Add support for OCSP verification

Signed-off-by: Fotis Nikolaidis <[email protected]>

CHANGELOG.md

@@ -103,6 +103,8 @@
 - A new `--reproducible` flag for `./mconfig` will configure Singularity so that
   its binaries do not contain non-reproducible paths. This disables plugin
   functionality.
+- Support for online verification checks of x509 certificates using OCSP protocol.
+  (introduced flag: `verify --ocsp-verify`)
 
 ### Bug Fixes
 

CONTRIBUTORS.md

@@ -44,6 +44,7 @@ The following have contributed code and/or documentation to this repository.
 - Eng Zer Jun <[email protected]>
 - Eric Müller <[email protected]>
 - Felix Abecassis <[email protected]>
+- Fotis Nikolaidis <[email protected]>
 - Geoffroy Vallee <[email protected]>, <[email protected]>
 - George Hartzell <[email protected]>
 - Gert Hulselmans <[email protected]>

cmd/internal/cli/verify.go

@@ -25,6 +25,7 @@ var (
 	certificatePath              string // --certificate flag
 	certificateIntermediatesPath string // --certificate-intermediates flag
 	certificateRootsPath         string // --certificate-roots flag
+	ocspVerify                   bool   // --ocsp-verify flag
 	pubKeyPath                   string // --key flag
 	localVerify                  bool   // -l flag
 	jsonVerify                   bool   // -j flag
@@ -113,6 +114,16 @@ var verifyCertificateRootsFlag = cmdline.Flag{
 	EnvKeys:      []string{"VERIFY_ROOTS"},
 }
 
+// --ocsp-verify
+var verifyOCSPFlag = cmdline.Flag{
+	ID:           "ocspVerifyFlag",
+	Value:        &ocspVerify,
+	DefaultValue: false,
+	Name:         "ocsp-verify",
+	Usage:        "enable online revocation check for certificates",
+	EnvKeys:      []string{"VERIFY_OCSP"},
+}
+
 // --key
 var verifyPublicKeyFlag = cmdline.Flag{
 	ID:           "publicKeyFlag",
@@ -175,6 +186,7 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&verifyCertificateFlag, VerifyCmd)
 		cmdManager.RegisterFlagForCmd(&verifyCertificateIntermediatesFlag, VerifyCmd)
 		cmdManager.RegisterFlagForCmd(&verifyCertificateRootsFlag, VerifyCmd)
+		cmdManager.RegisterFlagForCmd(&verifyOCSPFlag, VerifyCmd)
 		cmdManager.RegisterFlagForCmd(&verifyPublicKeyFlag, VerifyCmd)
 		cmdManager.RegisterFlagForCmd(&verifyLocalFlag, VerifyCmd)
 		cmdManager.RegisterFlagForCmd(&verifyJSONFlag, VerifyCmd)
@@ -228,6 +240,10 @@ func doVerifyCmd(cmd *cobra.Command, cpath string) {
 			opts = append(opts, singularity.OptVerifyWithRoots(p))
 		}
 
+		if cmd.Flag(verifyOCSPFlag.Name).Changed {
+			opts = append(opts, singularity.OptVerifyWithOCSP())
+		}
+
 	case cmd.Flag(verifyPublicKeyFlag.Name).Changed:
 		sylog.Infof("Verifying image with key material from '%v'", pubKeyPath)
 

e2e/verify/ocspcertificates/download_chain.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Step 1: Get the leaf certificate
+openssl s_client -connect www.akamai.com:443 < /dev/null 2>&1 |  sed -n '/-----BEGIN/,/-----END/p' > leaf.pem
+
+# Step 2: Get the intermediate certificate
+openssl s_client -showcerts -connect www.akamai.com:443 < /dev/null 2>&1 |  sed -n '/-----BEGIN/,/-----END/p' > intermediate.pem

