commit c43f598838acaf3b98df4fce4b6babb663d2f902 Author: Otto Hollmann Date: Fri Jun 30 11:15:30 2023 +0200 Add OCSP_RESPONSE_check_status(), a function to check OCSP response for revoked certificate in s_client. --- apps/s_client.c | 10 + crypto/ocsp/ocsp_vfy.c | 31 +++++ doc/man3/OCSP_response_status.pod | 15 ++ include/openssl/ocsp.h | 1 test/recipes/80-test_ocsp_check.t | 90 +++++++++++++++++ test/recipes/80-test_ocsp_check_data/ca.pem | 19 +++ test/recipes/80-test_ocsp_check_data/index-revoked.txt | 2 test/recipes/80-test_ocsp_check_data/index-valid.txt | 2 test/recipes/80-test_ocsp_check_data/ocsp.key | 28 +++++ test/recipes/80-test_ocsp_check_data/ocsp.pem | 75 ++++++++++++++ test/recipes/80-test_ocsp_check_data/server.key | 28 +++++ test/recipes/80-test_ocsp_check_data/server.pem | 75 ++++++++++++++ util/libcrypto.num | 1 13 files changed, 372 insertions(+), 5 deletions(-) --- a/apps/s_client.c +++ b/apps/s_client.c @@ -3390,7 +3390,7 @@ static void print_stuff(BIO *bio, SSL *s static int ocsp_resp_cb(SSL *s, void *arg) { const unsigned char *p; - int len; + int len, ret; OCSP_RESPONSE *rsp; len = SSL_get_tlsext_status_ocsp_resp(s, &p); BIO_puts(arg, "OCSP response: "); @@ -3407,8 +3407,14 @@ static int ocsp_resp_cb(SSL *s, void *ar BIO_puts(arg, "\n======================================\n"); OCSP_RESPONSE_print(arg, rsp, 0); BIO_puts(arg, "======================================\n"); + ret = OCSP_RESPONSE_check_status(rsp); OCSP_RESPONSE_free(rsp); - return 1; + if (ret <= -1) { + BIO_puts(arg, "unable to verify OCSP response\n"); + } else if (ret == 0) { + BIO_puts(arg, "revoked certificate found in OCSP response\n"); + } + return ret; } # endif --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c 
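Review bot: A positive `ret` is handed back to libssl as "response acceptable" in the second s_client.c hunk, yet nothing on this path authenticates the stapled response, because the new OCSP_RESPONSE_check_status() only looks for a REVOKED entry. The response signature, its responseStatus, whether any entry refers to the peer's certificate, and the thisUpdate/nextUpdate window all go unchecked, so the absence of the "revoked" message is not evidence that the certificate is good. Before returning a positive value the callback should verify the response with `OCSP_basic_verify()` against the trust store and look up the peer's own entry with `OCSP_resp_find_status()` and `OCSP_check_validity()`; at minimum add `/* NOTE: response is not authenticated; only an explicit REVOKED entry is detected */` above the call. The "unable to verify OCSP response" text also implies a verification that is not attempted. Part of ocsp_resp_cb lies between the two hunks and is not visible here.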
@@ -433,3 +433,34 @@ static int ocsp_req_find_signer(X509 **p } return 0; } + +/* + * Check an OCSP response for revoked certificate. Return a negative value on + * error; 0 if the response is not acceptable (in which case the handshake + * will fail) or a positive value if it is acceptable (no revoked certificate + * is found). + */ + +int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o) +{ + int i; + OCSP_BASICRESP *br = NULL; + OCSP_RESPDATA *rd = NULL; + OCSP_SINGLERESP *single = NULL; + OCSP_RESPBYTES *rb = o->responseBytes; + if (rb == NULL) + return -1; + if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) + return -1; + if ((br = OCSP_response_get1_basic(o)) == NULL) + return -1; + rd = &br->tbsResponseData; + for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { + if (!sk_OCSP_SINGLERESP_value(rd->responses, i)) + continue; + single = sk_OCSP_SINGLERESP_value(rd->responses, i); + if (single->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) + return 0; + } + return 1; +} --- a/doc/man3/OCSP_response_status.pod +++ b/doc/man3/OCSP_response_status.pod @@ -2,8 +2,8 @@ =head1 NAME -OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create, -OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, +OCSP_response_status, OCSP_RESPONSE_check_status, OCSP_response_get1_basic, +OCSP_response_create, OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, OCSP_RESPID_set_by_key, OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions @@ -12,6 +12,7 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - O #include int OCSP_response_status(OCSP_RESPONSE *resp); + int OCSP_RESPONSE_check_status(OCSP_RESPONSE *resp); OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); void OCSP_RESPONSE_free(OCSP_RESPONSE *resp); 
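Review bot: The `OCSP_BASICRESP` returned by `OCSP_response_get1_basic()` is an owned copy and is never released, so both `return 0` and `return 1` in OCSP_RESPONSE_check_status() leak it on every call. The function is also exported but dereferences `o->responseBytes` in its initializer without a NULL check, and it looks up each stack element twice. Separately, the header comment's "the handshake will fail" describes one caller rather than this library function, and it should state that UNKNOWN entries and an empty response list both yield 1 and that no signature or CertID check is performed. A version with a single exit that frees `br` is sketched below.

```c
int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o)
{
    int i, ret = 1;
    OCSP_BASICRESP *br;
    OCSP_SINGLERESP *single;

    if (o == NULL || o->responseBytes == NULL)
        return -1;
    /* ... unchanged: responseType must be NID_id_pkix_OCSP_basic ... */
    if ((br = OCSP_response_get1_basic(o)) == NULL)
        return -1;
    for (i = 0; i < sk_OCSP_SINGLERESP_num(br->tbsResponseData.responses); i++) {
        single = sk_OCSP_SINGLERESP_value(br->tbsResponseData.responses, i);
        if (single != NULL
                && single->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) {
            ret = 0;
            break;
        }
    }
    /* get1 hands back a decoded copy that the caller owns */
    OCSP_BASICRESP_free(br);
    return ret;
}
```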
@@ -34,6 +35,10 @@ B B, B B, or B. +OCSP_RESPONSE_check_status() check status of the OCSP response I. It +returns a negative value on error; 0 if the response is not acceptable +(e.g. contains revoked certificate) or a positive value if it is acceptable. + OCSP_response_get1_basic() decodes and returns the B structure contained in B. @@ -65,7 +70,11 @@ uses the parameters contained in digest =head1 RETURN VALUES -OCSP_RESPONSE_status() returns a status value. +OCSP_response_status() returns a status value. + +OCSP_RESPONSE_check_status() returns a result of check - negative value on +error; 0 if the response is not acceptable; positive value if response is +acceptable. OCSP_response_get1_basic() returns an B structure pointer or B if an error occurred. --- a/include/openssl/ocsp.h +++ b/include/openssl/ocsp.h @@ -340,6 +340,7 @@ const char *OCSP_crl_reason_str(long s); int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags); int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags); +int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o); int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); --- /dev/null +++ b/test/recipes/80-test_ocsp_check.t 
@@ -0,0 +1,90 @@ +#! /usr/bin/env perl +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use warnings; + +use IPC::Open2; +use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_file/; +use OpenSSL::Test::Utils; + +setup("test_ocsp_check"); + +plan tests => 2; + +my $shlib_wrap = bldtop_file("util", "shlib_wrap.sh"); +my $apps_openssl = bldtop_file("apps", "openssl"); +my $ca = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ca.pem"); +my $ca_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ca.key"); +my $ocsp = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ocsp.pem"); +my $ocsp_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ocsp.key"); +my $server = srctop_file("test", "recipes", "80-test_ocsp_check_data", "server.pem"); +my $server_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "server.key"); +my $index; +my $ocsp_port = 9999; +my $https_port = 8443; +# 20 July 2023 so we don't get certificate expiry errors. 
+my @check_time=("-attime", "1689811200"); + +sub run_test { + my $id = shift; + my $connect_good = 0; + + if ($id == 0) { + $index = srctop_file("test", "recipes", "80-test_ocsp_check_data", "index-valid.txt"); + } + if ($id == 1) { + $index = srctop_file("test", "recipes", "80-test_ocsp_check_data", "index-revoked.txt"); + } + # OCSP responder + my @o_cmd = ("ocsp", "-index", $index, "-port", "$ocsp_port", "-rsigner", $ocsp, "-rkey", $ocsp_key, "-CA", $ca, "-nrequest", "1", @check_time); + # server + my @s_cmd = ("s_server", "-www", "-status_url", "http://127.0.0.1:$ocsp_port", "-accept", "$https_port", "-cert", $server, "-key", $server_key, "-state", "-CAfile", $ca, "-naccept", "1", @check_time); + # client + my @c_cmd = ("s_client", "-connect", ":$https_port", "-CAfile", $ca, "-status", "-verify_return_error", "-strict", @check_time); + + # Run the OCSP responder + my $o_pid = open2(my $o_out, my $o_in, $shlib_wrap, $apps_openssl, @o_cmd); + + # Start up the server + my $s_pid = open2(my $s_out, my $s_in, $shlib_wrap, $apps_openssl, @s_cmd); + while (<$s_out>) { + chomp; + if (/^ACCEPT$/) { + print "Server ready\n"; + last; + } + } + + # Start up the client + my $c_pid = open2(my $c_out, my $c_in, $shlib_wrap, $apps_openssl, @c_cmd); + if ($id == 0) { + # Do the "GET", which will cause the client to finish + print $c_in "GET /\r\n"; + } + + waitpid($c_pid, 0); + waitpid($s_pid, 0); + waitpid($o_pid, 0); + + # Check the client output + while (<$c_out>) { + chomp; + if ($id == 0) { + $connect_good = 1 if /^Content-type: text/; + } + if ($id == 1) { + $connect_good = 1 if /^revoked certificate found in OCSP response/; + } + } + print STDERR "Connection failed\n" if ! ok($connect_good); +} + +for my $index (0..1) { + run_test($index) +} \ No newline at end of file --- /dev/null +++ b/test/recipes/80-test_ocsp_check_data/ca.pem 
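Review bot: run_test starts s_server as soon as the OCSP responder process has been spawned, without waiting for the responder to be listening, so the stapling request to `http://127.0.0.1:$ocsp_port` can race the responder's bind; only the server's `ACCEPT` line is awaited. The fixed ports `9999` and `8443` will also collide when recipes run in parallel or when the ports are already taken on the build host, and both sub-tests reuse them back to back. The client's output is read only after `waitpid($c_pid, 0)`, which can stall if s_client writes more than the pipe buffer holds; draining `$c_out` before the `waitpid` calls avoids that. `$ca_key` refers to `ca.key`, which is not in the commit's diffstat and is never used, so the line `my $ca_key = ...;` can be dropped.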
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBTCCAe2gAwIBAgIUZot4eag1ZaofYsMIB7HIzq8+zGEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMzA3MTIwOTI5NDdaFw0zMzA3MDkw +OTI5NDdaMBIxEDAOBgNVBAMMB1Jvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDRRSlP0gUVVlzMkEtVzX95n5lM+P36lyNgevKqY1Dl3ygPAzaq +HRUBsgcxdDwWwMPO2u5UJOWaQ80nwFGROwX8WrRoBTvsUZ+URyXx98tHrhnD6wI9 +v30xYGN0RU2Ef2XnMvThhKRQVZJJWAHFPWZdPes0/g3H4FGJudOQJUHpiDD1UEF+ +cWxyujhVbvBFCX+mBS+r/tn75axjsUqmbxwCE7TK3CD0JdvlLUYxtybvozYoONot +/mFleCMmPaTzPHan+iXNHp4Tn+3Ssndo3uiTr0pEbGgSOy2PppbZmv0ml0+CSLN4 +G8VaBBf7VTMayowEmmDgTpsOTi9tJqW2CcGzAgMBAAGjUzBRMB0GA1UdDgQWBBRj +L87V9mqTdWYMCNNBb6Hay7OwPjAfBgNVHSMEGDAWgBRjL87V9mqTdWYMCNNBb6Ha +y7OwPjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC09qzufLI/ +AoBscY8e9Q4pRhzeVVAKQ6yAZiO2O0o3trI5xKqD3iD0pOC7Mbfg0e0lneK6ovpd +J178HwF4PMdiwvPH0KkAf0DaB96nC6U6oGQmItq8668jeVBjat0UCP3xiLmLhhAl +mnnsgFC1eALmpWQPVlixUaXF4ri3R0QBUcc2kIV5zr1P3LJVboMSgCZULvrlfQLC +kA0GdCCf6h08AFHRaIW8EE3I1IHNZc7eQcmnCLewHU5cPAYJ69GjhblSLS8kbpXK +k7BllPLkk99zc/94okTasTjUkmha3RhRqMNL8jrYVc1m7H4U+4XUyh1y4C4Nmz18 +fBbrMxN2SCXM +-----END CERTIFICATE----- --- /dev/null +++ b/test/recipes/80-test_ocsp_check_data/index-revoked.txt @@ -0,0 +1,2 @@ +V 240711093229Z 1000 unknown /CN=OCSP +R 240711093313Z 230621000000Z 1001 unknown /CN=Server --- /dev/null +++ b/test/recipes/80-test_ocsp_check_data/index-valid.txt @@ -0,0 +1,2 @@ +V 240711093229Z 1000 unknown /CN=OCSP +V 240711093313Z 1001 unknown /CN=Server --- /dev/null +++ b/test/recipes/80-test_ocsp_check_data/ocsp.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDZ2OLi8cpvoinQ +bs4YEmk9GdQNcg9+zBRHy/YRJF+bbdreINweLYigHg2D3rcJnrjXkNAmd08aD0x+ +4iq58Tvy5P48VZ+c1R3XUs1YQR20sKgnM8w+uF2SXxX18Idy31pNErYh3J8jVpBi +moMP9dC22iNB4kTKf1ORM6HaKnHM8wg3JzXv9lVoIQgAgyAmJOoQXhQ8Kn1AOj3j +vp1Jgm2hI4e2MTjgjraT9sKxPXIZkKnTwnZX88MpE9HvsQ7XV2CdYmMry+L69X68 +bl3S1eisDjeIvHPtz6TenZs7wxbupy7OtdOKRxa/mDh9C76XHiNPoukUF1NVZ93S +647ud7enAgMBAAECggEAFy+JbQxn9nwExZ2Cy4wWGFM0lF5vPhhmu4IpRTIhB4Vo +gIYbIg5y6/vBhidWRYICUVXP2ZrkLTVd97kxlqBmuCzdeZAcEKXxavacoAfaK142 +n2mDaP+CsgPzGJMfj2nXOLxvlxNd+qBey1J/oDC8+eEl/yqfwLT5hiA/2dz08hI6 +IU0BudOB6H5iBK74MJsubdm0tsY4iqTykXeiR+n5dvVGDXLUX74BDHlD9O7AAo10 +h74Vw22luigsV0spCVLoOYy6z9KMkOaHZRruPmF3UCsfJZFY2y6uMapvbdgUavr9 +5fpsx40ep/mjRkYainHfJK1YkV/AoTxKjPQu2owJIQKBgQD0akN75lGXaAMQ0oEA +1UrvZg75BQxPN+3qVtyynoQGVh58uRIaeG4DQdtc4nNPYI6o6NGbJk4T4wXU7W/3 +XUr+U/LdSGpHfM9gXGCUNgoJeUKY3NLUGdE4DIGDiJrmJfd5NDj37+PAQUTLBO49 +A0+BPnictZPffXuXCGL7lt7hYQKBgQDkLD9jV6HNtv8pAxFdQM+89NhWZCvpuTAs +rihG3ebblBotMuGsrZDJ75UKq5wPEGCZWDc5q2h8L6CiyQF7Vht4/pi4NEhsA9My +5hOGUJJVvvFmEIYz0GoCGqoDqag1XpKx8MYMvcc52bhzsYCy+dpnqraISeyiFPLM +hdy+3jROBwKBgAqKEoLjOZ13xLoS+bEZgXO1SOwABbncxYuXV0j0gOjtCb+DE37E +tqm5S0ZEFYjUtxIdh/xSuIcvAO9flbZq9XLmF9Dm8H5IqYCUOy3o7qHd8rs4unae +7mCmWWdcmqFV/cfiMpquY3nE1rySZ9uFqwX9taG8SrYWaR/oIqyKou3BAoGBAJgX +2oT4s/UxJzKKRffYLOEygEZN7WuVMsSFrnlWjv0M4soAIaf95gaFOd7r91GfRBTT +VbSOSk6FXNlFjUROaG+lnd0jlKbTgeNqs9cTPAgGCFlVaG9/XDpc1bktTN+OU9Bi +w1FY60TnmOkdh8FFhM0XYSbFyANeXV3xWOytp0XfAoGBAO2FkR3oGd3DSJmeljwJ +HciEmlYCk38z93mZXiDTh4axS+mxAMYVRXt0dDUveyImlpcGi9coYmQPEzgk6spQ +DOeRzRQcWQWfny9/UoGFU/Kv6QmpteAWaSjinBWKONx9d5AGzAkzms79tS8JMeL5 ++wlkyD8NclbRA+ILu+V8HLed +-----END PRIVATE KEY----- --- /dev/null +++ b/test/recipes/80-test_ocsp_check_data/ocsp.pem 
@@ -0,0 +1,75 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=Root CA + Validity + Not Before: Jul 12 09:32:29 2023 GMT + Not After : Jul 11 09:32:29 2024 GMT + Subject: CN=OCSP + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d9:d8:e2:e2:f1:ca:6f:a2:29:d0:6e:ce:18:12: + 69:3d:19:d4:0d:72:0f:7e:cc:14:47:cb:f6:11:24: + 5f:9b:6d:da:de:20:dc:1e:2d:88:a0:1e:0d:83:de: + b7:09:9e:b8:d7:90:d0:26:77:4f:1a:0f:4c:7e:e2: + 2a:b9:f1:3b:f2:e4:fe:3c:55:9f:9c:d5:1d:d7:52: + cd:58:41:1d:b4:b0:a8:27:33:cc:3e:b8:5d:92:5f: + 15:f5:f0:87:72:df:5a:4d:12:b6:21:dc:9f:23:56: + 90:62:9a:83:0f:f5:d0:b6:da:23:41:e2:44:ca:7f: + 53:91:33:a1:da:2a:71:cc:f3:08:37:27:35:ef:f6: + 55:68:21:08:00:83:20:26:24:ea:10:5e:14:3c:2a: + 7d:40:3a:3d:e3:be:9d:49:82:6d:a1:23:87:b6:31: + 38:e0:8e:b6:93:f6:c2:b1:3d:72:19:90:a9:d3:c2: + 76:57:f3:c3:29:13:d1:ef:b1:0e:d7:57:60:9d:62: + 63:2b:cb:e2:fa:f5:7e:bc:6e:5d:d2:d5:e8:ac:0e: + 37:88:bc:73:ed:cf:a4:de:9d:9b:3b:c3:16:ee:a7: + 2e:ce:b5:d3:8a:47:16:bf:98:38:7d:0b:be:97:1e: + 23:4f:a2:e9:14:17:53:55:67:dd:d2:eb:8e:ee:77: + b7:a7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 2B:C9:AC:45:83:BB:96:5B:73:77:1A:F8:DB:F9:98:44:C6:E8:55:95 + X509v3 Authority Key Identifier: + 63:2F:CE:D5:F6:6A:93:75:66:0C:08:D3:41:6F:A1:DA:CB:B3:B0:3E + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 02:87:49:a3:6f:c4:59:38:94:f9:f7:1a:ff:6f:4c:b4:6b:bd: + d2:79:98:5c:90:a8:49:45:ec:91:4e:ac:45:ec:8d:81:7f:ce: + ea:2f:93:c1:40:49:d4:c7:f2:ae:c0:60:1d:7d:65:91:83:63: + 51:4c:f0:ce:ef:81:dc:43:a6:b3:01:39:66:52:2d:1d:08:16: + a7:a7:54:78:e6:7a:06:49:5f:86:37:12:48:42:ab:37:a9:c0: + 04:98:70:45:50:9e:6d:30:6d:6d:81:05:79:1b:5c:2b:75:b9: + a8:46:22:4a:80:c9:ab:7c:f7:b2:63:69:ed:08:31:32:bd:8e: + f8:d7:8e:8e:29:8e:f6:b0:52:c2:a3:19:c1:e0:88:de:de:94: + 
4f:f1:a5:9b:1c:1c:c0:11:79:7f:df:38:1b:97:a9:6c:26:fc: + 7e:31:f5:78:ba:c1:1d:e6:7c:e1:8e:b3:c5:91:fc:f6:5f:44: + 18:44:0b:15:c8:94:a5:a7:02:58:2f:be:f4:e4:80:0a:ce:8e: + 33:36:dd:0f:39:d3:b6:ae:57:d2:46:b4:a2:d1:49:c9:29:a7: + a0:a7:62:a7:2e:2d:7d:91:94:12:f7:55:13:54:d5:4e:4d:eb: + 1f:78:a7:9e:a9:93:f9:6c:a9:ec:97:2e:c6:04:67:fa:95:47: + 1e:2c:d2:74 +-----BEGIN CERTIFICATE----- +MIIC6jCCAdKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v +dCBDQTAeFw0yMzA3MTIwOTMyMjlaFw0yNDA3MTEwOTMyMjlaMA8xDTALBgNVBAMM +BE9DU1AwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ2OLi8cpvoinQ +bs4YEmk9GdQNcg9+zBRHy/YRJF+bbdreINweLYigHg2D3rcJnrjXkNAmd08aD0x+ +4iq58Tvy5P48VZ+c1R3XUs1YQR20sKgnM8w+uF2SXxX18Idy31pNErYh3J8jVpBi +moMP9dC22iNB4kTKf1ORM6HaKnHM8wg3JzXv9lVoIQgAgyAmJOoQXhQ8Kn1AOj3j +vp1Jgm2hI4e2MTjgjraT9sKxPXIZkKnTwnZX88MpE9HvsQ7XV2CdYmMry+L69X68 +bl3S1eisDjeIvHPtz6TenZs7wxbupy7OtdOKRxa/mDh9C76XHiNPoukUF1NVZ93S +647ud7enAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFCvJrEWDu5Zbc3ca ++Nv5mETG6FWVMB8GA1UdIwQYMBaAFGMvztX2apN1ZgwI00FvodrLs7A+MA0GCSqG +SIb3DQEBCwUAA4IBAQACh0mjb8RZOJT59xr/b0y0a73SeZhckKhJReyRTqxF7I2B +f87qL5PBQEnUx/KuwGAdfWWRg2NRTPDO74HcQ6azATlmUi0dCBanp1R45noGSV+G +NxJIQqs3qcAEmHBFUJ5tMG1tgQV5G1wrdbmoRiJKgMmrfPeyY2ntCDEyvY74146O +KY72sFLCoxnB4Ije3pRP8aWbHBzAEXl/3zgbl6lsJvx+MfV4usEd5nzhjrPFkfz2 +X0QYRAsVyJSlpwJYL7705IAKzo4zNt0POdO2rlfSRrSi0UnJKaegp2KnLi19kZQS +91UTVNVOTesfeKeeqZP5bKnsly7GBGf6lUceLNJ0 +-----END CERTIFICATE----- --- /dev/null +++ b/test/recipes/80-test_ocsp_check_data/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDb4qMIdALYSZd7 +/RBJ5PTRZS23d4SkIxZuOGXiSdYNyDNqg+jZZ5HPJu1ZcZFZ7AYINCAnk/yv1rPd +Aoz50sZKTjHacQZLhaSds0PlN5/TrkwU0WUbalFWm5D6LB+VlDdkOSWSO3UNo23n +X3wBMCWL9tTqNCwzNx8o3P6L8gjEOyOU3lIB3DU0FgGZN0Fkk7ZrbZxoln78Hcgf +wBxWC2SafOwU9zofjdcEQr4Q6kAKDK1M7EYbq8U67BUS7SRRoj2Ub6KNhTGCuH5f +0M4umykvong4bvqYqmrpAM0qV/F0ngus8qJgAH21AeHAvG9iuP/AphbslKFl+Me5 +3J3/2A/lAgMBAAECggEAAsC9Ist1B6kwNNSvwgUUTZTTNDNSXU21J68cE2+yNtz1 +S9WX8jTaPfoySYbi93m9f5fLeUNgjAEHonI4Op55bg+5jw8QMZzcOT83z+RY42kQ +ucf/WI8Fsqxi7cbkpFZFNUOD5WdKKWAM7bMj1c35Al4WP1Jk5UVA5h2SMEVY97/x +2TeQIzxBVX7w8d3jSHQXizWLB06IRs0F1Kpp0qIXJ558GcWEYVLk7ORIcJACWJSh +UmhmtUVXI5OoWTTk4Ac7wus5GlCaLkwZ1RxV8iSwlQ5dhEBdDPRofrH9QgeULJrq +l+G+Cv32FizTzC3QuiPrXrbfPVxffYZuJ5g2RORh9wKBgQD4IqS3WzXYOoKwkA5d +8rVAL55tTE8I7/GZCoMrmRsXKV/30gJjhDlf5TyKWpFB7gcxBBZhd+lK/daH8d+S +EAeBdN45VM/xbQkVKyfOQMQ5JuKmLJUyUP7yevMDZ0TYWQGDWmnVMzhfICIKWQvM +lnPqCHFeYx+zWFBTDukr+aitywKBgQDi2sY1KAJiC24M7DILvjF0vFQGIPCyoOfQ +VKemT3O5BKXbEK/WgBmTHMZzGPUGCZ7dxjEeTpE1d6YIadSa3FMyA34PWi8+3jdn +lGSnK5MBlfKnk8Qo5vYOKPMgVmRPzqyJ8gUorNvAUEKZeFjV+wZeX/0yxSunumCj +dfOk2TWDDwKBgEQE0xxED32HhH2774RHXPIMW6Rgb6XmiFbIb+6KmMd/mwQG+Iqp +G0UzRKY0b28gPa5tDWmIglYBQUagwgV7CWOuUqBqpFns5rl7y/yY+nEkPKsKu5dA +ZrK3i1gafd/EfkqwhSRhVwmUeGBXyok5kOrNh641A+KYyeQKyVY5qMiDAoGALJgb +DIn/5ewfRxULRXmu2SbIUagaCNNOnop1pmDJ+93pCKZAGqd135BxhmCqkfREMY5r +S2zgaKVLky3SqFqVVCiRmEz/KpmeRJNMMfyD2nTyjXSjw/Ka/e+Y04uIDpQvILLd +xsAsNqLQZMDenbnJ57Vw3ZEa4s7lflyKd6ZnOYsCgYEA5jRpE1+lw1mAieDNovqH +Mp2VwrmuFWhkeC7RW0G8ngNRzP9K6p77cDZGuR8GO5OHhpC3JG14OhOGL5rmDcwc +ufXRlGMeAfWSY6EOY2hPWltML4EiX0zRESipQty8ns/HekIVlmOh4sv+3N3EqLlE +edJcYLfcg1FGwnVQLHuVhy4= +-----END PRIVATE KEY----- --- /dev/null +++ b/test/recipes/80-test_ocsp_check_data/server.pem 
@@ -0,0 +1,75 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4097 (0x1001) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=Root CA + Validity + Not Before: Jul 12 09:33:13 2023 GMT + Not After : Jul 11 09:33:13 2024 GMT + Subject: CN=Server + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:db:e2:a3:08:74:02:d8:49:97:7b:fd:10:49:e4: + f4:d1:65:2d:b7:77:84:a4:23:16:6e:38:65:e2:49: + d6:0d:c8:33:6a:83:e8:d9:67:91:cf:26:ed:59:71: + 91:59:ec:06:08:34:20:27:93:fc:af:d6:b3:dd:02: + 8c:f9:d2:c6:4a:4e:31:da:71:06:4b:85:a4:9d:b3: + 43:e5:37:9f:d3:ae:4c:14:d1:65:1b:6a:51:56:9b: + 90:fa:2c:1f:95:94:37:64:39:25:92:3b:75:0d:a3: + 6d:e7:5f:7c:01:30:25:8b:f6:d4:ea:34:2c:33:37: + 1f:28:dc:fe:8b:f2:08:c4:3b:23:94:de:52:01:dc: + 35:34:16:01:99:37:41:64:93:b6:6b:6d:9c:68:96: + 7e:fc:1d:c8:1f:c0:1c:56:0b:64:9a:7c:ec:14:f7: + 3a:1f:8d:d7:04:42:be:10:ea:40:0a:0c:ad:4c:ec: + 46:1b:ab:c5:3a:ec:15:12:ed:24:51:a2:3d:94:6f: + a2:8d:85:31:82:b8:7e:5f:d0:ce:2e:9b:29:2f:a2: + 78:38:6e:fa:98:aa:6a:e9:00:cd:2a:57:f1:74:9e: + 0b:ac:f2:a2:60:00:7d:b5:01:e1:c0:bc:6f:62:b8: + ff:c0:a6:16:ec:94:a1:65:f8:c7:b9:dc:9d:ff:d8: + 0f:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 3E:48:4E:C9:24:FA:DE:27:EA:A4:98:81:2A:06:12:9A:F6:FA:17:4E + X509v3 Authority Key Identifier: + 63:2F:CE:D5:F6:6A:93:75:66:0C:08:D3:41:6F:A1:DA:CB:B3:B0:3E + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 22:fe:de:97:6e:e8:5d:65:91:f0:70:af:97:85:53:5e:8e:c8: + 88:9b:e5:b3:33:d4:21:b9:3b:09:b7:72:70:16:8c:a8:0e:80: + 0f:1b:03:cb:95:94:ae:40:e2:3b:54:06:ec:1e:f5:bc:58:8a: + 22:57:cf:fe:14:b0:15:8c:18:5d:9d:fe:0e:70:55:26:c5:cc: + 92:f3:bf:03:19:e6:bd:41:b5:c3:cf:15:d3:e9:10:df:65:2a: + 68:c0:a3:df:93:a4:b1:66:20:94:1d:df:0a:9c:05:e7:74:a1: + 1a:39:db:c2:5b:78:8c:0c:f6:5e:30:80:cc:39:04:8a:8c:db: + 81:c1:5b:b4:3e:c2:ba:ae:06:ec:19:91:b4:a5:46:05:e7:8c: + 
ef:88:3f:d1:38:d3:37:42:88:25:c2:43:9b:df:7f:7c:15:c3: + 7b:72:d2:b6:49:45:ce:c8:ce:f1:2d:be:7b:86:1c:31:8d:c9: + de:51:d4:06:9f:1d:f2:86:ac:bf:5f:4d:da:31:26:70:ce:e1: + 0a:87:1f:a9:73:24:78:a2:4a:c2:73:ea:4c:6b:2c:a7:b6:1c: + d7:c3:5e:3a:8a:f9:02:54:62:73:a2:a6:3e:e5:d6:2d:6f:6e: + ba:57:11:20:d1:41:2e:c7:6b:d8:7d:70:5e:1d:17:03:5e:a7: + 16:c9:4b:fb +-----BEGIN CERTIFICATE----- +MIIC7DCCAdSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v +dCBDQTAeFw0yMzA3MTIwOTMzMTNaFw0yNDA3MTEwOTMzMTNaMBExDzANBgNVBAMM +BlNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANviowh0AthJ +l3v9EEnk9NFlLbd3hKQjFm44ZeJJ1g3IM2qD6Nlnkc8m7VlxkVnsBgg0ICeT/K/W +s90CjPnSxkpOMdpxBkuFpJ2zQ+U3n9OuTBTRZRtqUVabkPosH5WUN2Q5JZI7dQ2j +bedffAEwJYv21Oo0LDM3Hyjc/ovyCMQ7I5TeUgHcNTQWAZk3QWSTtmttnGiWfvwd +yB/AHFYLZJp87BT3Oh+N1wRCvhDqQAoMrUzsRhurxTrsFRLtJFGiPZRvoo2FMYK4 +fl/Qzi6bKS+ieDhu+piqaukAzSpX8XSeC6zyomAAfbUB4cC8b2K4/8CmFuyUoWX4 +x7ncnf/YD+UCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUPkhOyST63ifq +pJiBKgYSmvb6F04wHwYDVR0jBBgwFoAUYy/O1fZqk3VmDAjTQW+h2suzsD4wDQYJ +KoZIhvcNAQELBQADggEBACL+3pdu6F1lkfBwr5eFU16OyIib5bMz1CG5Owm3cnAW +jKgOgA8bA8uVlK5A4jtUBuwe9bxYiiJXz/4UsBWMGF2d/g5wVSbFzJLzvwMZ5r1B +tcPPFdPpEN9lKmjAo9+TpLFmIJQd3wqcBed0oRo528JbeIwM9l4wgMw5BIqM24HB +W7Q+wrquBuwZkbSlRgXnjO+IP9E40zdCiCXCQ5vff3wVw3ty0rZJRc7IzvEtvnuG +HDGNyd5R1AafHfKGrL9fTdoxJnDO4QqHH6lzJHiiSsJz6kxrLKe2HNfDXjqK+QJU +YnOipj7l1i1vbrpXESDRQS7Ha9h9cF4dFwNepxbJS/s= +-----END CERTIFICATE----- --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4649,3 +4649,4 @@ fips_sli_RAND_bytes_is_approved fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION: FIPS_entropy_init 6611 1_1_1l EXIST::FUNCTION: FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION: +OCSP_RESPONSE_check_status 6613 1_1_1l EXIST::FUNCTION:OCSP