Commit 72f5216

panvaaduh95
authored andcommitted
test: use valid DER OCSP responses
Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #62805 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
1 parent e242394 commit 72f5216

1 file changed

+24-3Lines changed: 24 additions & 3 deletions


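--- a/test/parallel/test-tls-ocsp-callback.js
+++ b/test/parallel/test-tls-ocsp-callback.js
@@ -29,6 +29,7 @@ if (!common.hasCrypto) {
 const crypto = require('crypto');
 const tls = require('tls');
 const fixtures = require('../common/fixtures');
+const { hasOpenSSL } = require('../common/crypto');
 
 const assert = require('assert');
 
@@ -90,7 +91,10 @@ function test(testOptions, cb) {
 
 client.on('OCSPResponse', common.mustCall((resp) => {
 if (testOptions.response) {
-assert.strictEqual(resp.toString(), testOptions.response);
+if (Buffer.isBuffer(testOptions.response))
+assert.deepStrictEqual(resp, testOptions.response);
+else
+assert.strictEqual(resp.toString(), testOptions.response);
 client.destroy();
 } else {
 assert.strictEqual(resp, null);
@@ -103,10 +107,27 @@ function test(testOptions, cb) {
 }));
 }
 
+// OpenSSL 3.6+ validates that the value passed to
+// SSL_set_tlsext_status_ocsp_resp parses as DER, so the test responses need
+// to be valid DER-encoded OCSPResponse values.
+// Minimal OCSPResponse is SEQUENCE { ENUMERATED responseStatus } where
+// 0 = successful and 1 = malformedRequest.
+const response1 = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x00]);
+const response2 = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x01]);
+
 test({ ocsp: true, response: false });
-test({ ocsp: true, response: 'hello world' });
+test({ ocsp: true, response: response1 });
 test({ ocsp: false });
 
 if (!crypto.getFips()) {
-test({ ocsp: true, response: 'hello pfx', pfx: pfx, passphrase: 'sample' });
+test({ ocsp: true, response: response2, pfx: pfx, passphrase: 'sample' });
+}
+
+// Older OpenSSL versions accept arbitrary bytes (not just DER) as the OCSP
+// response, so additionally exercise the string path there.
+if (!hasOpenSSL(3, 6)) {
+test({ ocsp: true, response: 'hello world' });
+if (!crypto.getFips()) {
+test({ ocsp: true, response: 'hello pfx', pfx: pfx, passphrase: 'sample' });
+}
 }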
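Review bot: `response1` (new line 115) encodes `responseStatus = successful` with no `responseBytes`, which parses as DER but, as I read RFC 6960, is not a complete successful OCSP response, so a stricter parser or a later OpenSSL check could reject it. Using two error statuses would keep both fixtures well-formed without needing a signed BasicOCSPResponse, e.g. `const response1 = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x01]);` and `const response2 = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x02]);` (2 = internalError). The comment above the fixtures could also say that the handler only compares bytes, for example `// These responses are unsigned; the test checks pass-through to 'OCSPResponse' only, not OCSP validation.` Separately, nothing in the visible hunks pins what happens on OpenSSL 3.6+ when the server supplies a non-DER response; that path is now skipped rather than asserted.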
