diff options
Diffstat (limited to 'test/cmp_vfy_test.c')
| -rw-r--r-- | test/cmp_vfy_test.c | 48 |
1 files changed, 33 insertions, 15 deletions
diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c index b82ae142c24d..114b1044975f 100644 --- a/test/cmp_vfy_test.c +++ b/test/cmp_vfy_test.c @@ -61,7 +61,7 @@ static CMP_VFY_TEST_FIXTURE *set_up(const char *const test_case_name) fixture->test_case_name = test_case_name; if (ts == NULL || !TEST_ptr(fixture->cmp_ctx = OSSL_CMP_CTX_new(libctx, NULL)) - || !OSSL_CMP_CTX_set0_trustedStore(fixture->cmp_ctx, ts) + || !OSSL_CMP_CTX_set0_trusted(fixture->cmp_ctx, ts) || !OSSL_CMP_CTX_set_log_cb(fixture->cmp_ctx, print_to_bio_out)) { tear_down(fixture); X509_STORE_free(ts); @@ -104,6 +104,7 @@ static int execute_verify_popo_test(CMP_VFY_TEST_FIXTURE *fixture) if (fixture->expected == 0) { const OSSL_CRMF_MSGS *reqs = fixture->msg->body->value.ir; const OSSL_CRMF_MSG *req = sk_OSSL_CRMF_MSG_value(reqs, 0); + if (req == NULL || !flip_bit(req->popo->value.signature->signature)) return 0; } @@ -130,16 +131,20 @@ static int test_verify_popo_bad(void) } #endif +/* indirectly checks also OSSL_CMP_validate_msg() */ static int execute_validate_msg_test(CMP_VFY_TEST_FIXTURE *fixture) { - return TEST_int_eq(fixture->expected, - ossl_cmp_msg_check_update(fixture->cmp_ctx, fixture->msg, - NULL, 0)); + int res = TEST_int_eq(fixture->expected, + ossl_cmp_msg_check_update(fixture->cmp_ctx, + fixture->msg, NULL, 0)); + X509 *validated = OSSL_CMP_CTX_get0_validatedSrvCert(fixture->cmp_ctx); + + return res && (!fixture->expected || TEST_ptr_eq(validated, fixture->cert)); } static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture) { - X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx); + X509_STORE *ts = OSSL_CMP_CTX_get0_trusted(fixture->cmp_ctx); int res = TEST_int_eq(fixture->expected, OSSL_CMP_validate_cert_path(fixture->cmp_ctx, ts, fixture->cert)); @@ -151,9 +156,10 @@ static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture) static int test_validate_msg_mac_alg_protection(int miss, int wrong) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->cert = NULL; fixture->expected = !miss && !wrong; - if (!TEST_true(miss ? OSSL_CMP_CTX_set0_trustedStore(fixture->cmp_ctx, NULL) + if (!TEST_true(miss ? OSSL_CMP_CTX_set0_trusted(fixture->cmp_ctx, NULL) : OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1, wrong ? 4 : sizeof(sec_1))) || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f, libctx))) { @@ -169,6 +175,7 @@ static int test_validate_msg_mac_alg_protection_ok(void) return test_validate_msg_mac_alg_protection(0, 0); } +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_validate_msg_mac_alg_protection_missing(void) { return test_validate_msg_mac_alg_protection(1, 0); @@ -179,7 +186,6 @@ static int test_validate_msg_mac_alg_protection_wrong(void) return test_validate_msg_mac_alg_protection(0, 1); } -#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_validate_msg_mac_alg_protection_bad(void) { const unsigned char sec_bad[] = { @@ -188,6 +194,7 @@ static int test_validate_msg_mac_alg_protection_bad(void) }; SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->cert = NULL; fixture->expected = 0; if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_bad, @@ -203,7 +210,7 @@ static int test_validate_msg_mac_alg_protection_bad(void) static int add_trusted(OSSL_CMP_CTX *ctx, X509 *cert) { - return X509_STORE_add_cert(OSSL_CMP_CTX_get0_trustedStore(ctx), cert); + return X509_STORE_add_cert(OSSL_CMP_CTX_get0_trusted(ctx), cert); } static int add_untrusted(OSSL_CMP_CTX *ctx, X509 *cert) @@ -217,8 +224,9 @@ static int test_validate_msg_signature_partial_chain(int expired) X509_STORE *ts; SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->cert = srvcert; - ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx); + ts = OSSL_CMP_CTX_get0_trusted(fixture->cmp_ctx); fixture->expected = !expired; if (ts == NULL || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx)) @@ -227,6 +235,7 @@ static int test_validate_msg_signature_partial_chain(int expired) fixture = NULL; } else { X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN); if (expired) X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration); @@ -265,10 +274,12 @@ static int test_validate_msg_signature_srvcert(int bad_sig, int miss, int wrong) return result; } +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_validate_msg_signature_srvcert_missing(void) { return test_validate_msg_signature_srvcert(0, 1, 0); } +#endif static int test_validate_msg_signature_srvcert_wrong(void) { @@ -290,6 +301,7 @@ static int test_validate_msg_signature_sender_cert_srvcert(void) static int test_validate_msg_signature_sender_cert_untrusted(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->cert = insta_cert; fixture->expected = 1; if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx)) || !add_trusted(fixture->cmp_ctx, instaca_cert) @@ -304,6 +316,7 @@ static int test_validate_msg_signature_sender_cert_untrusted(void) static int test_validate_msg_signature_sender_cert_trusted(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->cert = insta_cert; fixture->expected = 1; if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx)) || !add_trusted(fixture->cmp_ctx, instaca_cert) @@ -323,18 +336,20 @@ static int test_validate_msg_signature_sender_cert_extracert(void) || !add_trusted(fixture->cmp_ctx, instaca_cert)) { tear_down(fixture); fixture = NULL; + } else { + fixture->cert = sk_X509_value(fixture->msg->extraCerts, 1); /* Insta CA */ } EXECUTE_TEST(execute_validate_msg_test, tear_down); return result; } - #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_validate_msg_signature_sender_cert_absent(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); fixture->expected = 0; - if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx))) { + if (!TEST_ptr(fixture->msg = + load_pkimsg(ir_protected_0_extracerts, libctx))) { tear_down(fixture); fixture = NULL; } @@ -346,6 +361,7 @@ static int test_validate_msg_signature_sender_cert_absent(void) static int test_validate_with_sender(const X509_NAME *name, int expected) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->cert = srvcert; fixture->expected = expected; if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx)) || !TEST_true(OSSL_CMP_CTX_set1_expected_sender(fixture->cmp_ctx, name)) @@ -386,8 +402,9 @@ static void setup_path(CMP_VFY_TEST_FIXTURE **fixture, X509 *wrong, int expired) (*fixture)->cert = endentity2; (*fixture)->expected = wrong == NULL && !expired; if (expired) { - X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore((*fixture)->cmp_ctx); + X509_STORE *ts = OSSL_CMP_CTX_get0_trusted((*fixture)->cmp_ctx); X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration); } if (!add_trusted((*fixture)->cmp_ctx, wrong == NULL ? root : wrong) @@ -434,7 +451,7 @@ static int execute_msg_check_test(CMP_VFY_TEST_FIXTURE *fixture) fixture->additional_arg))) return 0; - if (fixture->expected == 0) /* error expected aready during above check */ + if (fixture->expected == 0) /* error expected already during above check */ return 1; return TEST_int_eq(0, @@ -471,6 +488,7 @@ static void setup_check_update(CMP_VFY_TEST_FIXTURE **fixture, int expected, (*fixture) = NULL; } else if (trid_data != NULL) { ASN1_OCTET_STRING *trid = ASN1_OCTET_STRING_new(); + if (trid == NULL || !ASN1_OCTET_STRING_set(trid, trid_data, OSSL_CMP_TRANSACTIONID_LENGTH) @@ -574,7 +592,6 @@ void cleanup_tests(void) return; } - #define USAGE "server.crt client.crt " \ "EndEntity1.crt EndEntity2.crt " \ "Root_CA.crt Intermediate_CA.crt " \ @@ -642,7 +659,8 @@ int setup_tests(void) if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH))) goto err; if (!TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f, libctx)) - || !TEST_ptr(ir_rmprotection = load_pkimsg(ir_rmprotection_f, libctx))) + || !TEST_ptr(ir_rmprotection = load_pkimsg(ir_rmprotection_f, + libctx))) goto err; /* Message validation tests */ |