diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-02-15 14:57:32 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-02-17 07:43:58 +0100 |
commit | 31b28ad96aa841ae39d4009ebb15d90f2a2afdab (patch) | |
tree | 1c35d270dec05defdb07028911a67dbba82fe65c /test | |
parent | 235595c402bd7815f07f1f3f3babe9fcc247a206 (diff) |
chunk 7 of CMP contribution to OpenSSL
add CMP message validation and related tests; while doing so:
* add ERR_add_error_mem_bio() to crypto/err/err_prn.c
* move ossl_cmp_add_error_txt() as ERR_add_error_txt() to crypto/err/err_prn.c
* add X509_STORE_CTX_print_verify_cb() to crypto/x509/t_x509.c,
adding internally x509_print_ex_brief(), print_certs(), and print_store_certs()
* move {ossl_cmp_,}X509_STORE_get1_certs() to crypto/x509/x509_lu.c
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10620)
Diffstat (limited to 'test')
23 files changed, 879 insertions, 5 deletions
diff --git a/test/build.info b/test/build.info index c35bed086c..f964dec4ba 100644 --- a/test/build.info +++ b/test/build.info @@ -455,7 +455,7 @@ IF[{- !$disabled{tests} -}] IF[{- !$disabled{cmp} -}] PROGRAMS{noinst}=cmp_asn_test cmp_ctx_test cmp_status_test cmp_hdr_test \ - cmp_protect_test cmp_msg_test + cmp_protect_test cmp_msg_test cmp_vfy_test ENDIF SOURCE[cmp_asn_test]=cmp_asn_test.c cmp_testlib.c @@ -482,6 +482,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[cmp_msg_test]=.. ../include ../apps/include DEPEND[cmp_msg_test]=../libcrypto.a libtestutil.a + SOURCE[cmp_vfy_test]=cmp_status_test.c cmp_testlib.c + INCLUDE[cmp_vfy_test]=.. ../include ../apps/include + DEPEND[cmp_vfy_test]=../libcrypto.a libtestutil.a + # Internal test programs. These are essentially a collection of internal # test routines. Some of them need to reach internal symbols that aren't # available through the shared library (at least on Linux, Solaris, Windows diff --git a/test/cmp_ctx_test.c b/test/cmp_ctx_test.c index 5c637b0a3c..26c65778b9 100644 --- a/test/cmp_ctx_test.c +++ b/test/cmp_ctx_test.c @@ -169,7 +169,7 @@ static int execute_CTX_print_errors_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture) base_err_msg_size = strlen("INVALID_ARGS") + strlen(" : "); expected_size = base_err_msg_size; while (expected_size < 4096) { /* force split */ - ossl_cmp_add_error_txt(STR_SEP, max_str_literal); + ERR_add_error_txt(STR_SEP, max_str_literal); expected_size += strlen(STR_SEP) + strlen(max_str_literal); } expected_size += base_err_msg_size - 2 * strlen(STR_SEP); @@ -794,8 +794,7 @@ int setup_tests(void) #if !defined(OPENSSL_NO_ERR) && !defined(OPENSSL_NO_AUTOERRINIT) /* * also tests OSSL_CMP_CTX_set_log_cb(), OSSL_CMP_print_errors_cb(), - * ossl_cmp_add_error_txt(), and the macros - * ossl_cmp_add_error_data and ossl_cmp_add_error_line: + * and the macros ossl_cmp_add_error_data and ossl_cmp_add_error_line: */ ADD_TEST(test_CTX_print_errors); #endif diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c index 022dea6b7c..5d5df89abd 100644 --- a/test/cmp_protect_test.c +++ b/test/cmp_protect_test.c @@ -387,7 +387,7 @@ static int execute_X509_STORE_test(CMP_PROTECT_TEST_FIXTURE *fixture) fixture->certs, fixture->callback_arg))) goto err; - sk = ossl_cmp_X509_STORE_get1_certs(store); + sk = X509_STORE_get1_all_certs(store); if (!TEST_int_eq(0, STACK_OF_X509_cmp(sk, fixture->chain))) goto err; res = 1; diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c new file mode 100644 index 0000000000..41ddad86ba --- /dev/null +++ b/test/cmp_vfy_test.c @@ -0,0 +1,636 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "cmp_testlib.h" +#include "../crypto/crmf/crmf_local.h" /* for manipulating POPO signature */ + +static const char *server_f; +static const char *client_f; +static const char *endentity1_f; +static const char *endentity2_f; +static const char *root_f; +static const char *intermediate_f; +static const char *ir_protected_f; +static const char *ir_unprotected_f; +static const char *ir_rmprotection_f; +static const char *ip_waiting_f; +static const char *instacert_f; +static const char *instaca_f; +static const char *ir_protected_0_extracerts; +static const char *ir_protected_2_extracerts; + +typedef struct test_fixture { + const char *test_case_name; + int expected; + OSSL_CMP_CTX *cmp_ctx; + OSSL_CMP_MSG *msg; + X509 *cert; + ossl_cmp_allow_unprotected_cb_t allow_unprotected_cb; + int additional_arg; +} CMP_VFY_TEST_FIXTURE; + +static void tear_down(CMP_VFY_TEST_FIXTURE *fixture) +{ + OSSL_CMP_MSG_free(fixture->msg); + OSSL_CMP_CTX_free(fixture->cmp_ctx); + OPENSSL_free(fixture); +} + +static