
Commit 5cc916d

committed
test: use valid DER OCSP responses
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
1 parent f69ddff commit 5cc916d

1 file changed

+24
-3
lines changed


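--- a/test/parallel/test-tls-ocsp-callback.js
+++ b/test/parallel/test-tls-ocsp-callback.js
@@ -29,6 +29,7 @@ if (!common.hasCrypto) {
 const crypto = require('crypto');
 const tls = require('tls');
 const fixtures = require('../common/fixtures');
+const { hasOpenSSL } = require('../common/crypto');
 
 const assert = require('assert');
 
@@ -90,7 +91,10 @@ function test(testOptions, cb) {
 
   client.on('OCSPResponse', common.mustCall((resp) => {
     if (testOptions.response) {
-      assert.strictEqual(resp.toString(), testOptions.response);
+      if (Buffer.isBuffer(testOptions.response))
+        assert.deepStrictEqual(resp, testOptions.response);
+      else
+        assert.strictEqual(resp.toString(), testOptions.response);
       client.destroy();
     } else {
       assert.strictEqual(resp, null);
@@ -103,10 +107,27 @@ function test(testOptions, cb) {
   }));
 }
 
+// OpenSSL 3.6+ validates that the value passed to
+// SSL_set_tlsext_status_ocsp_resp parses as DER, so the test responses need
+// to be valid DER-encoded OCSPResponse values.
+// Minimal OCSPResponse is SEQUENCE { ENUMERATED responseStatus } where
+// 0 = successful and 1 = malformedRequest.
+const response1 = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x00]);
+const response2 = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x01]);
+
 test({ ocsp: true, response: false });
-test({ ocsp: true, response: 'hello world' });
+test({ ocsp: true, response: response1 });
 test({ ocsp: false });
 
 if (!crypto.getFips()) {
-  test({ ocsp: true, response: 'hello pfx', pfx: pfx, passphrase: 'sample' });
+  test({ ocsp: true, response: response2, pfx: pfx, passphrase: 'sample' });
+}
+
+// Older OpenSSL versions accept arbitrary bytes (not just DER) as the OCSP
+// response, so additionally exercise the string path there.
+if (!hasOpenSSL(3, 6)) {
+  test({ ocsp: true, response: 'hello world' });
+  if (!crypto.getFips()) {
+    test({ ocsp: true, response: 'hello pfx', pfx: pfx, passphrase: 'sample' });
+  }
 }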
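Review bot: The two DER fixtures are named `response1`/`response2` while the comment above them is the only place that says which responseStatus each encodes; naming them by status would let the `test(...)` calls read on their own, e.g. `const successfulResponse = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x00]);` and `const malformedRequestResponse = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x01]);`. The comment could also cite the structure's source so a future reader can check the encoding against the spec: `// OCSPResponse ::= SEQUENCE { responseStatus OCSPResponseStatus, responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } (RFC 6960, section 4.2.1)`. In the OCSPResponse callback, the new braceless `if`/`else` around two assertions in the middle of a braced block is a readability nit; `{ }` on both branches would match the surrounding style. Note that on OpenSSL 3.6+ the `resp.toString()` branch is never exercised since the string-response cases are now gated behind `!hasOpenSSL(3, 6)`, which looks intended but may be worth a one-line comment at the `else`.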
