# OCSP test using http://ocsp.openvalidation.org # # See http://www.openvalidation.org/useocspservicenew.htm for details. We're # using the CA1 certs obtained from # http://www.openvalidation.org/download/downloadrootcertsCA1.htm # # Apparently all requests are signed by Server_CA2, even the ones for # certs which are themselves signed by Server_CA1. So, we need both roots. # # This test does not run as of 10/25/06 because the OCSP responses we get # are past their nextUpdate time of 20060816111203Z. We'll keep this here in # case openvalidation.org updates their server. # globals certNetFetchEnable = false useSystemAnchors = false cacheDisable = false allowUnverified = false end # echo "=================================" test = "no revocation just to make sure we have decent certs" revokePolicy = none cert = User_CA1.crt root = Root_CA1.crt verifyTime=20050101000000 allowUnverified=true end # echo "=================================" test = "OCSP, good status, user cert, cache disabled" revokePolicy = ocsp cert = User_CA1.crt root = Root_CA1.crt root = Root_CA2.crt responderURI = http://ocsp.openvalidation.org:80 responderCert = Server_CA2.crt verifyTime=20050101000000 cacheDisable = true end # echo "=================================" test = "OCSP, good status, user cert, cache enable" revokePolicy = ocsp cert = User_CA1.crt root = Root_CA1.crt root = Root_CA2.crt responderURI = http://ocsp.openvalidation.org:80 responderCert = Server_CA2.crt cacheDisable = false verifyTime=20050101000000 end # echo "=================================" test = "OCSP, good status, user cert, cache disable, net disable, fail" revokePolicy = ocsp cert = User_CA1.crt root = Root_CA1.crt root = Root_CA2.crt # responderURI = http://ocsp.openvalidation.org:80 requireOcspIfPresent = true cacheDisable = true verifyTime=20050101000000 error = APPLETP_OCSP_UNAVAILABLE certerror = 0:APPLETP_OCSP_UNAVAILABLE end # echo "=================================" test = "OCSP, good status, user cert, cache enable, net disable, succeed" revokePolicy = ocsp cert = User_CA1.crt root = Root_CA1.crt root = Root_CA2.crt # responderURI = http://ocsp.openvalidation.org:80 responderCert = Server_CA2.crt reqOcspIfPresent = true # no net but we get it from cache OK cacheDisable = false ocspNetFetchDisable = true verifyTime=20050101000000 end # echo "=================================" test = "OCSP, revoked status, user cert" revokePolicy = ocsp cert = User_CA1.crt root = Root_CA1.crt root = Root_CA2.crt responderURI = http://ocsp.openvalidation.org:8083 responderCert = Server_CA2.crt verifyTime=20050101000000 error = TP_CERT_REVOKED certerror = 0:TP_CERT_REVOKED reqOcspIfPresent = true end # echo "=================================" test = "OCSP, unknown status, fail" revokePolicy = ocsp cert = User_CA1.crt root = Root_CA1.crt root = Root_CA2.crt responderURI = http://ocsp.openvalidation.org:8084 responderCert = Server_CA2.crt allowUnverified = false verifyTime=20050101000000 # port 8084 yields the "I don't know this cert" failure, so the overall result # when we require OCSP per cert is not available error = APPLETP_OCSP_UNAVAILABLE certerror = 0:APPLETP_OCSP_UNAVAILABLE end # echo "=================================" test = "OCSP, unknown status, success" revokePolicy = ocsp cert = User_CA1.crt root = Root_CA1.crt root = Root_CA2.crt responderURI = http://ocsp.openvalidation.org:8084 responderCert = Server_CA2.crt allowUnverified = true verifyTime=20050101000000 end