int print_to_bio_out(const char *func, const char *file, int line, + OSSL_CMP_severity level, const char *msg) +{ + return OSSL_CMP_print_to_bio(bio_out, func, file, line, level, msg); +} + +static time_t test_time_valid = 0, test_time_after_expiration = 0; + +static CMP_VFY_TEST_FIXTURE *set_up(const char *const test_case_name) +{ + X509_STORE *ts = X509_STORE_new(); + CMP_VFY_TEST_FIXTURE *fixture; + + if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) + return NULL; + fixture->test_case_name = test_case_name; + if (ts == NULL + || !TEST_ptr(fixture->cmp_ctx = OSSL_CMP_CTX_new()) + || !OSSL_CMP_CTX_set0_trustedStore(fixture->cmp_ctx, ts) + || !OSSL_CMP_CTX_set_log_cb(fixture->cmp_ctx, print_to_bio_out)) { + tear_down(fixture); + X509_STORE_free(ts); + return NULL; + } + X509_VERIFY_PARAM_set_time(X509_STORE_get0_param(ts), test_time_valid); + X509_STORE_set_verify_cb(ts, OSSL_CMP_print_cert_verify_cb); + return fixture; +} + +static X509 *srvcert = NULL; +static X509 *clcert = NULL; +/* chain */ +static X509 *endentity1 = NULL, *endentity2 = NULL, + *intermediate = NULL, *root = NULL; +/* INSTA chain */ +static X509 *insta_cert = NULL, *instaca_cert = NULL; + +static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH]; +static OSSL_CMP_MSG *ir_unprotected, *ir_rmprotection; + +static int flip_bit(ASN1_BIT_STRING *bitstr) +{ + int bit_num = 7; + int bit = ASN1_BIT_STRING_get_bit(bitstr, bit_num); + + return ASN1_BIT_STRING_set_bit(bitstr, bit_num, !bit); +} + +static int execute_verify_popo_test(CMP_VFY_TEST_FIXTURE *fixture) +{ + if ((fixture->msg = load_pkimsg(ir_protected_f)) == NULL) + return 0; + if (fixture->expected == 0) { + const OSSL_CRMF_MSGS *reqs = fixture->msg->body->value.ir; + const OSSL_CRMF_MSG *req = sk_OSSL_CRMF_MSG_value(reqs, 0); + if (req == NULL || !flip_bit(req->popo->value.signature->signature)) + return 0; + } + return TEST_int_eq(fixture->expected, + ossl_cmp_verify_popo(fixture->msg, + fixture->additional_arg)); +} + +static int test_verify_popo(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->expected = 1; + EXECUTE_TEST(execute_verify_popo_test, tear_down); + return result; +} + +static int test_verify_popo_bad(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->expected = 0; + EXECUTE_TEST(execute_verify_popo_test, tear_down); + return result; +} + +static int execute_validate_msg_test(CMP_VFY_TEST_FIXTURE *fixture) +{ + return TEST_int_eq(fixture->expected, + OSSL_CMP_validate_msg(fixture->cmp_ctx, fixture->msg)); +} + +static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture) +{ + X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx); + int res = TEST_int_eq(fixture->expected, + OSSL_CMP_validate_cert_path(fixture->cmp_ctx, + ts, fixture->cert)); + + OSSL_CMP_CTX_print_errors(fixture->cmp_ctx); + return res; +} + +static int test_validate_msg_mac_alg_protection(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + /* secret value belonging to cmp-test/CMP_IP_waitingStatus_PBM.der */ + const unsigned char sec_1[] = { + '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3', + 'Q', '-', 'u', 'd', 'N', 'R' + }; + + fixture->expected = 1; + if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1, + sizeof(sec_1))) + || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + +static int test_validate_msg_mac_alg_protection_bad(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + const unsigned char sec_bad[] = { + '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3', + 'Q', '-', 'u', 'd', 'N', 'r' + }; + fixture->expected = 0; + + if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_bad, + sizeof(sec_bad))) + || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + +static int add_trusted(OSSL_CMP_CTX *ctx, X509 *cert) +{ + return X509_STORE_add_cert(OSSL_CMP_CTX_get0_trustedStore(ctx), cert); +} + +static int add_untrusted(OSSL_CMP_CTX *ctx, X509 *cert) +{ + return ossl_cmp_sk_X509_add1_cert(OSSL_CMP_CTX_get0_untrusted_certs(ctx), + cert, 0, 0); +} + +static int test_validate_msg_signature_partial_chain(int expired) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx); + + fixture->expected = !expired; + if (ts == NULL + || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) + || !add_trusted(fixture->cmp_ctx, srvcert)) { + tear_down(fixture); + fixture = NULL; + } else { + X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN); + if (expired) + X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration); + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + +static int