,86,243,73,81,101,192,31,250,31, + 
55,111,63,11,1,147,63,144,241,132,32,161,92,168,152,19,29,233,88,234,4,134,144,26,70,162,219,31,125,205,202,94,45,111,3,17,66,62,208,17,188,179,94,222,238,248,79,102,80,138,217,80,233,100,152,240,11,81,36,130,175,152,182,221,2,26,24,33,180,242,63,33,223,18,131,11,52,51,1,193,24,222,91,47,100,131,173,32,69,159,13,94,246,193,182,127,242,164,131,112,92,179,65,79,235,174,161,194,201,255,119,2,251,215,203,135,16,154,55,69,82,33,69,60,223,118,35,56,22,228,106,80,57,180,62,124,121,244,121,197,123, + 242,190,55,26,32,214,176,53,28,117,171,162,76,160>>). +-define(ISSUER_CERT, + {'OTPCertificate',{'OTPTBSCertificate',v3,1, + {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'}, + {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}, + {'Validity',{utcTime,"230720122944Z"},{utcTime,"330528122944Z"}}, + {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"otpCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}, + {'OTPSubjectPublicKeyInfo',{'PublicKeyAlgorithm',{1,2,840,113549,1,1,1},'NULL'}, + 
{'RSAPublicKey',28339541610808720697355110173776661351591299627563886520724840524156173758352096851973677497931775737934761046080070714946146799362954032218057107079242015447767834113919294749723734648362271942219510034694564267611067362221363996274084106982740657802072527220370548608128815474010110407985824336936761317435951968068792959040741225688753787656107492053262271328711261658605960823613199135109317800726834363235926476527282638847781232871073244485999722937494811217769991698287040924806827188498324716317026838449695477777978536565396172198805249805405552866638039988130119465502001541293012996469049417900821835106353, + 65537}}, + asn1_NOVALUE,asn1_NOVALUE, + [{'Extension',{2,5,29,19},true,{'BasicConstraints',true,asn1_NOVALUE}}, + {'Extension',{2,5,29,15},false,[keyCertSign,cRLSign]}, + {'Extension',{2,5,29,14},false,<<34,25,129,87,115,255,155,246,200,97,92,7,51,110,152,61,97,155,164,171>>}, + {'Extension',{2,5,29,35}, + false, + {'AuthorityKeyIdentifier',<<196,35,212,128,180,55,39,81,140,96,141,212,14,41,206,56,214,196,133,175>>, + [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}], + [{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}], + [{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}], + [{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}], + [{'AttributeTypeAndValue',{2,5,4,6},"SE"}], + [{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}}], + 249456701733760087187851894331345805369320262185}}, + {'Extension',{2,5,29,17},false,[{rfc822Name,"peter@erix.ericsson.se"}]}, + {'Extension',{2,5,29,18},false,[{rfc822Name,"peter@erix.ericsson.se"}]}]}, + {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'}, + 
<<2,39,149,225,217,60,119,245,177,96,137,169,49,169,0,163,164,218,40,228,230,193,142,138,206,47,0,176,80,99,16,226,79,124,237,230,91,57,148,49,250,208,42,193,106,53,86,163,205,254,245,90,45,240,172,107,162,160,59,7,246,245,41,106,44,239,47,78,197,79,123,55,217,87,181,221,73,88,47,122,30,195,225,6,28,237,49,250,105,85,214,69,86,243,73,81,101,192,31,250,31,55,111,63,11,1,147,63,144,241,132,32,161,92,168,152,19,29,233,88,234,4,134,144,26,70,162,219,31,125,205,202,94,45,111,3,17, + 66,62,208,17,188,179,94,222,238,248,79,102,80,138,217,80,233,100,152,240,11,81,36,130,175,152,182,221,2,26,24,33,180,242,63,33,223,18,131,11,52,51,1,193,24,222,91,47,100,131,173,32,69,159,13,94,246,193,182,127,242,164,131,112,92,179,65,79,235,174,161,194,201,255,119,2,251,215,203,135,16,154,55,69,82,33,69,60,223,118,35,56,22,228,106,80,57,180,62,124,121,244,121,197,123,242,190,55,26,32,214,176,53,28,117,171,162,76,160>>} + ). +-define(RESPONDER_CERT, #cert{otp = ?ISSUER_CERT}). +-define(A_SERVER_CERT, + {'OTPCertificate',{'OTPTBSCertificate',v3,9, + {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'}, + {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"otpCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}, + {'Validity',{utcTime,"230720133137Z"},{utcTime,"330528133137Z"}}, + {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"a.server">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}, + 
{'OTPSubjectPublicKeyInfo',{'PublicKeyAlgorithm',{1,2,840,113549,1,1,1},'NULL'}, + {'RSAPublicKey',21289228001579879261333836287004823332222603265803194664536540127079242843046558012638236832904402369325784443025964406623777246658832921141960060475804229950419927075126320682148878633948860170628231809668072735203197673472127901696952853229103382707195692260834407944629128675563945194876045436588557031550105450845916227210816469918126215406473272174435113136059751668904728646605321836951857481644376964329827326510385947455341932553729402879301386590388317914766820519616318357183422565964994898098302388155119056040428369731559112404176013041801429296771966314089067058782535413289830323744573459011210321571511, + 65537}}, + asn1_NOVALUE,asn1_NOVALUE, + [{'Extension',{2,5,29,19},false,{'BasicConstraints',false,asn1_NOVALUE}}, + {'Extension',{2,5,29,15},false,[digitalSignature,nonRepudiation,keyEncipherment]}, + {'Extension',{2,5,29,14},false,<<135,115,253,182,154,247,175,77,237,3,215,88,195,15,182,214,248,144,201,202>>}, + {'Extension',{2,5,29,35}, + false, + {'AuthorityKeyIdentifier',<<63,22,3,246,66,83,233,142,103,82,105,230,175,132,130,192,87,79,122,232>>, + [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}], + [{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}], + [{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}], + [{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}], + [{'AttributeTypeAndValue',{2,5,4,6},"SE"}], + [{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}}], + 1}}, + {'Extension',{2,5,29,17},false,[{dNSName,"host.example.com"}]}, + {'Extension',{2,5,29,18},false,[{rfc822Name,"peter@erix.ericsson.se"}]}]}, + {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'}, + 
<<194,57,242,156,210,120,172,248,208,88,233,168,205,61,179,61,2,85,56,96,136,83,210,119,125,103,192,129,116,221,161,132,108,92,219,163,233,228,179,34,47,164,22,72,45,203,239,245,155,67,137,138,191,142,152,135,233,57,229,36,0,69,149,197,54,204,25,147,4,223,251,99,183,6,158,247,67,220,83,177,77,117,131,196,144,151,105,108,83,227,69,84,143,238,81,189,141,167,155,224,8,199,237,102,62,92,133,120,118,133,41,142,45,9,195,211,95,49,101,226,51,225,78,198,255,142,182,113,179,20,36,214, + 62,56,147,108,248,95,132,193,0,194,102,78,45,7,102,167,183,146,79,108,190,65,108,0,92,40,164,29,81,63,204,59,252,170,33,209,139,181,226,35,136,229,147,190,3,119,238,178,83,203,7,92,103,21,22,171,75,199,87,255,171,219,146,122,207,235,188,254,247,58,64,1,31,190,233,135,232,47,71,117,82,107,254,74,23,178,186,85,110,204,185,51,113,160,41,145,190,52,63,103,210,54,235,206,82,160,188,238,209,99,90,100,138,147,84,20,30,47,253,73,245,168,13,222>>} + ). %%-------------------------------------------------------------------- %% Common Test interface functions ----------------------------------- %%-------------------------------------------------------------------- -all() -> +all() -> [ocsp_test]. -groups() -> +groups() -> []. %%-------------------------------------------------------------------- 
@@ -63,314 +138,76 @@ end_per_testcase(_TestCase, _Config) -> ocsp_test() -> [{doc, "Test functions in pubkey_ocsp"}]. ocsp_test(Config) when is_list(Config) -> - %% Feeding data - SingleResponseGood = - [#'SingleResponse'{ - certID = {'CertID', - {'AlgorithmIdentifier',{1,3,14,3,2,26},<<5,0>>}, - <<227,147,252,182,155,101,129,45,194,162, - 22,93,127,46,112,193,196,28,241,232>>, - <<99,34,37,88,164,188,98,22,125,252,71,72, - 246,115,141,222,108,19,122,168>>,7}, - certStatus = {good,'NULL'}, - thisUpdate = "20200428083205Z", - nextUpdate = asn1_NOVALUE, - singleExtensions = asn1_NOVALUE}], - - Nonce = <<226,210,104,247,153,233,71,246>>, - - NonceExtension = - #'Extension'{ - extnID = ?'id-pkix-ocsp-nonce', - extnValue = Nonce - }, - - OCSPResponseDer = - <<48,130,7,6,10,1,0,160,130,6,255,48,130,6,251,6,9,43,6,1,5,5,7,48,1,1,4,130,6, - 236,48,130,6,232,48,130,1,11,161,129,137,48,129,134,49,17,48,15,6,3,85,4,3, - 12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69,114,108, - 97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115, - 111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12, - 9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9, - 1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111, - 110,46,115,101,24,15,50,48,50,48,48,52,50,56,48,56,51,50,48,53,90,48,81,48, - 79,48,58,48,9,6,5,43,14,3,2,26,5,0,4,20,227,147,252,182,155,101,129,45,194, - 162,22,93,127,46,112,193,196,28,241,232,4,20,99,34,37,88,164,188,98,22,125, - 252,71,72,246,115,141,222,108,19,122,168,2,1,7,128,0,24,15,50,48,50,48,48,52, - 50,56,48,56,51,50,48,53,90,161,25,48,23,48,21,6,9,43,6,1,5,5,7,48,1,2,4,8, - 226,210,104,247,153,233,71,246,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3, - 130,1,1,0,85,82,43,226,38,172,139,105,77,248,24,250,244,154,2,174,232,141,52, - 93,102,37,177,31,59,105,104,242,117,238,102,93,61,56,24,47,69,169,184,234, - 
109,204,5,64,109,101,23,197,234,6,250,223,95,175,131,138,227,66,123,199,182, - 57,102,47,221,72,112,208,1,4,128,209,235,108,64,209,31,128,37,130,176,132, - 203,119,24,188,187,254,8,167,54,80,28,208,26,118,236,149,184,182,25,236,252, - 158,253,167,143,114,14,184,198,144,51,195,44,16,38,255,112,124,81,201,255, - 132,143,98,119,135,23,232,10,184,54,150,227,131,212,81,101,158,152,82,252, - 156,28,30,163,203,145,11,179,105,230,187,132,119,186,189,67,198,165,48,106, - 114,75,151,128,108,28,44,121,195,162,222,25,45,99,46,84,116,125,51,72,191, - 250,186,71,78,21,222,219,232,143,233,226,56,163,23,51,170,69,152,223,0,63,8, - 236,219,175,18,165,88,166,125,71,31,53,40,12,133,64,250,30,190,113,10,187,38, - 171,17,210,170,126,198,232,195,224,228,1,246,75,140,139,121,229,17,153,115, - 199,68,227,171,176,163,117,171,160,130,4,193,48,130,4,189,48,130,4,185,48, - 130,3,161,160,3,2,1,2,2,1,9,48,13,6,9,42,134,72,134,247,13,1,1,5,5,0,48,129, - 131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12, - 10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114, - 105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16, - 6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72, - 134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105, - 99,115,115,111,110,46,115,101,48,30,23,13,50,48,48,52,50,56,48,56,51,50,48, - 53,90,23,13,51,48,48,51,48,55,48,56,51,50,48,53,90,48,129,134,49,17,48,15,6, - 3,85,4,3,12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69, - 114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99, - 115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85, - 4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247, - 13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115, - 115,111,110,46,115,101,48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,0, - 
3,130,1,15,0,48,130,1,10,2,130,1,1,0,188,248,42,161,172,252,200,52,180,217, - 145,59,193,72,33,176,213,106,37,81,119,251,205,254,70,196,171,127,79,157,147, - 235,14,61,25,162,207,134,25,239,35,62,57,10,214,115,231,71,203,226,198,73, - 223,222,199,165,82,67,33,78,176,116,241,192,97,169,143,164,219,152,40,115, - 229,242,128,97,98,183,217,199,35,127,146,94,20,115,0,250,200,39,9,255,230, - 216,80,140,6,133,251,39,96,240,176,184,34,1,134,247,126,237,255,130,170,98, - 242,140,104,105,95,48,75,115,135,229,89,191,180,179,123,198,232,228,220,249, - 113,86,186,212,176,194,66,14,164,236,219,138,254,80,57,118,232,163,192,94,78, - 224,100,124,206,199,81,105,54,222,26,245,170,147,184,192,237,77,143,154,180, - 79,42,107,75,77,81,215,19,75,8,160,106,199,196,66,53,16,233,184,175,85,167, - 148,12,232,248,113,61,89,14,156,199,128,83,40,214,228,83,9,36,72,188,25,29, - 47,172,78,114,191,120,240,227,234,255,194,61,132,57,1,141,131,227,64,152,209, - 205,63,24,172,223,194,254,97,133,255,192,133,148,237,178,115,2,3,1,0,1,163, - 130,1,49,48,130,1,45,48,9,6,3,85,29,19,4,2,48,0,48,11,6,3,85,29,15,4,4,3,2,5, - 224,48,29,6,3,85,29,14,4,22,4,20,63,72,140,0,84,13,114,48,50,31,9,241,231, - 177,20,184,8,114,244,29,48,129,179,6,3,85,29,35,4,129,171,48,129,168,128,20, - 99,34,37,88,164,188,98,22,125,252,71,72,246,115,141,222,108,19,122,168,161, - 129,140,164,129,137,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97, - 110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84, - 80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49, - 18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85, - 4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116, - 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,130, - 1,1,48,27,6,3,85,29,17,4,20,48,18,130,16,104,111,115,116,46,101,120,97,109, - 112,108,101,46,99,111,109,48,33,6,3,85,29,18,4,26,48,24,129,22,112,101,116, - 
101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48, - 13,6,9,42,134,72,134,247,13,1,1,5,5,0,3,130,1,1,0,86,112,29,225,102,143,193, - 55,126,115,187,208,118,153,111,177,160,121,55,33,184,60,27,111,40,7,93,241,9, - 226,40,125,181,36,173,116,190,43,187,52,254,50,229,222,56,215,132,67,217,174, - 121,24,94,240,163,56,12,36,212,2,40,94,102,126,206,52,40,32,218,59,86,166, - 238,137,144,90,57,211,141,81,32,102,215,180,59,133,125,208,199,166,81,35,49, - 24,88,100,127,90,145,237,150,249,227,123,120,98,230,12,106,72,201,127,54,94, - 164,204,23,158,3,230,232,181,95,251,98,6,28,115,46,153,241,233,254,152,176, - 114,12,148,24,234,185,204,177,189,70,14,73,181,232,245,63,226,14,138,249,101, - 56,222,188,78,127,191,174,232,182,207,67,162,111,248,192,202,65,96,237,206, - 52,220,63,50,108,82,185,169,29,148,30,75,74,16,156,229,166,96,102,214,145,77, - 225,218,180,54,109,61,62,119,144,231,72,105,61,201,245,219,192,63,160,242, - 247,112,64,199,65,248,252,59,145,150,212,151,166,223,237,121,135,13,122,111, - 22,117,115,166,64,143,10,40,13,5,240,22,38,235,32,107,194,41>>, - - MalOCSPResponseDer = - <<48,130,7,6,10,1,0,160,130,6,255,48,130,6,251,6,9,43,6,1,5,5,7,48,1,1,4,130,6, - 236,48,130,6,232,48,130,1,11,161,129,137,48,129,134,49,17,48,15,6,3,85,4,3, - 12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69,114,108, - 97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115, - 111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12, - 9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9, - 1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111, - 110,46,115,101,24,15,50,48,50,48,48,52,50,56,48,56,51,50,48,53,90,48,81,48, - 79,48,58,48,9,6,5,43,14,3,2,26,5,0,4,20,227,147,252,182,155,101,129,45,194, - 162,22,93,127,46,112,193,196,28,241,232,4,20,99,34,37,88,164,188,98,22,125, - 252,71,72,246,115,141,222,108,19,122,168,2,1,7,128,0,24,15,50,48,50,48,48,52, - 
50,56,48,56,51,50,48,53,90,161,25,48,23,48,21,6,9,43,6,1,5,5,7,48,1,2,4,8, - 226,210,104,247,153,233,71,246,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3, - 130,1,1,0,85,82,43,226,38,172,139,105,77,248,24,250,244,154,2,174,232,141,52, - 93,102,37,177,31,59,105,104,242,117,238,102,93,61,56,24,47,69,169,184,234, - 109,204,5,64,109,101,23,197,234,6,250,223,95,175,131,138,227,66,123,199,182, - 57,102,47,221,72,112,208,1,4,128,209,235,108,64,209,31,128,37,130,176,132, - 203,119,24,188,187,254,8,167,54,80,28,208,26,118,236,149,184,182,25,236,252, - 158,253,167,143,114,14,184,198,168,56,195,44,16,38,255,112,124,81,201,255, - 132,143,98,119,135,23,232,10,184,54,150,227,131,212,81,101,158,152,82,252, - 156,28,30,163,203,145,11,179,105,230,187,132,119,186,189,67,198,165,48,106, - 114,75,151,128,108,28,44,121,195,162,222,25,45,99,46,84,116,125,51,72,191, - 250,186,71,78,21,222,219,232,143,233,226,56,163,23,51,170,69,152,223,0,63,8, - 236,219,175,18,165,88,166,125,71,31,53,40,12,133,64,250,30,190,113,10,187,38, - 171,17,210,170,126,198,232,195,224,228,1,246,75,140,139,121,229,17,153,115, - 199,68,227,171,176,163,117,171,160,130,4,193,48,130,4,189,48,130,4,185,48, - 130,3,161,160,3,2,1,2,2,1,9,48,13,6,9,42,134,72,134,247,13,1,1,5,5,0,48,129, - 131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12, - 10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114, - 105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16, - 6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72, - 134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105, - 99,115,115,111,110,46,115,101,48,30,23,13,50,48,48,52,50,56,48,56,51,50,48, - 53,90,23,13,51,48,48,51,48,55,48,56,51,50,48,53,90,48,129,134,49,17,48,15,6, - 3,85,4,3,12,8,98,46,115,101,114,118,101,114,49,19,48,17,6,3,85,4,11,12,10,69, - 114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99, - 
115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85, - 4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247, - 13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115, - 115,111,110,46,115,101,48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,0, - 3,130,1,15,0,48,130,1,10,2,130,1,1,0,188,248,42,161,172,252,200,52,180,217, - 145,59,193,72,33,176,213,106,37,81,119,251,205,254,70,196,171,127,79,157,147, - 235,14,61,25,162,207,134,25,239,35,62,57,10,214,115,231,71,203,226,198,73, - 223,222,199,165,82,67,33,78,176,116,241,192,97,169,143,164,219,152,40,115, - 229,242,128,97,98,183,217,199,35,127,146,94,20,115,0,250,200,39,9,255,230, - 216,80,140,6,133,251,39,96,240,176,184,34,1,134,247,126,237,255,130,170,98, - 242,140,104,105,95,48,75,115,135,229,89,191,180,179,123,198,232,228,220,249, - 113,86,186,212,176,194,66,14,164,236,219,138,254,80,57,118,232,163,192,94,78, - 224,100,124,206,199,81,105,54,222,26,245,170,147,184,192,237,77,143,154,180, - 79,42,107,75,77,81,215,19,75,8,160,106,199,196,66,53,16,233,184,175,85,167, - 148,12,232,248,113,61,89,14,156,199,128,83,40,214,228,83,9,36,72,188,25,29, - 47,172,78,114,191,120,240,227,234,255,194,61,132,57,1,141,131,227,64,152,209, - 205,63,24,172,223,194,254,97,133,255,192,133,148,237,178,115,2,3,1,0,1,163, - 130,1,49,48,130,1,45,48,9,6,3,85,29,19,4,2,48,0,48,11,6,3,85,29,15,4,4,3,2,5, - 224,48,29,6,3,85,29,14,4,22,4,20,63,72,140,0,84,13,114,48,50,31,9,241,231, - 177,20,184,8,114,244,29,48,129,179,6,3,85,29,35,4,129,171,48,129,168,128,20, - 99,34,37,88,164,188,98,22,125,252,71,72,246,115,141,222,108,19,122,168,161, - 129,140,164,129,137,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97, - 110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84, - 80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49, - 18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85, - 
4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116, - 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,130, - 1,1,48,27,6,3,85,29,17,4,20,48,18,130,16,104,111,115,116,46,101,120,97,109, - 112,108,101,46,99,111,109,48,33,6,3,85,29,18,4,26,48,24,129,22,112,101,116, - 101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48, - 13,6,9,42,134,72,134,247,13,1,1,5,5,0,3,130,1,1,0,86,112,29,225,102,143,193, - 55,126,115,187,208,118,153,111,177,160,121,55,33,184,60,27,111,40,7,93,241,9, - 226,40,125,181,36,173,116,190,43,187,52,254,50,229,222,56,215,132,67,217,174, - 121,24,94,240,163,56,12,36,212,2,40,94,102,126,206,52,40,32,218,59,86,166, - 238,137,144,90,57,211,141,81,32,102,215,180,59,133,125,208,199,166,81,35,49, - 24,88,100,127,90,145,237,150,249,227,123,120,98,230,12,106,72,201,127,54,94, - 164,204,23,158,3,230,232,181,95,251,98,6,28,115,46,153,241,233,254,152,176, - 114,12,148,24,234,185,204,177,189,70,14,73,181,232,245,63,226,14,138,249,101, - 56,222,188,78,127,191,174,232,182,207,67,162,111,248,192,202,65,96,237,206, - 52,220,63,50,108,82,185,169,29,148,30,75,74,16,156,229,166,96,102,214,145,77, - 225,218,180,54,109,61,62,119,144,231,72,105,61,201,245,219,192,63,160,242, - 247,112,64,199,65,248,252,59,145,150,212,151,166,223,237,121,135,13,122,111, - 22,117,115,166,64,143,10,40,13,5,240,22,38,235,32,107,194,41>>, - - ResponderIDer = - <<161,129,135,48,129,132,49,17,48,15,6,3,85,4,3,12,8,98,46, - 115,101,114,118,101,114,49,18,48,16,6,3,85,4,11,12,10,69, - 114,108,97,110,103,79,84,80,49,19,48,17,6,3,85,4,10,12,11, - 69,114,105,99,115,115,111,110,65,66,49,11,48,9,6,3,85,4,6, - 19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107, - 104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1, - 22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105, - 99,115,115,111,110,46,115,101>>, + undefined = pubkey_ocsp:get_nonce_extn(undefined), + #'Extension'{extnID = ?'id-pkix-ocsp-nonce', + extnValue = 
?NONCE} = pubkey_ocsp:get_nonce_extn(?NONCE), + + {ok, OcspResponse = #'BasicOCSPResponse'{}} = + pubkey_ocsp:decode_response(?OCSP_RESPONSE_DER), + + IsTrustedReponderFun = fun(_) -> true end, + {ok, [SingleResponse]} = + pubkey_ocsp:verify_response(OcspResponse, + [?RESPONDER_CERT], + ?NONCE, + ?ISSUER_CERT, + IsTrustedReponderFun), + {'SingleResponse', + {'CertID', + {'AlgorithmIdentifier', + {1,3,14,3,2,26},<<5,0>>}, + <<227,147,252,182,155,101,129,45,194,162,22,93,127,46,112,193,196,28,241,232>>, + <<34,25,129,87,115,255,155,246,200,97,92,7,51,110,152,61,97,155,164,171>>,9}, + {good,'NULL'},"20230720122949Z",asn1_NOVALUE,asn1_NOVALUE} = + SingleResponse, + + CertId = SingleResponse#'SingleResponse'.certID, + WrongNameHashSingleResponse = + SingleResponse#'SingleResponse'{ + certID = CertId#'CertID'{issuerNameHash = <<"rubbish_hash">>}}, + NextUpdateFromPast = SingleResponse#'SingleResponse'{nextUpdate = "19820720122949Z"}, + ThisUpdateFromFuture = SingleResponse#'SingleResponse'{thisUpdate = "21230720122949Z"}, + {ok, SingleResponse} = + pubkey_ocsp:find_single_response( + ?A_SERVER_CERT, ?ISSUER_CERT, + [rubbish_single_response, + WrongNameHashSingleResponse, + NextUpdateFromPast, + ThisUpdateFromFuture, + SingleResponse, rubbish_single_response]), + + %% invalid responses + IsNotTrustedReponderFun = fun(_) -> false end, + %% passing A_SERVER_CERT to get into Case3 in pubkey_oscp:is_authorized_responder + {error,ocsp_responder_cert_not_found} = + pubkey_ocsp:verify_response(OcspResponse, + [#cert{otp = ?A_SERVER_CERT}], + ?NONCE, + ?ISSUER_CERT, + IsNotTrustedReponderFun), + OcspResponseWrongSignature = + OcspResponse#'BasicOCSPResponse'{signature = <<"rubbish_signature">>}, + {error, ocsp_responder_cert_not_found} = + pubkey_ocsp:verify_response(OcspResponseWrongSignature, + [?RESPONDER_CERT], + ?NONCE, + ?ISSUER_CERT, + IsTrustedReponderFun), - Cert = - #'Certificate'{ - tbsCertificate = #'TBSCertificate'{ - version = v3, - serialNumber = 9, - signature = 
{'AlgorithmIdentifier',{1,2,840,113549,1,1,5},<<5,0>>}, - issuer = {rdnSequence, - [[{'AttributeTypeAndValue',{2,5,4,3},<<12,5,111,116,112,67,65>>}], - [{'AttributeTypeAndValue',{2,5,4,11},<<"\f\nErlangOTP">>}], - [{'AttributeTypeAndValue',{2,5,4,10},<<"\f\vEricssonAB">>}], - [{'AttributeTypeAndValue',{2,5,4,6},<<19,2,83,69>>}], - [{'AttributeTypeAndValue',{2,5,4,7},<<"\f\tStockholm">>}], - [{'AttributeTypeAndValue', - {1,2,840,113549,1,9,1}, - <<22,22,112,101,116,101,114,64,101,114,105,120,46,101, - 114,105,99,115,115,111,110,46,115,101>>}]]}, - validity = {'Validity',{utcTime,"200428083205Z"},{utcTime,"300307083205Z"}}, - subject = {rdnSequence, - [[{'AttributeTypeAndValue',{2,5,4,3},<<"\f\bb.server">>}], - [{'AttributeTypeAndValue',{2,5,4,11},<<"\f\nErlangOTP">>}], - [{'AttributeTypeAndValue',{2,5,4,10},<<"\f\vEricssonAB">>}], - [{'AttributeTypeAndValue',{2,5,4,6},<<19,2,83,69>>}], - [{'AttributeTypeAndValue',{2,5,4,7},<<"\f\tStockholm">>}], - [{'AttributeTypeAndValue', - {1,2,840,113549,1,9,1}, - <<22,22,112,101,116,101,114,64,101,114,105,120,46,101, - 114,105,99,115,115,111,110,46,115,101>>}]]}, - subjectPublicKeyInfo = {'SubjectPublicKeyInfo', - {'AlgorithmIdentifier',{1,2,840,113549,1,1,1},<<5,0>>}, - <<48,130,1,10,2,130,1,1,0,188,248,42,161,172,252,200,52,180,217, - 145,59,193,72,33,176,213,106,37,81,119,251,205,254,70,196,171, - 127,79,157,147,235,14,61,25,162,207,134,25,239,35,62,57,10,214, - 115,231,71,203,226,198,73,223,222,199,165,82,67,33,78,176,116, - 241,192,97,169,143,164,219,152,40,115,229,242,128,97,98,183,217, - 199,35,127,146,94,20,115,0,250,200,39,9,255,230,216,80,140,6, - 133,251,39,96,240,176,184,34,1,134,247,126,237,255,130,170,98, - 242,140,104,105,95,48,75,115,135,229,89,191,180,179,123,198,232, - 228,220,249,113,86,186,212,176,194,66,14,164,236,219,138,254,80, - 57,118,232,163,192,94,78,224,100,124,206,199,81,105,54,222,26, - 245,170,147,184,192,237,77,143,154,180,79,42,107,75,77,81,215, - 
19,75,8,160,106,199,196,66,53,16,233,184,175,85,167,148,12,232, - 248,113,61,89,14,156,199,128,83,40,214,228,83,9,36,72,188,25,29, - 47,172,78,114,191,120,240,227,234,255,194,61,132,57,1,141,131, - 227,64,152,209,205,63,24,172,223,194,254,97,133,255,192,133,148, - 237,178,115,2,3,1,0,1>>}, - issuerUniqueID = asn1_NOVALUE, - subjectUniqueID = asn1_NOVALUE, - extensions = [{'Extension',{2,5,29,19},false,<<48,0>>}, - {'Extension',{2,5,29,15},false,<<3,2,5,224>>}, - {'Extension', - {2,5,29,14}, - false, - <<4,20,63,72,140,0,84,13,114,48,50,31,9,241,231,177,20,184,8,114, - 244,29>>}, - {'Extension', - {2,5,29,35}, - false, - <<48,129,168,128,20,99,34,37,88,164,188,98,22,125,252,71,72,246, - 115,141,222,108,19,122,168,161,129,140,164,129,137,48,129,134, - 49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19, - 48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49, - 20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65, - 66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108, - 109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72, - 134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120, - 46,101,114,105,99,115,115,111,110,46,115,101,130,1,1>>}, - {'Extension', - {2,5,29,17}, - false, - <<48,18,130,16,104,111,115,116,46,101,120,97,109,112,108,101,46, - 99,111,109>>}, - {'Extension', - {2,5,29,18}, - false, - <<48,24,129,22,112,101,116,101,114,64,101,114,105,120,46,101, - 114,105,99,115,115,111,110,46,115,101>>}]}, - signatureAlgorithm = {'AlgorithmIdentifier',{1,2,840,113549,1,1,5},<<5,0>>}, - signature = <<86,112,29,225,102,143,193,55,126,115,187,208,118,153,111,177,160,121,55, - 33,184,60,27,111,40,7,93,241,9,226,40,125,181,36,173,116,190,43,187,52, - 254,50,229,222,56,215,132,67,217,174,121,24,94,240,163,56,12,36,212,2, - 40,94,102,126,206,52,40,32,218,59,86,166,238,137,144,90,57,211,141,81, - 32,102,215,180,59,133,125,208,199,166,81,35,49,24,88,100,127,90,145,237, - 
150,249,227,123,120,98,230,12,106,72,201,127,54,94,164,204,23,158,3,230, - 232,181,95,251,98,6,28,115,46,153,241,233,254,152,176,114,12,148,24,234, - 185,204,177,189,70,14,73,181,232,245,63,226,14,138,249,101,56,222,188, - 78,127,191,174,232,182,207,67,162,111,248,192,202,65,96,237,206,52,220, - 63,50,108,82,185,169,29,148,30,75,74,16,156,229,166,96,102,214,145,77, - 225,218,180,54,109,61,62,119,144,231,72,105,61,201,245,219,192,63,160, - 242,247,112,64,199,65,248,252,59,145,150,212,151,166,223,237,121,135,13, - 122,111,22,117,115,166,64,143,10,40,13,5,240,22,38,235,32,107,194,41>>}, - - %% test of the exported functions - ct:pal("Check pubkey_ocsp:verify_ocsp_response/3~n"), - {ok, SingleResponseGood} = - pubkey_ocsp:verify_ocsp_response(OCSPResponseDer, [Cert], Nonce), - {error, ocsp_response_bad_signature} = - pubkey_ocsp:verify_ocsp_response(MalOCSPResponseDer, [Cert], Nonce), {error, nonce_mismatch} = - pubkey_ocsp:verify_ocsp_response(OCSPResponseDer, [Cert], <<1,2,3>>), - ct:pal("pubkey_ocsp:verify_ocsp_response/3...ok~n"), - - ct:pal("Check pubkey_ocsp:decode_ocsp_response/1~n"), - {ok, #'BasicOCSPResponse'{}} = - pubkey_ocsp:decode_ocsp_response(OCSPResponseDer), - ct:pal("pubkey_ocsp:decode_ocsp_response/1...ok~n"), - - ct:pal("Check pubkey_ocsp:get_ocsp_responder_id/1~n"), - ResponderIDer = - pubkey_ocsp:get_ocsp_responder_id(Cert), - ct:pal("pubkey_ocsp:get_ocsp_responder_id/1...ok~n"), - - ct:pal("Check pubkey_ocsp:get_nonce_extn/1~n"), - undefined = - pubkey_ocsp:get_nonce_extn(undefined), - NonceExtension = - pubkey_ocsp:get_nonce_extn(Nonce), - ct:pal("pubkey_ocsp:get_nonce_extn/1...ok~n"). 
\ No newline at end of file + pubkey_ocsp:verify_response(OcspResponse, + [?RESPONDER_CERT], + <<"rubbish_nonce">>, + ?ISSUER_CERT, + IsTrustedReponderFun), + + OcspResponseProducedAt22ndCentury = % Year AD 2123 + OcspResponse#'BasicOCSPResponse'{ + tbsResponseData = #'ResponseData'{producedAt = "21230720122949Z"}}, + {error,ocsp_stale_response} = + pubkey_ocsp:verify_response(OcspResponseProducedAt22ndCentury, + [?RESPONDER_CERT], + ?NONCE, + ?ISSUER_CERT, + IsTrustedReponderFun), + ok. diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl index ec14647c2f..f2c2fd557a 100644 --- a/lib/public_key/test/public_key_SUITE.erl +++ b/lib/public_key/test/public_key_SUITE.erl @@ -127,6 +127,7 @@ pkix_test_data/1, pkix_is_issuer/0, pkix_is_issuer/1, + pkix_ocsp_validate/0, pkix_ocsp_validate/1, short_cert_issuer_hash/0, short_cert_issuer_hash/1, short_crl_issuer_hash/0, @@ -135,7 +136,8 @@ gen_ec_param_prime_field/1, gen_ec_param_char_2_field/0, gen_ec_param_char_2_field/1, - cacerts_load/0, cacerts_load/1 + cacerts_load/0, cacerts_load/1, + ocsp_extensions/0, ocsp_extensions/1 ]). -export([list_cacerts/0]). % debug exports @@ -183,7 +185,9 @@ all() -> pkix_is_issuer, short_cert_issuer_hash, short_crl_issuer_hash, - cacerts_load + cacerts_load, + ocsp_extensions, + pkix_ocsp_validate ]. groups() -> 
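Review bot: The `ocsp_stale_response` case near the end of `ocsp_test/1` replaces `tbsResponseData` with a freshly built `#'ResponseData'{producedAt = "21230720122949Z"}`, so every other field of the signed data falls back to its record default and the case no longer exercises a response that differs from the valid one only in its timestamp. Updating the decoded record keeps the responder ID and the responses intact: `Tbs = OcspResponse#'BasicOCSPResponse'.tbsResponseData,` followed by `tbsResponseData = Tbs#'ResponseData'{producedAt = "21230720122949Z"}`. Either way the expected reason appears to hold only if `verify_response/5` checks `producedAt` before the signature, which is outside this hunk, so a comment stating that ordering assumption would help the next reader. The `find_single_response/3` assertion likewise only shows that the expired and not-yet-valid entries are skipped when a good one is present; a second call with just `[NextUpdateFromPast, ThisUpdateFromFuture]` that asserts the error return would pin the freshness rejection itself.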
@@ -1477,6 +1481,99 @@ gen_ec_param_char_2_field(Config) when is_list(Config) -> Datadir = proplists:get_value(data_dir, Config), do_gen_ec_param(filename:join(Datadir, "ec_key_param1.pem")). +%%-------------------------------------------------------------------- +ocsp_extensions() -> + [{doc, "Check OCSP extensions"}]. +ocsp_extensions(_Config) -> + Nonce = <<4,8,66,243,220,236,16,118,51,215>>, + ExpectedExtentions = + [{'Extension', + ?'id-pkix-ocsp-nonce', + asn1_DEFAULT, + <<4,8,66,243,220,236,16,118,51,215>>}, + {'Extension', + ?'id-pkix-ocsp-response', + asn1_DEFAULT, + <<48,11,6,9,43,6,1,5,5,7,48,1,1>>}], + ExpectedExtentions = public_key:ocsp_extensions(Nonce). + +pkix_ocsp_validate() -> + [{doc, "Check OCSP extensions"}]. +pkix_ocsp_validate(_Config) -> + Cert = + {'OTPCertificate',{'OTPTBSCertificate',v3,9, + {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'}, + {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"otpCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}, + {'Validity',{utcTime,"230721110721Z"},{utcTime,"330529110721Z"}}, + {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"a.server">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}, + {'OTPSubjectPublicKeyInfo',{'PublicKeyAlgorithm',{1,2,840,113549,1,1,1},'NULL'}, + 
{'RSAPublicKey',19254743747256260264207569423711759377779938665145630924415701722071839009286238971264967781043993434178803001083069740412920664146137571550852074547463946025114390093775800702438227109245066854329070921351832849321692114677809046259034306196616912261365770291322044071697789183279204771685063580949070504947864713748039312242300503875879444809664605423001542854874228001872895975468648787616073960661286876663709764410812833966560999459482926236332297043685455899393823175706646393051956438518613689798667608292659880957737510004003274559865311466147775473832468655042097383293967251824412697382839864114388741712057, + 65537}}, + asn1_NOVALUE,asn1_NOVALUE, + [{'Extension',{2,5,29,19},false,{'BasicConstraints',false,asn1_NOVALUE}}, + {'Extension',{2,5,29,15},false,[digitalSignature,nonRepudiation,keyEncipherment]}, + {'Extension',{2,5,29,14},false,<<175,14,85,35,212,170,133,20,114,234,90,223,163,49,255,87,86,93,165,56>>}, + {'Extension',{2,5,29,35}, + false, + {'AuthorityKeyIdentifier',<<123,93,133,100,41,175,227,134,140,47,217,84,132,181,89,186,102,41,30,255>>, + [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}], + [{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}], + [{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}], + [{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}], + [{'AttributeTypeAndValue',{2,5,4,6},"SE"}], + [{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}}], + 1}}, + {'Extension',{2,5,29,17},false,[{dNSName,"host.example.com"}]}, + {'Extension',{2,5,29,18},false,[{rfc822Name,"peter@erix.ericsson.se"}]}]}, + {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'}, + 
<<23,196,208,23,144,187,135,84,233,168,123,81,115,112,33,52,77,238,239,70,248,131,119,160,178,216,252,166,176,20,252,211,108,160,202,140,96,84,98,209,7,149,30,184,0,196,139,48,122,36,45,10,198,106,98,33,183,254,48,11,88,64,93,232,152,233,133,216,191,128,35,96,183,221,122,87,230,30,191,199,226,203,164,217,236,101,83,158,113,211,177,52,217,39,96,108,242,87,70,44,246,68,124,122,121,88,188,254,22,48,98,121,238,158,4,160,141,249,255,93,147,83,42,86,62,5,118,164,54,75,87,49,111, + 126,197,89,32,226,89,40,154,70,165,118,239,26,249,59,48,52,237,152,240,131,100,187,14,157,201,103,102,27,81,198,226,121,221,68,244,119,130,149,231,179,35,64,96,254,245,5,199,112,145,65,69,80,87,235,140,137,20,220,148,157,94,123,177,186,187,66,99,92,150,213,147,129,36,126,93,4,10,123,70,238,175,247,102,91,42,201,27,123,76,212,45,115,11,31,114,173,124,27,156,248,36,37,195,111,206,236,43,224,157,50,98,109,179,87,223,187,8,204,197,202,155,60>>}, + IssuerCert = + {'OTPCertificate',{'OTPTBSCertificate',v3,1, + {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'}, + {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}, + {'Validity',{utcTime,"230721110720Z"},{utcTime,"330529110720Z"}}, + {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"otpCA">>}}],[{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}],[{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}],[{'AttributeTypeAndValue',{2,5,4,6},"SE"}],[{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}],[{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}, + 
{'OTPSubjectPublicKeyInfo',{'PublicKeyAlgorithm',{1,2,840,113549,1,1,1},'NULL'}, + {'RSAPublicKey',21858379260819365313885475389172639523863567481982302063462584029790343874819317972475546206568963022785252583910194728269078148431804871680312638323851125861707159230343297343111968246731095811513561212201088276841624533346998017512000090901290490304174895932870845288899008429347052837949441312958652271962356020302617279856538736007013593572768976262766464136388094144122584736630529987720049486299302127652434926700165727330943325372510516379103006575448279898129379834740761468401572505064753618409945975591285059206889943804512145915054818226570266582909516966602868100682823910151957272535898084374557112395143, + 65537}}, + asn1_NOVALUE,asn1_NOVALUE, + [{'Extension',{2,5,29,19},true,{'BasicConstraints',true,asn1_NOVALUE}}, + {'Extension',{2,5,29,15},false,[keyCertSign,cRLSign]}, + {'Extension',{2,5,29,14},false,<<123,93,133,100,41,175,227,134,140,47,217,84,132,181,89,186,102,41,30,255>>}, + {'Extension',{2,5,29,35}, + false, + {'AuthorityKeyIdentifier',<<229,159,14,81,153,72,30,27,33,37,234,91,103,205,230,72,95,185,112,95>>, + [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},{utf8String,<<"erlangCA">>}}], + [{'AttributeTypeAndValue',{2,5,4,11},{utf8String,<<"Erlang OTP">>}}], + [{'AttributeTypeAndValue',{2,5,4,10},{utf8String,<<"Ericsson AB">>}}], + [{'AttributeTypeAndValue',{2,5,4,7},{utf8String,<<"Stockholm">>}}], + [{'AttributeTypeAndValue',{2,5,4,6},"SE"}], + [{'AttributeTypeAndValue',{1,2,840,113549,1,9,1},"peter@erix.ericsson.se"}]]}}], + 674805639123712796695508479052504582494838106155}}, + {'Extension',{2,5,29,17},false,[{rfc822Name,"peter@erix.ericsson.se"}]}, + {'Extension',{2,5,29,18},false,[{rfc822Name,"peter@erix.ericsson.se"}]}]}, + {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'}, + 
<<44,128,75,220,253,223,223,77,33,57,30,205,101,103,200,211,254,81,122,195,123,239,98,5,118,58,179,193,24,93,12,243,124,194,160,163,206,243,199,49,143,11,73,192,218,193,154,93,146,232,1,191,99,201,129,94,131,59,107,227,216,17,31,101,67,153,177,189,164,194,224,164,78,160,42,79,131,65,37,78,226,201,200,180,128,38,101,164,193,72,82,196,88,204,145,94,235,84,13,243,0,149,99,175,203,211,108,177,156,17,27,40,87,195,19,56,39,102,103,42,27,60,30,44,204,157,107,121,128,68,93,216,123, + 106,112,105,74,7,142,155,171,1,8,31,123,245,78,142,111,142,178,127,169,202,110,125,35,192,199,23,203,201,103,44,99,100,192,156,214,62,109,71,205,66,32,81,252,124,138,238,225,88,247,85,255,65,141,131,234,184,248,20,51,81,71,19,98,102,114,96,49,77,1,79,27,18,218,79,37,232,194,204,172,54,124,167,188,158,43,54,183,230,40,230,152,216,12,27,56,66,104,238,235,52,176,110,159,88,151,7,228,201,248,195,82,131,220,31,104,44,239,147,61,71,35,245>>}, + OcspRespDer = + <<48,130,7,36,10,1,0,160,130,7,29,48,130,7,25,6,9,43,6,1,5,5,7,48,1,1,4,130,7,10,48,130,7,6,48,130,1,10,161,129,134,48,129,131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101, + 114,105,99,115,115,111,110,46,115,101,24,15,50,48,50,51,48,55,50,49,49,49,48,55,50,53,90,48,81,48,79,48,58,48,9,6,5,43,14,3,2,26,5,0,4,20,227,147,252,182,155,101,129,45,194,162,22,93,127,46,112,193,196,28,241,232,4,20,123,93,133,100,41,175,227,134,140,47,217,84,132,181,89,186,102,41,30,255,2,1,9,128,0,24,15,50,48,50,51,48,55,50,49,49,49,48,55,50,53,90,161,27,48,25,48,23,6,9,43,6,1,5,5,7,48,1,2,4,10,4,8,244,183,192,191,230,8,236,82,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3,130,1,1,0,151,99, + 
102,238,65,164,80,97,143,115,223,2,201,56,75,220,145,150,17,27,9,169,149,158,40,226,29,109,8,35,234,24,59,113,1,26,123,144,32,68,235,210,36,55,61,215,0,183,49,156,52,153,132,237,180,231,43,45,18,138,126,118,173,130,246,213,225,216,15,85,248,146,35,220,27,100,93,232,234,91,206,224,98,18,48,52,95,213,129,117,11,174,228,48,220,235,82,141,157,179,13,119,17,244,189,21,77,102,114,166,227,25,160,113,148,244,142,33,232,161,77,189,187,72,196,144,82,70,200,250,222,68,154,153,20,33,60,4,252,151,16,64, + 207,109,4,30,49,47,75,150,122,24,90,22,226,156,91,30,83,141,79,29,116,58,13,185,66,215,89,19,64,194,190,72,113,112,136,61,75,5,138,239,108,222,87,212,193,155,108,150,47,180,73,3,110,216,68,189,146,8,179,94,110,147,207,86,2,65,251,193,111,254,43,200,77,72,154,214,13,40,48,209,104,42,105,175,163,52,160,39,92,238,240,174,145,3,33,49,33,231,26,14,5,32,33,220,74,149,25,163,131,65,30,63,134,148,160,130,4,224,48,130,4,220,48,130,4,216,48,130,3,192,160,3,2,1,2,2,1,1,48,13,6,9,42,134,72,134,247,13,1, + 1,11,5,0,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,30,23,13,50,51,48,55,50,49,49,49,48,55,50,48,90,23,13, + 51,51,48,53,50,57,49,49,48,55,50,48,90,48,129,131,49,14,48,12,6,3,85,4,3,12,5,111,116,112,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99,115,115,111,110,32,65,66,49,11,48,9,6,3,85,4,6,19,2,83,69,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,130,1,34,48,13,6,9,42,134,72,134,247, + 
13,1,1,1,5,0,3,130,1,15,0,48,130,1,10,2,130,1,1,0,173,38,214,237,131,195,86,49,85,177,225,21,254,222,227,229,5,62,193,131,224,141,51,233,36,68,108,11,164,68,95,160,243,171,55,43,32,228,15,5,179,194,124,9,53,219,33,15,243,77,206,104,255,63,250,231,185,218,111,190,98,34,71,38,139,51,202,112,110,85,248,177,207,156,210,51,28,18,236,236,4,188,58,33,169,250,181,59,114,133,246,82,217,36,166,28,3,70,49,82,68,36,134,32,57,142,168,231,193,73,219,102,49,13,97,199,40,138,118,250,244,41,206,121,115,208, + 19,230,5,243,38,239,1,36,41,13,232,86,191,182,144,86,6,211,57,117,243,216,229,51,99,224,126,39,125,40,127,104,11,72,234,205,113,200,92,92,16,19,136,114,193,132,13,94,240,242,21,211,46,12,85,64,205,36,26,63,69,187,206,233,0,170,217,10,160,20,147,236,233,244,66,234,133,95,84,34,109,40,107,163,119,22,202,156,112,153,240,188,17,145,105,157,23,239,140,106,7,155,196,161,187,21,174,181,169,137,91,242,134,9,35,52,159,36,160,30,169,36,130,60,61,61,245,235,229,135,2,3,1,0,1,163,130,1,80,48,130,1,76,48, + 15,6,3,85,29,19,1,1,255,4,5,48,3,1,1,255,48,11,6,3,85,29,15,4,4,3,2,1,6,48,29,6,3,85,29,14,4,22,4,20,123,93,133,100,41,175,227,134,140,47,217,84,132,181,89,186,102,41,30,255,48,129,198,6,3,85,29,35,4,129,190,48,129,187,128,20,229,159,14,81,153,72,30,27,33,37,234,91,103,205,230,72,95,185,112,95,161,129,140,164,129,137,48,129,134,49,17,48,15,6,3,85,4,3,12,8,101,114,108,97,110,103,67,65,49,19,48,17,6,3,85,4,11,12,10,69,114,108,97,110,103,32,79,84,80,49,20,48,18,6,3,85,4,10,12,11,69,114,105,99, + 115,115,111,110,32,65,66,49,18,48,16,6,3,85,4,7,12,9,83,116,111,99,107,104,111,108,109,49,11,48,9,6,3,85,4,6,19,2,83,69,49,37,48,35,6,9,42,134,72,134,247,13,1,9,1,22,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,130,20,118,51,84,213,187,124,136,133,219,84,17,35,72,97,52,24,238,100,168,43,48,33,6,3,85,29,17,4,26,48,24,129,22,112,101,116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,33,6,3,85,29,18,4,26,48,24,129,22,112,101, + 
116,101,114,64,101,114,105,120,46,101,114,105,99,115,115,111,110,46,115,101,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,3,130,1,1,0,44,128,75,220,253,223,223,77,33,57,30,205,101,103,200,211,254,81,122,195,123,239,98,5,118,58,179,193,24,93,12,243,124,194,160,163,206,243,199,49,143,11,73,192,218,193,154,93,146,232,1,191,99,201,129,94,131,59,107,227,216,17,31,101,67,153,177,189,164,194,224,164,78,160,42,79,131,65,37,78,226,201,200,180,128,38,101,164,193,72,82,196,88,204,145,94,235,84,13,243,0,149, + 99,175,203,211,108,177,156,17,27,40,87,195,19,56,39,102,103,42,27,60,30,44,204,157,107,121,128,68,93,216,123,106,112,105,74,7,142,155,171,1,8,31,123,245,78,142,111,142,178,127,169,202,110,125,35,192,199,23,203,201,103,44,99,100,192,156,214,62,109,71,205,66,32,81,252,124,138,238,225,88,247,85,255,65,141,131,234,184,248,20,51,81,71,19,98,102,114,96,49,77,1,79,27,18,218,79,37,232,194,204,172,54,124,167,188,158,43,54,183,230,40,230,152,216,12,27,56,66,104,238,235,52,176,110,159,88,151,7,228,201, + 248,195,82,131,220,31,104,44,239,147,61,71,35,245>>, + NonceExt = <<4,8,244,183,192,191,230,8,236,82>>, + ok = + public_key:pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, NonceExt, []). + %%-------------------------------------------------------------------- cacerts_load() -> [{doc, "Basic tests of cacerts functionality"}]. -- 2.35.3
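Review bot: `pkix_ocsp_validate/1` exercises only the accepting path of the new public API; its single assertion is `ok = public_key:pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, NonceExt, [])`, so a regression that made validation accept any response would still pass this case. Because this entry point is a revocation check, the case should also pin at least one rejection through it, for example `{error, {bad_cert, _}} = public_key:pkix_ocsp_validate(Cert, IssuerCert, OcspRespDer, <<4,8,0,0,0,0,0,0,0,0>>, [])` with a nonce that does not match the response (the nonce here is a constructed sample, and the error shape is the one the accompanying documentation states). The `{doc, "Check OCSP extensions"}` string on `pkix_ocsp_validate/0` looks copied from `ocsp_extensions/0` and would read better as `[{doc, "Check OCSP response validation"}]`. The fixture certificates carry 2023 validity dates and the response is static, so it is worth confirming that accepting it with an empty option list is the intended freshness behaviour rather than an accident of the test data.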