Skip to content

test-tools: add generator for test/ocsptest.c PKI#243

Open
bukka wants to merge 2 commits into
openssl:masterfrom
bukka:test-tools-ocsp-verify
Open

test-tools: add generator for test/ocsptest.c PKI#243
bukka wants to merge 2 commits into
openssl:masterfrom
bukka:test-tools-ocsp-verify

Conversation

@bukka

@bukka bukka commented Jul 2, 2026

Copy link
Copy Markdown
Member

Add an ossl_test_tools ocsptest subpackage that generates the root CA, root key, and leaf certificate used by test/ocsptest.c, mirroring the crltest subpackage. The flat root -> leaf chain lets the root act as both the trust anchor and the authorized OCSP responder, and shipping the root key allows the C test to sign its own OCSP responses at run time.

Assisted-by: Claude:claude-opus-4-8

Add an ossl_test_tools ocsptest subpackage that generates the root CA,
root key, and leaf certificate used by test/ocsptest.c, mirroring the
crltest subpackage. The flat root -> leaf chain lets the root act as both
the trust anchor and the authorized OCSP responder, and shipping the root
key allows the C test to sign its own OCSP responses at run time.

Assisted-by: Claude:claude-opus-4-8
@bukka

bukka commented Jul 2, 2026

Copy link
Copy Markdown
Member Author

This is for certs and key used in openssl/openssl#31828

@t8m t8m requested a review from a team July 3, 2026 13:50

cert_util.update_cert_in_c(source_path, "kOcspTestRoot", root)
cert_util.update_key_in_c(source_path, "kOcspTestRootKey", root_key)
cert_util.update_cert_in_c(source_path, "kOcspTestLeaf", leaf)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes me a bit concerned for a few reasons:

  1. The updates that happen here don't seem to match the names provided. Running this:
uv run ossl-test-tools crltest all      --source /home/nhorman/git/openssl/test/crltest.c

Produces a diff in the crltest file that looks like this:

diff --git a/test/crltest.c b/test/crltest.c
index 3e06df10b7..5f185a8f78 100644
--- a/test/crltest.c
+++ b/test/crltest.c
@@ -90,21 +90,21 @@ static const char *kRoot2[] = {
     "MzYwMzA3MTIwMDAwWjCBizELMAkGA1UEBhMCVVMxDzANBgNVBAgMBk5ldmFkYTEN\n",
     "MAsGA1UEBwwEUmVubzEZMBcGA1UECgwQRXhhbXBsZSBBbHQgQ29ycDEeMBwGA1UE\n",
     "CwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSEwHwYDVQQDDBhFeGFtcGxlIEFsdCBD\n",
-    "b3JwIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTXGOg\n",
...
+    "b3JwIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDfg3jb\n",
...
@@ -810,20 +810,20 @@ static const char *kIndirectCRLIssuer[] = {
     "bGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFTATBgNVBAoMDEV4YW1w\n",
     "bGUgQ29ycDEeMBwGA1UECwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSkwJwYDVQQD\n",
     "DCBFeGFtcGxlIENvcnAgSW5kaXJlY3QgQ1JMIElzc3VlcjCCASIwDQYJKoZIhvcN\n",
-    "AQEBBQADggEPADCCAQoCggEBAKgcYFF3+Z/A12AMb3P9Isl959u4QpX/fx4d+A38\n",
...
+    "AQEBBQADggEPADCCAQoCggEBALnOrEYq5K/gMja6UvzOYY1LdQbLjhjCfDjbbhdo\n",
...

i.e. kOcspTestRoot, kOcspTestRootKey, and kOcspTestLeaf (none of which exist in the current crltest.c file) were not modified, but several other certificates/CRL's were, which seems unexpected

  1. We're modifiying source under scm here. While thats fine in and of itself, it seems like that might lead to inadvertent commits in future PR's. It might be nice, instead of modify the c source directly to use this utility to generate new pem files that tests like crltest.c (and others) could be modified to read.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not for crltest.c but for new ocsptest.c added in openssl/openssl#31828 .

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It shouldn't be a big issue because it won't be most likely run unless there is a need to replace algorithm or do some modifications. It's really more for just in case situations so it's potentially easy to modify the cert if there is a need for that and also to show what's actually in it.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, so perhaps thats my confusion, as the README that was previously added ahead of this PR indicates usage for this tool as follows:

## Use

    uv run ossl-test-tools crltest all      --source path/to/crltest.c
    uv run ossl-test-tools crltest indirect --source path/to/crltest.c
    uv run ossl-test-tools crltest alt-ta   --source path/to/crltest.c
    uv run ossl-test-tools crltest no-chain --source path/to/crltest.c

I ran that because, well, I don't know what I'm doing since this is a new tool for me, but despite your statement above that this is meant for a specific test, I would have expected running this command should have errored out indicating that the requested variables to change weren't found or some such.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But it does what it is asked to do. If you want to modify ocsptest you have to run uv run ossl-test-tools ocsptest ....

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah exactly the first param is the test to run. The README.md was a bit poor though so I just pushed update that makes it hopefully clearer.

@bukka bukka changed the title ocsptest: add generator for test/ocsptest.c PKI test-tools: add generator for test/ocsptest.c PKI Jul 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants