test: use valid DER OCSP responses · nodejs/node@036bc6f
@@ -29,6 +29,7 @@ if (!common.hasCrypto) {
2929const crypto = require('crypto');
3030const tls = require('tls');
3131const fixtures = require('../common/fixtures');
32+const { hasOpenSSL } = require('../common/crypto');
32333334const assert = require('assert');
3435@@ -90,7 +91,10 @@ function test(testOptions, cb) {
90919192client.on('OCSPResponse', common.mustCall((resp) => {
9293if (testOptions.response) {
93-assert.strictEqual(resp.toString(), testOptions.response);
94+if (Buffer.isBuffer(testOptions.response))
95+assert.deepStrictEqual(resp, testOptions.response);
96+else
97+assert.strictEqual(resp.toString(), testOptions.response);
9498client.destroy();
9599} else {
96100assert.strictEqual(resp, null);
@@ -103,10 +107,27 @@ function test(testOptions, cb) {
103107}));
104108}
105109110+// OpenSSL 3.6+ validates that the value passed to
111+// SSL_set_tlsext_status_ocsp_resp parses as DER, so the test responses need
112+// to be valid DER-encoded OCSPResponse values.
113+// Minimal OCSPResponse is SEQUENCE { ENUMERATED responseStatus } where
114+// 0 = successful and 1 = malformedRequest.
115+const response1 = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x00]);
116+const response2 = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x01]);
117+106118test({ ocsp: true, response: false });
107-test({ ocsp: true, response: 'hello world' });
119+test({ ocsp: true, response: response1 });
108120test({ ocsp: false });
109121110122if (!crypto.getFips()) {
111-test({ ocsp: true, response: 'hello pfx', pfx: pfx, passphrase: 'sample' });
123+test({ ocsp: true, response: response2, pfx: pfx, passphrase: 'sample' });
124+}
125+126+// Older OpenSSL versions accept arbitrary bytes (not just DER) as the OCSP
127+// response, so additionally exercise the string path there.
128+if (!hasOpenSSL(3, 6)) {
129+test({ ocsp: true, response: 'hello world' });
130+if (!crypto.getFips()) {
131+test({ ocsp: true, response: 'hello pfx', pfx: pfx, passphrase: 'sample' });
132+}
112133}
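Review bot: The fixture names `response1` and `response2` in the third hunk hide the distinction the comment above them spells out (responseStatus 0 = successful, 1 = malformedRequest), so a reader of the `test({ ocsp: true, response: response2, ... })` lines has to scroll back to learn which status each case staples; naming them after the status, `const successfulResponse = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x00]);` and `const malformedRequestResponse = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x01]);`, makes each call site self-describing. It is also worth recording in that comment that the 0 = successful fixture carries no responseBytes, which is valid DER for the OCSPResponse SEQUENCE but not what a real responder emits for a successful status, so if a future OpenSSL checks more than DER syntax this is the fixture to revisit first. The test as written only verifies the stapled bytes reach the client's OCSPResponse handler unchanged, so a comment stating that neither status value is meant to be interpreted by the client would keep the intent clear. The second hunk's branch on Buffer.isBuffer sits inside `function test`, whose start and end are outside that hunk.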