e2e/verify/ocspcertificates/intermediate.pem

@@ -0,0 +1,63 @@
+-----BEGIN CERTIFICATE-----
+MIIGATCCBOmgAwIBAgIQCh5LiVVv3nEde7Li3/+ATzANBgkqhkiG9w0BAQsFADBP
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
+aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjA2MjIwMDAwMDBa
+Fw0yMzA2MjMyMzU5NTlaMHYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNo
+dXNldHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxIjAgBgNVBAoTGUFrYW1haSBUZWNo
+bm9sb2dpZXMsIEluYy4xFzAVBgNVBAMTDnd3dy5ha2FtYWkuY29tMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEiuc+zlu43bv55+s0Fj6RiBW+olZmc/AkoTP48CFC
+IGP1DET7Oufx6oe63GIuBzdVfR5D6R2z818b5gY1o2lBxqOCA3swggN3MB8GA1Ud
+IwQYMBaAFLdrouqoqoSMeeq02g+YssWVdrn0MB0GA1UdDgQWBBT86pFIu848aqiQ
+L73R3pUDjECAnDAlBgNVHREEHjAcgg53d3cuYWthbWFpLmNvbYIKYWthbWFpLmNv
+bTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MIGPBgNVHR8EgYcwgYQwQKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9E
+aWdpQ2VydFRMU1JTQVNIQTI1NjIwMjBDQTEtNC5jcmwwQKA+oDyGOmh0dHA6Ly9j
+cmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU1JTQVNIQTI1NjIwMjBDQTEtNC5j
+cmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3
+dy5kaWdpY2VydC5jb20vQ1BTMH8GCCsGAQUFBwEBBHMwcTAkBggrBgEFBQcwAYYY
+aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEkGCCsGAQUFBzAChj1odHRwOi8vY2Fj
+ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTEu
+Y3J0MAkGA1UdEwQCMAAwggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB3AOg+0No+
+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAABgYi+UIwAAAQDAEgwRgIhAJ1R
+BJT/F3l27vLAd65f6bsRlLdKe2B0g5iaNWn9qUOIAiEAzcfo21akKVUHdySdtIz/
+4xCXsm5hZlIr2AdtGVxiR0IAdgA1zxkbv7FsV78PrUxtQsu7ticgJlHqP+Eq76gD
+wzvWTAAAAYGIvlCWAAAEAwBHMEUCIQCflW6g5is3DB5BOoiOIck7g1GDZFQPvxYA
+2ssOnVqqkgIgIKBzdY0933/Bvdv69uhR9YGgNjF6pqCqcEFX2IhmqGkAdgC3Pvsk
+35xNunXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYGIvlCBAAAEAwBHMEUCIQD6
+l++PTabZ98GPjyGmbbCRsgJEJut6I7J5eolQfKQhAQIgP7sOIn+mhH5HNgU/6cS0
+T/dL3qVKI/DK2VVq2iLHQo8wDQYJKoZIhvcNAQELBQADggEBAEjCX4PWIZW//UGo
+7tBLfNdP3XOo7WbWZNqam9I+hXnlNhV8rl7kNnkhzXMMpF4ljOZ9dOblXT1aFGib
+kc8ucHcBXxd8wO8UB5R8FUeYDhE4BVJWAsdzRL8PT+RuY9xKfntXFKjpUI7FD4Cb
+LhpSh/cnBVfapUTY8RbDjb6SiLEkwWrppWUSEtDG0tSsYPuPHvZM+YTDCAfA2gdt
+yDsiPlNrBjo0h2YAt5kbzj5UoMkRmCGiA0qj/Mo2Cp31OUU45eaEELq0ilgLUlI+
+bjo+7eCvoiEWltwceoWazetWLW7fDTme29dZ4olGdPuGVq9G2Qj4x90sqvJOw+0/
+1to7zMw=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS
+U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a
+qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn
+g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW
+raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB
+Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r
+eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB
+/wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAU
+A95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG
+GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh
+Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNV
+HR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH
+bG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEB
+MAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IB
+AQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3z
+ax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7h
+qG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbC
+EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6
+ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E
+A7sKPPcw7+uvTPyLNhBzPvOk
+-----END CERTIFICATE-----

