Diffstat (limited to 'test/cmp_client_test.c')
| -rw-r--r-- | test/cmp_client_test.c | 75 |
1 files changed, 54 insertions, 21 deletions
diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c index b0681e85876c..c2072c1be25c 100644 --- a/test/cmp_client_test.c +++ b/test/cmp_client_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2026 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -35,7 +35,7 @@ static EVP_PKEY *server_key = NULL; static X509 *server_cert = NULL; static EVP_PKEY *client_key = NULL; static X509 *client_cert = NULL; -static unsigned char ref[CMP_TEST_REFVALUE_LENGTH]; +static unsigned char ref[CMP_TEST_REFVALUE_LENGTH]; /* not actually used */ /* * For these unit tests, the client abandons message protection, and for @@ -51,6 +51,30 @@ static void tear_down(CMP_SES_TEST_FIXTURE *fixture) OPENSSL_free(fixture); } +static int set_simple_trust(OSSL_CMP_CTX *ctx, X509 *trusted) +{ + X509_STORE *ts = X509_STORE_new(); + X509_VERIFY_PARAM *vpm; + + /* + * not simply using OSSL_CMP_CTX_set1_srvCert() (to pin the server cert) + * in order to make sure that validated server cert gets cached, + * which is needed for the negative test case test_exec_KUR_bad_pkiConf_protection + */ + if (ts == NULL || !X509_STORE_add_cert(ts, trusted)) + goto err; + + vpm = X509_STORE_get0_param(ts); + if (!X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME | X509_V_FLAG_PARTIAL_CHAIN) + || !OSSL_CMP_CTX_set0_trusted(ctx, ts)) + goto err; + + return 1; +err: + X509_STORE_free(ts); + return 0; +} + static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name) { CMP_SES_TEST_FIXTURE *fixture; 
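Review bot: In the new set_simple_trust(), the flags `X509_V_FLAG_NO_CHECK_TIME | X509_V_FLAG_PARTIAL_CHAIN` are set without explanation; the existing comment only says why srvCert pinning is avoided. Both flags relax path validation, since validity periods are no longer checked and any certificate in the store is accepted as a trust anchor. I would add a line above the set_flags call such as `/* test-only relaxations: test certs may be expired, and the server cert itself serves as trust anchor */`, so the helper is not copied into non-test code. A one-line header comment on ownership would also help: on success `ts` appears to be handed over to ctx by OSSL_CMP_CTX_set0_trusted(), and on failure it is freed here.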
@@ -70,15 +94,15 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name) goto err; if (!TEST_ptr(fixture->cmp_ctx = ctx = OSSL_CMP_CTX_new(libctx, NULL)) || !OSSL_CMP_CTX_set_log_cb(fixture->cmp_ctx, print_to_bio_out) - || !OSSL_CMP_CTX_set_transfer_cb(ctx, OSSL_CMP_CTX_server_perform) + /* using default verbosity: OSSL_CMP_LOG_INFO */ + || !OSSL_CMP_CTX_set_transfer_cb(ctx, ossl_cmp_mock_server_perform) || !OSSL_CMP_CTX_set_transfer_cb_arg(ctx, fixture->srv_ctx) || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1) - || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, 1) || !OSSL_CMP_CTX_set1_oldCert(ctx, client_cert) || !OSSL_CMP_CTX_set1_pkey(ctx, client_key) /* client_key is by default used also for newPkey */ - || !OSSL_CMP_CTX_set1_srvCert(ctx, server_cert) - || !OSSL_CMP_CTX_set1_referenceValue(ctx, ref, sizeof(ref))) + || !set_simple_trust(ctx, server_cert) + || !OSSL_CMP_CTX_set1_referenceValue(ctx, ref, sizeof(ref))) /* not actually needed */ goto err; fixture->req_type = -1; return fixture; @@ -128,9 +152,7 @@ static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture) int status = OSSL_CMP_CTX_get_status(ctx); OSSL_CMP_CTX_print_errors(ctx); - if (!TEST_int_eq(status, fixture->expected) - && !(fixture->expected == OSSL_CMP_PKISTATUS_waiting - && TEST_int_eq(status, OSSL_CMP_PKISTATUS_trans))) + if (!TEST_int_eq(status, fixture->expected)) return 0; if (fixture->expected != OSSL_CMP_PKISTATUS_accepted) return TEST_ptr_null(res); @@ -234,9 +256,9 @@ static int test_exec_IR_ses_poll_no_timeout(void) static int test_exec_IR_ses_poll_total_timeout(void) { - return !test_exec_REQ_ses_poll(OSSL_CMP_PKIBODY_IR, checkAfter + 1, + return test_exec_REQ_ses_poll(OSSL_CMP_PKIBODY_IR, checkAfter + 1, 3 /* pollCount */, checkAfter + 6, - OSSL_CMP_PKISTATUS_waiting); + OSSL_CMP_PKISTATUS_trans); } static int test_exec_CR_ses(int implicit_confirm, int granted, int reject) 
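Review bot: The `OSSL_CMP_CTX_set1_referenceValue(ctx, ref, sizeof(ref))` call in set_up() is now annotated `/* not actually needed */`, and matching annotations are added to the `ref` declaration and to the `RAND_bytes_ex()` call in setup_tests(). If the value really is unused, removing all three would be cleaner than keeping dead fixture setup. If it is kept on purpose, state the reason once at the declaration, e.g. `/* set on the ctx but not used for protection in these tests */`. Separately, with `OSSL_CMP_OPT_UNPROTECTED_ERRORS` removed and server trust now configured, the block comment that begins "the client abandons message protection" may be stale; its remainder lies outside the visible hunks, so this needs checking.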
@@ -266,7 +288,9 @@ static int test_exec_CR_ses_implicit_confirm(void) && test_exec_CR_ses(1, 1 /* granted */, 0); } -static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified) +/* the KUR transactions include certConf/pkiConf */ +static int test_exec_KUR_ses(int transfer_error, int server_use_bad_protection, + int pubkey, int raverified) { SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); fixture->req_type = OSSL_CMP_PKIBODY_KUR; @@ -274,6 +298,8 @@ static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified) if (transfer_error) OSSL_CMP_CTX_set_transfer_cb_arg(fixture->cmp_ctx, NULL); + (void)ossl_cmp_mock_srv_set_useBadProtection(fixture->srv_ctx, server_use_bad_protection); + if (pubkey) { EVP_PKEY *key = raverified /* wrong key */ ? server_key : client_key; @@ -286,7 +312,8 @@ static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified) if (pubkey || raverified) OSSL_CMP_CTX_set_option(fixture->cmp_ctx, OSSL_CMP_OPT_POPO_METHOD, OSSL_CRMF_POPO_RAVERIFIED); - fixture->expected = transfer_error ? OSSL_CMP_PKISTATUS_trans : raverified ? OSSL_CMP_PKISTATUS_rejection + fixture->expected = transfer_error ? OSSL_CMP_PKISTATUS_trans : raverified ? (pubkey ? OSSL_CMP_PKISTATUS_rejected_by_client : OSSL_CMP_PKISTATUS_rejection) + : server_use_bad_protection != -1 ? OSSL_CMP_PKISTATUS_checking_response : OSSL_CMP_PKISTATUS_accepted; EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down); return result; 
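Review bot: The result of `ossl_cmp_mock_srv_set_useBadProtection(fixture->srv_ctx, server_use_bad_protection)` in test_exec_KUR_ses() is discarded with `(void)`. If the mock server does not accept the setting, a negative case would run against a correctly protecting server and pass or fail for the wrong reason. Checking it, for instance with `TEST_true(ossl_cmp_mock_srv_set_useBadProtection(fixture->srv_ctx, server_use_bad_protection))`, and abandoning the fixture on failure would make that visible; this assumes the setter returns 1 on success, as the cast suggests. The function body continues outside this hunk.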
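Review bot: The `fixture->expected` assignment in test_exec_KUR_ses() is now a four-level nested conditional with one branch on an overlong line, which makes the precedence between `raverified`, `pubkey` and `server_use_bad_protection` hard to check by eye. An if/else chain states the same mapping one case per line. The sentinel `-1` for "no bad protection" is not documented at the signature either; a short comment there, such as `/* server_use_bad_protection: body type to protect badly, or -1 for none */`, would help, if that is indeed the meaning.

```c
/* … unchanged: POPO option setup … */
if (transfer_error)
    fixture->expected = OSSL_CMP_PKISTATUS_trans;
else if (raverified)
    fixture->expected = pubkey ? OSSL_CMP_PKISTATUS_rejected_by_client
                               : OSSL_CMP_PKISTATUS_rejection;
else if (server_use_bad_protection != -1)
    fixture->expected = OSSL_CMP_PKISTATUS_checking_response;
else
    fixture->expected = OSSL_CMP_PKISTATUS_accepted;
/* … unchanged: EXECUTE_TEST and return … */
```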
@@ -294,18 +321,23 @@ static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified) static int test_exec_KUR_ses_ok(void) { - return test_exec_KUR_ses(0, 0, 0); + return test_exec_KUR_ses(0, -1, 0, 0); } static int test_exec_KUR_ses_transfer_error(void) { - return test_exec_KUR_ses(1, 0, 0); + return test_exec_KUR_ses(1, -1, 0, 0); +} + +static int test_exec_KUR_bad_pkiConf_protection(void) +{ + return test_exec_KUR_ses(0, -1 /* disabled: OSSL_CMP_PKIBODY_PKICONF */, 0, 0); } static int test_exec_KUR_ses_wrong_popo(void) { #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION /* cf ossl_cmp_verify_popo() */ - return test_exec_KUR_ses(0, 0, 1); + return test_exec_KUR_ses(0, -1, 0, 1); #else return 1; #endif @@ -313,12 +345,12 @@ static int test_exec_KUR_ses_wrong_popo(void) static int test_exec_KUR_ses_pub(void) { - return test_exec_KUR_ses(0, 1, 0); + return test_exec_KUR_ses(0, -1, 1, 0); } static int test_exec_KUR_ses_wrong_pub(void) { - return test_exec_KUR_ses(0, 1, 1); + return test_exec_KUR_ses(0, -1, 1, 1); } static int test_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, @@ -340,7 +372,7 @@ static int test_exec_P10CR_ses(int reject) SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); fixture->req_type = OSSL_CMP_PKIBODY_P10CR; - fixture->expected = reject ? OSSL_CMP_PKISTATUS_rejection + fixture->expected = reject ? OSSL_CMP_PKISTATUS_rejected_by_client : OSSL_CMP_PKISTATUS_accepted; ctx = fixture->cmp_ctx; if (!TEST_ptr(csr = load_csr_der(pkcs10_f, libctx)) @@ -436,7 +468,7 @@ static int test_exec_GENM_ses_poll_total_timeout(void) { return test_exec_REQ_ses_poll(OSSL_CMP_PKIBODY_GENM, checkAfter + 1, 3 /* pollCount */, checkAfter + 2, - OSSL_CMP_PKISTATUS_waiting); + OSSL_CMP_PKISTATUS_trans); } static int test_exec_GENM_ses(int transfer_error, int total_timeout, int expect) 
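Review bot: test_exec_KUR_bad_pkiConf_protection() passes `-1` for server_use_bad_protection, exactly the arguments of test_exec_KUR_ses_ok(), so the mock server is never told to send a badly protected pkiConf. The `OSSL_CMP_PKISTATUS_checking_response` expectation in test_exec_KUR_ses() is therefore never reached. Because the test is registered with ADD_TEST, it reports a pass for a rejection path it does not exercise, which overstates coverage of the client's response-protection check. Either pass the body type, `return test_exec_KUR_ses(0, OSSL_CMP_PKIBODY_PKICONF, 0, 0);`, or, if the case cannot be enabled yet, make that explicit with `return TEST_skip("bad pkiConf protection case not enabled");` and a comment giving the reason.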
@@ -546,7 +578,7 @@ int setup_tests(void) || !TEST_ptr(server_cert = load_cert_pem(server_cert_f, libctx)) || !TEST_ptr(client_key = load_pkey_pem(client_key_f, libctx)) || !TEST_ptr(client_cert = load_cert_pem(client_cert_f, libctx)) - || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref), 0))) { + || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref), 0))) { /* not actually used */ cleanup_tests(); return 0; } @@ -562,6 +594,7 @@ int setup_tests(void) ADD_TEST(test_exec_IR_ses_poll_total_timeout); ADD_TEST(test_exec_KUR_ses_ok); ADD_TEST(test_exec_KUR_ses_transfer_error); + ADD_TEST(test_exec_KUR_bad_pkiConf_protection); ADD_TEST(test_exec_KUR_ses_wrong_popo); ADD_TEST(test_exec_KUR_ses_pub); ADD_TEST(test_exec_KUR_ses_wrong_pub); |
