tests: add OCSP responder CertID issuerKeyHash binding test

Adds resp_certid_keyhash_mismatch — a forged response signed by the
legitimate ocsp-responder whose CertID pairs the legitimate root CA's
issuerNameHash with the imposter root CA's issuerKeyHash. The new
test_ocsp_responder_keyhash_binding asserts wolfSSL_OCSP_basic_verify
rejects it, exercising the fix that requires both halves of the
CertID to match the responder's issuer.

Author: julek-wolfssl

tests/api.c

@@ -37520,6 +37520,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_wolfSSL_inject),
     TEST_DECL(test_ocsp_status_callback),
     TEST_DECL(test_ocsp_basic_verify),
+    TEST_DECL(test_ocsp_responder_keyhash_binding),
     TEST_DECL(test_ocsp_response_parsing),
     TEST_DECL(test_ocsp_certid_enc_dec),
     TEST_DECL(test_ocsp_certid_dup),

tests/api/create_ocsp_test_blobs.py

@@ -266,6 +266,23 @@ def create_response(rd: dict) -> rfc6960.OCSPResponse:
     for entry in rd.get('responses', []):
         if entry.get('certificate'):
             sr = single_response_from_cert(entry['certificate'], entry['status'])
+        elif entry.get('name_cert') and entry.get('key_cert'):
+            # Forge a CertID where issuerNameHash and issuerKeyHash are taken
+            # from different certificates. Used to test that responder
+            # authorization is bound to BOTH halves of the CertID.
+            name_der = cert_pem_to_der(entry['name_cert'])
+            name_cert, _ = decode(bytes(name_der), asn1Spec=rfc6960.Certificate())
+            key_der = cert_pem_to_der(entry['key_cert'])
+            key_cert, _ = decode(bytes(key_der), asn1Spec=rfc6960.Certificate())
+            issuer_name_hash = sha1(encode(get_name(name_cert))).digest()
+            issuer_key_hash = sha1(get_key(key_cert).asOctets()).digest()
+            cid = cert_id_from_hash(issuer_name_hash, issuer_key_hash,
+                                    entry['serial'])
+            sr = rfc6960.SingleResponse().clone()
+            sr.setComponentByName('certID', cid)
+            sr['certStatus'] = cert_status(entry['status'])
+            sr['thisUpdate'] = useful.GeneralizedTime().fromDateTime(
+                datetime.now() - timedelta(days=1))
         else:
             sr = single_response(entry['issuer_cert'], entry['serial'], entry['status'])
         responses.append(sr)
@@ -480,6 +497,28 @@ def create_bad_response(rd: dict) -> bytes:
             'responder_key': WOLFSSL_OCSP_CERT_PATH + '../ca-key.pem',
             'name': 'resp_server_cert_unknown'
         },
+        {
+            # Forged response: CertID's issuerNameHash points at the legitimate
+            # root CA, but issuerKeyHash points at the imposter root CA (same
+            # DN, different key). Signed by the legitimate ocsp-responder so
+            # the response signature alone verifies. Used to confirm that
+            # responder authorization rejects mismatched CertID halves.
+            'response_status': 0,
+            'signature_algorithm': signature_algorithm(),
+            'certs_path': [WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-cert.pem'],
+            'responder_by_name': True,
+            'responses': [
+                {
+                    'name_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
+                    'key_cert':  WOLFSSL_OCSP_CERT_PATH +
+                                 'imposter-root-ca-cert.pem',
+                    'serial': 0x01,
+                    'status': CERT_GOOD
+                }
+            ],
+            'responder_key': WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-key.pem',
+            'name': 'resp_certid_keyhash_mismatch'
+        },
     ]
 
     with open('./tests/api/test_ocsp_test_blobs.h', 'w') as f:
@@ -517,6 +556,7 @@ def create_bad_response(rd: dict) -> bytes:
         add_certificate(WOLFSSL_OCSP_CERT_PATH + '../ca-cert.pem', f)
         add_certificate(WOLFSSL_OCSP_CERT_PATH + '../server-cert.pem', f)
         add_certificate(WOLFSSL_OCSP_CERT_PATH + 'intermediate1-ca-cert.pem', f)
+        add_certificate(WOLFSSL_OCSP_CERT_PATH + 'imposter-root-ca-cert.pem', f)
         br = create_bad_response({
             'response_status': 0,
             'responder_by_key': True,

tests/api/test_ocsp.c

@@ -382,6 +382,48 @@ int test_ocsp_basic_verify(void)
 }
 #endif /* HAVE_OCSP  && (OPENSSL_ALL || OPENSSL_EXTRA) */
 
+#if defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && \
+    !defined(NO_RSA) && !defined(WOLFSSL_NO_OCSP_ISSUER_CHECK)
+/* Verify that OCSP responder authorization is bound to BOTH halves of the
+ * CertID (issuerNameHash AND issuerKeyHash). The forged response in
+ * resp_certid_keyhash_mismatch was signed by the legitimate ocsp-responder
+ * (so the response signature itself verifies) but its CertID pairs the
+ * legitimate root CA's name hash with the imposter root CA's key hash. With
+ * a name-only authorization check the response would be incorrectly
+ * accepted; the CertID-bound check must reject it. */
+int test_ocsp_responder_keyhash_binding(void)
+{
+    EXPECT_DECLS;
+    WOLF_STACK_OF(WOLFSSL_X509)* certs = NULL;
+    WOLFSSL_X509_STORE* store = NULL;
+    const unsigned char* ptr = NULL;
+    OcspResponse* response = NULL;
+
+    ExpectIntEQ(test_ocsp_create_x509store(&store, root_ca_cert_pem,
+                    sizeof(root_ca_cert_pem)),
+        TEST_SUCCESS);
+    ExpectIntEQ(test_create_stack_of_x509(&certs, ocsp_responder_cert_pem,
+                    sizeof(ocsp_responder_cert_pem)),
+        TEST_SUCCESS);
+
+    ptr = (const unsigned char*)resp_certid_keyhash_mismatch;
+    ExpectNotNull(response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr,
+                      sizeof(resp_certid_keyhash_mismatch)));
+    ExpectIntNE(wolfSSL_OCSP_basic_verify(response, certs, store, 0),
+        WOLFSSL_SUCCESS);
+
+    wolfSSL_OCSP_RESPONSE_free(response);
+    wolfSSL_sk_X509_pop_free(certs, wolfSSL_X509_free);
+    wolfSSL_X509_STORE_free(store);
+    return EXPECT_RESULT();
+}
+#else
+int test_ocsp_responder_keyhash_binding(void)
+{
+    return TEST_SKIPPED;
+}
+#endif
+
 #if defined(HAVE_OCSP) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) &&     \
     defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) &&  \
     defined(OPENSSL_ALL) && !defined(WOLFSSL_SMALL_CERT_VERIFY)

tests/api/test_ocsp.h

@@ -26,6 +26,7 @@ int test_ocsp_certid_enc_dec(void);
 int test_ocsp_certid_dup(void);
 int test_ocsp_status_callback(void);
 int test_ocsp_basic_verify(void);
+int test_ocsp_responder_keyhash_binding(void);
 int test_ocsp_response_parsing(void);
 int test_ocsp_tls_cert_cb(void);
 int test_ocsp_cert_unknown_crl_fallback(void);