e2e/verify/ocspcertificates/leaf.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGATCCBOmgAwIBAgIQCh5LiVVv3nEde7Li3/+ATzANBgkqhkiG9w0BAQsFADBP
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
+aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjA2MjIwMDAwMDBa
+Fw0yMzA2MjMyMzU5NTlaMHYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNo
+dXNldHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxIjAgBgNVBAoTGUFrYW1haSBUZWNo
+bm9sb2dpZXMsIEluYy4xFzAVBgNVBAMTDnd3dy5ha2FtYWkuY29tMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEiuc+zlu43bv55+s0Fj6RiBW+olZmc/AkoTP48CFC
+IGP1DET7Oufx6oe63GIuBzdVfR5D6R2z818b5gY1o2lBxqOCA3swggN3MB8GA1Ud
+IwQYMBaAFLdrouqoqoSMeeq02g+YssWVdrn0MB0GA1UdDgQWBBT86pFIu848aqiQ
+L73R3pUDjECAnDAlBgNVHREEHjAcgg53d3cuYWthbWFpLmNvbYIKYWthbWFpLmNv
+bTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MIGPBgNVHR8EgYcwgYQwQKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9E
+aWdpQ2VydFRMU1JTQVNIQTI1NjIwMjBDQTEtNC5jcmwwQKA+oDyGOmh0dHA6Ly9j
+cmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU1JTQVNIQTI1NjIwMjBDQTEtNC5j
+cmwwPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3
+dy5kaWdpY2VydC5jb20vQ1BTMH8GCCsGAQUFBwEBBHMwcTAkBggrBgEFBQcwAYYY
+aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEkGCCsGAQUFBzAChj1odHRwOi8vY2Fj
+ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTEu
+Y3J0MAkGA1UdEwQCMAAwggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB3AOg+0No+
+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAABgYi+UIwAAAQDAEgwRgIhAJ1R
+BJT/F3l27vLAd65f6bsRlLdKe2B0g5iaNWn9qUOIAiEAzcfo21akKVUHdySdtIz/
+4xCXsm5hZlIr2AdtGVxiR0IAdgA1zxkbv7FsV78PrUxtQsu7ticgJlHqP+Eq76gD
+wzvWTAAAAYGIvlCWAAAEAwBHMEUCIQCflW6g5is3DB5BOoiOIck7g1GDZFQPvxYA
+2ssOnVqqkgIgIKBzdY0933/Bvdv69uhR9YGgNjF6pqCqcEFX2IhmqGkAdgC3Pvsk
+35xNunXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYGIvlCBAAAEAwBHMEUCIQD6
+l++PTabZ98GPjyGmbbCRsgJEJut6I7J5eolQfKQhAQIgP7sOIn+mhH5HNgU/6cS0
+T/dL3qVKI/DK2VVq2iLHQo8wDQYJKoZIhvcNAQELBQADggEBAEjCX4PWIZW//UGo
+7tBLfNdP3XOo7WbWZNqam9I+hXnlNhV8rl7kNnkhzXMMpF4ljOZ9dOblXT1aFGib
+kc8ucHcBXxd8wO8UB5R8FUeYDhE4BVJWAsdzRL8PT+RuY9xKfntXFKjpUI7FD4Cb
+LhpSh/cnBVfapUTY8RbDjb6SiLEkwWrppWUSEtDG0tSsYPuPHvZM+YTDCAfA2gdt
+yDsiPlNrBjo0h2YAt5kbzj5UoMkRmCGiA0qj/Mo2Cp31OUU45eaEELq0ilgLUlI+
+bjo+7eCvoiEWltwceoWazetWLW7fDTme29dZ4olGdPuGVq9G2Qj4x90sqvJOw+0/
+1to7zMw=
+-----END CERTIFICATE-----

e2e/verify/ocspresponder/index.txt

@@ -0,0 +1,3 @@
+V	300401030000Z		01	unknown	= US, O = Sylabs Inc., CN = root
+V	300401030000Z		02	unknown	= US, O = Sylabs Inc., CN = intermediate
+V	300401030000Z		03	unknown	= US, O = Sylabs Inc., CN = leaf

