@@ -4,10 +4,13 @@ import (
44 "bytes"
55 "context"
66 "crypto"
7+ "crypto/x509"
8+ "crypto/x509/pkix"
79 "errors"
810 "io"
911 "net/http"
1012 "net/http/httptest"
13+ "strings"
1114 "testing"
1215
1316 "golang.org/x/crypto/ocsp"
@@ -153,6 +156,69 @@ func TestStapleOCSP(t *testing.T) {
153156 })
154157}
155158
159+ func TestValidateOCSPResponder (t * testing.T ) {
160+ issuer := mustMakeCertificate (t , caCert , caKey ).Leaf
161+
162+ tests := []struct {
163+ name string
164+ resp * ocsp.Response
165+ wantErr string
166+ }{
167+ {
168+ name : "issuer signed response with no embedded cert" ,
169+ resp : & ocsp.Response {Certificate : nil },
170+ },
171+ {
172+ name : "embedded responder cert is issuer cert" ,
173+ resp : & ocsp.Response {Certificate : issuer },
174+ },
175+ {
176+ name : "delegated responder with OCSP signing eku" ,
177+ resp : & ocsp.Response {Certificate : & x509.Certificate {
178+ Subject : pkix.Name {CommonName : "Delegated OCSP Responder" },
179+ ExtKeyUsage : []x509.ExtKeyUsage {
180+ x509 .ExtKeyUsageServerAuth ,
181+ x509 .ExtKeyUsageOCSPSigning ,
182+ },
183+ }},
184+ },
185+ {
186+ name : "delegated responder without OCSP signing eku" ,
187+ resp : & ocsp.Response {Certificate : & x509.Certificate {
188+ Subject : pkix.Name {CommonName : "Not Authorized" },
189+ ExtKeyUsage : []x509.ExtKeyUsage {x509 .ExtKeyUsageServerAuth },
190+ }},
191+ wantErr : "does not carry id-kp-OCSPSigning" ,
192+ },
193+ {
194+ name : "delegated responder with empty eku" ,
195+ resp : & ocsp.Response {Certificate : & x509.Certificate {
196+ Subject : pkix.Name {CommonName : "No EKU" },
197+ }},
198+ wantErr : "does not carry id-kp-OCSPSigning" ,
199+ },
200+ }
201+
202+ for _ , tc := range tests {
203+ t .Run (tc .name , func (t * testing.T ) {
204+ err := validateOCSPResponder (tc .resp , issuer )
205+ if tc .wantErr == "" {
206+ if err != nil {
207+ t .Fatalf ("unexpected error: %v" , err )
208+ }
209+ return
210+ }
211+
212+ if err == nil {
213+ t .Fatalf ("expected error containing %q, got nil" , tc .wantErr )
214+ }
215+ if ! strings .Contains (err .Error (), tc .wantErr ) {
216+ t .Fatalf ("expected error containing %q, got %q" , tc .wantErr , err .Error ())
217+ }
218+ })
219+ }
220+ }
221+
156222func mustMakeCertificate (t * testing.T , cert , key string ) Certificate {
157223 t .Helper ()
158224 c , err := makeCertificate ([]byte (cert ), []byte (key ))
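Review bot: The "embedded responder cert is issuer cert" case (gutter 173) hands `validateOCSPResponder` the very same `*x509.Certificate` pointer it passes as `issuer`, so it cannot tell an implementation that compares pointers from one that compares certificate bytes, and a response parsed from the wire always yields a distinct object; re-parse the issuer for that case, e.g. `reparsed, err := x509.ParseCertificate(issuer.Raw)` checked with `t.Fatal`, and use `&ocsp.Response{Certificate: reparsed}`. The "delegated responder with OCSP signing eku" case (gutter 177) is accepted with a bare certificate that has no signature or issuer linkage at all, so nothing in this table exercises the requirement that a delegated responder be issued by the same CA (RFC 6960 §4.2.2.2); if `validateOCSPResponder` is meant to enforce that rather than rely on `ocsp.ParseResponseForCert` having already done it, a negative case with an unrelated-issuer certificate belongs here, and if it deliberately does not, a short comment on the table saying which check lives where would keep the next reader from assuming the EKU check is the only gate. `validateOCSPResponder` itself is outside this hunk, so both remarks are hedged on its body.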