e2e/verify/ocspresponder/ocsp_responder.go

@@ -0,0 +1,62 @@
+// Copyright (c) 2022, Sylabs Inc. All rights reserved.
+// This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
+// distributed with the sources of this project regarding your rights to use or distribute this
+// software.
+
+package ocspresponder
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+)
+
+var DefaultOCSPResponderArgs = ResponderArgs{
+	IndexFile:    "./index.txt",
+	ServerPort:   "9999",
+	OCSPKeyPath:  filepath.Join("..", "test", "keys", "ecdsa-private.pem"), // see test/gen_certs.go
+	OCSPCertPath: filepath.Join("..", "test", "certs", "root.pem"),         // see test/gen_certs.go
+	CACertPath:   filepath.Join("..", "test", "certs", "root.pem"),
+}
+
+// ResponderArgs specifies the arguments for the OCSP Responder.
+type ResponderArgs struct {
+	// IndexFile is the Certificate status index file
+	IndexFile string
+
+	// ServerPort is the Port to run responder on.
+	ServerPort string
+
+	// OCSPKeyPath is the Responder key to sign responses with.
+	OCSPKeyPath string
+
+	// OCSPCertPath is the Responder certificate to sign responses with.
+	OCSPCertPath string
+
+	// CACertPath is CA certificate filename.
+	CACertPath string
+}
+
+// StartOCSPResponder runs the OCSP responder.
+func StartOCSPResponder(args ResponderArgs) error {
+	// ensure that the index file exists.
+	// if not, create is using the ./add_cert_to_index.sh
+	_, err := os.Stat(args.IndexFile)
+	if err != nil {
+		return err
+	}
+
+	cmd := exec.Command("openssl", []string{
+		"ocsp", "-text",
+		"-index", args.IndexFile,
+		"-port", args.ServerPort,
+		"-rsigner", args.OCSPCertPath,
+		"-rkey", args.OCSPKeyPath,
+		"-CA", args.CACertPath,
+	}...)
+
+	// cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	return cmd.Run()
+}

e2e/verify/ocspresponder/standalone/add_cert_to_index.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# pass the path to the PEM-encoded certificate as first argument to the script, and then append to index.txt
+
+crt=$1
+exp=$(date -d "$(openssl x509 -enddate -noout -in $crt | cut -d= -f 2)" +"%y%m%d%H%M%SZ")
+ser=$(openssl x509 -serial -noout -in $crt | cut -d= -f 2)
+sub=$(openssl x509 -subject -noout -in $crt | cut -d= -f 2- | cut -d' ' -f 2-)
+echo -e "V\t$exp\t\t$ser\tunknown\t$sub"

e2e/verify/ocspresponder/standalone/main.go

@@ -0,0 +1,15 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/sylabs/singularity/e2e/verify/ocspresponder"
+)
+
+func main() {
+	if err := ocspresponder.StartOCSPResponder(ocspresponder.DefaultOCSPResponderArgs); err != nil {
+		fmt.Fprintln(os.Stderr, "Error:", err)
+		os.Exit(1)
+	}
+}

e2e/verify/verify.go

@@ -6,9 +6,13 @@
 package verify
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
+	"time"
+
+	"github.com/sylabs/singularity/e2e/verify/ocspresponder"
 
 	"github.com/sylabs/singularity/e2e/internal/e2e"
 	"github.com/sylabs/singularity/e2e/internal/testhelper"
@@ -19,11 +23,15 @@ type ctx struct {
 }
 
 func (c *ctx) verify(t *testing.T) {
-	keyPath := filepath.Join("..", "test", "keys", "ed25519-public.pem")
+	pubKeyPath := filepath.Join("..", "test", "keys", "ed25519-public.pem")
+	priKeyPath := filepath.Join("..", "test", "keys", "ed25519-private.pem")
+
 	certPath := filepath.Join("..", "test", "certs", "leaf.pem")
 	intPath := filepath.Join("..", "test", "certs", "intermediate.pem")
 	rootPath := filepath.Join("..", "test", "certs", "root.pem")
 
+	c.startOCSPResponder(priKeyPath, rootPath)
+
 	tests := []struct {
 		name       string
 		envs       []string
@@ -113,19 +121,19 @@ func (c *ctx) verify(t *testing.T) {
 		},
 		{
 			name:      "KeyFlag",
-			flags:     []string{"--key", keyPath},
+			flags:     []string{"--key", pubKeyPath},
 			imagePath: filepath.Join("..", "test", "images", "one-group-signed-dsse.sif"),
 			expectOps: []e2e.SingularityCmdResultOp{
-				e2e.ExpectError(e2e.ContainMatch, "Verifying image with key material from '"+keyPath+"'"),
+				e2e.ExpectError(e2e.ContainMatch, "Verifying image with key material from '"+pubKeyPath+"'"),
 				e2e.ExpectError(e2e.ContainMatch, "Verified signature(s) from image"),
 			},
 		},
 		{
 			name:      "KeyEnvVar",
-			envs:      []string{"SINGULARITY_VERIFY_KEY=" + keyPath},
+			envs:      []string{"SINGULARITY_VERIFY_KEY=" + pubKeyPath},
 			imagePath: filepath.Join("..", "test", "images", "one-group-signed-dsse.sif"),
 			expectOps: []e2e.SingularityCmdResultOp{
-				e2e.ExpectError(e2e.ContainMatch, "Verifying image with key material from '"+keyPath+"'"),
+				e2e.ExpectError(e2e.ContainMatch, "Verifying image with key material from '"+pubKeyPath+"'"),
 				e2e.ExpectError(e2e.ContainMatch, "Verified signature(s) from image"),
 			},
 		},
@@ -155,6 +163,52 @@ func (c *ctx) verify(t *testing.T) {
 				e2e.ExpectError(e2e.ContainMatch, "Verified signature(s) from image"),
 			},
 		},
+		{
+			name: "OCSPFlags",
+			flags: []string{
+				"--certificate", certPath,
+				"--certificate-intermediates", intPath,
+				"--certificate-roots", rootPath,
+				"--ocsp-verify",
+			},
+			imagePath:  filepath.Join("..", "test", "images", "one-group-signed-dsse.sif"),
+			expectCode: 255,
+			expectOps: []e2e.SingularityCmdResultOp{
+				// Expect OCSP to fail due to https://github.com/sylabs/singularity/issues/1152
+				e2e.ExpectError(e2e.ContainMatch, "Failed to verify container: OCSP verification has failed"),
+			},
+		},
+		{
+			name: "OCSPEnvVars",
+			envs: []string{
+				"SINGULARITY_VERIFY_CERTIFICATE=" + certPath,
+				"SINGULARITY_VERIFY_INTERMEDIATES=" + intPath,
+				"SINGULARITY_VERIFY_ROOTS=" + rootPath,
+				"SINGULARITY_VERIFY_OCSP=true",
+			},
+			imagePath:  filepath.Join("..", "test", "images", "one-group-signed-dsse.sif"),
+			expectCode: 255,
+			expectOps: []e2e.SingularityCmdResultOp{
+				// Expect OCSP to fail due to https://github.com/sylabs/singularity/issues/1152
+				e2e.ExpectError(e2e.ContainMatch, "Failed to verify container: OCSP verification has failed"),
+			},
+		},
+		{
+			name: "OCSPThirdPartyChain",
+			flags: []string{
+				"--certificate", filepath.Join("./verify", "ocspcertificates", "leaf.pem"),
+				"--certificate-intermediates", filepath.Join("./verify", "ocspcertificates", "intermediate.pem"),
+				"--ocsp-verify",
+			},
+			imagePath:  filepath.Join("..", "test", "images", "one-group-signed-dsse.sif"),
+			expectCode: 255,
+			expectOps: []e2e.SingularityCmdResultOp{
+				e2e.ExpectError(e2e.ContainMatch, "Failed to verify container: x509: certificate specifies an incompatible key usage"),
+				// https://github.com/sylabs/singularity/pull/1213#pullrequestreview-1240524316
+				// Error Expect OCSP to succeed, but signature verification to fail.
+				// e2e.ExpectError(e2e.ContainMatch, "Failed to verify container: integrity: signature object 3 not valid: dsse: verify envelope failed: Accepted signatures do not match threshold, Found: 0, Expected 1"),
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -179,6 +233,25 @@ func (c *ctx) importPGPKeypairs(t *testing.T) {
 	)
 }
 
+func (c *ctx) startOCSPResponder(rootKeyPath string, rootCertPath string) {
+	// initiate OCSP responder to validate the singularity certificate chain
+	go func() {
+		args := ocspresponder.ResponderArgs{
+			IndexFile:    filepath.Join("./verify", "ocspresponder", "index.txt"),
+			ServerPort:   "9999",
+			OCSPKeyPath:  rootKeyPath,
+			OCSPCertPath: rootCertPath,
+			CACertPath:   rootCertPath,
+		}
+
+		if err := ocspresponder.StartOCSPResponder(args); err != nil {
+			panic(fmt.Errorf("responder initialization has failed due to '%s'", err))
+		}
+	}()
+
+	time.Sleep(5 * time.Second)
+}
+
 // E2ETests is the main func to trigger the test suite
 func E2ETests(env e2e.TestEnv) testhelper.Tests {
 	c := ctx{