test_validate_msg_signature_trusted_ok(void) +{ + return test_validate_msg_signature_partial_chain(0); +} + +static int test_validate_msg_signature_trusted_expired(void) +{ + return test_validate_msg_signature_partial_chain(1); +} + +static int test_validate_msg_signature_srvcert_wrong(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->expected = 0; + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) + || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, clcert))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + +static int test_validate_msg_signature_srvcert(int bad_sig) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->expected = !bad_sig; + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) + || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert)) + || (bad_sig && !flip_bit(fixture->msg->protection))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + +static int test_validate_msg_signature_bad(void) +{ + return test_validate_msg_signature_srvcert(1); +} + +static int test_validate_msg_signature_sender_cert_srvcert(void) +{ + return test_validate_msg_signature_srvcert(0); +} + +static int test_validate_msg_signature_sender_cert_untrusted(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->expected = 1; + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts)) + || !add_trusted(fixture->cmp_ctx, instaca_cert) + || !add_untrusted(fixture->cmp_ctx, insta_cert)) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + +static int test_validate_msg_signature_sender_cert_trusted(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->expected = 1; + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts)) + || !add_trusted(fixture->cmp_ctx, instaca_cert) + || !add_trusted(fixture->cmp_ctx, insta_cert)) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + +static int test_validate_msg_signature_sender_cert_extracert(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->expected = 1; + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_2_extracerts)) + || !add_trusted(fixture->cmp_ctx, instaca_cert)) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + + +static int test_validate_msg_signature_sender_cert_absent(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->expected = 0; + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + + +static int test_validate_with_sender(X509_NAME *name, int expected) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->expected = expected; + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) + || !TEST_true(OSSL_CMP_CTX_set1_expected_sender(fixture->cmp_ctx, name)) + || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + +static int test_validate_msg_signature_expected_sender(void) +{ + return test_validate_with_sender(X509_get_subject_name(srvcert), 1); +} + +static int test_validate_msg_signature_unexpected_sender(void) +{ + return test_validate_with_sender(X509_get_subject_name(root), 0); +} + +static int test_validate_msg_unprotected_request(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->expected = 0; + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_validate_msg_test, tear_down); + return result; +} + +static void setup_path(CMP_VFY_TEST_FIXTURE **fixture, X509 *wrong, int expired) +{ + (*fixture)->cert = endentity2; + (*fixture)->expected = wrong == NULL && !expired; + if (expired) { + X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore((*fixture)->cmp_ctx); + X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration); + } + if (!add_trusted((*fixture)->cmp_ctx, wrong == NULL ? root : wrong) + || !add_untrusted((*fixture)->cmp_ctx, endentity1) + || !add_untrusted((*fixture)->cmp_ctx, intermediate)) { + tear_down((*fixture)); + (*fixture) = NULL; + } +} + +static int test_validate_cert_path_ok(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + setup_path(&fixture, NULL, 0); + EXECUTE_TEST(execute_validate_cert_path_test, tear_down); + return result; +} + +static int test_validate_cert_path_wrong_anchor(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + setup_path(&fixture, srvcert /* wrong/non-root cert */, 0); + EXECUTE_TEST(execute_validate_cert_path_test, tear_down); + return result; +} + +static int test_validate_cert_path_expired(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + setup_path(&fixture, NULL, 1); + EXECUTE_TEST(execute_validate_cert_path_test, tear_down); + return result; +} + +static int execute_MSG_check_received_test(CMP_VFY_TEST_FIXTURE *fixture) +{ + const OSSL_CMP_PKIHEADER *hdr = OSSL_CMP_MSG_get0_header(fixture->msg); + const ASN1_OCTET_STRING *tid = OSSL_CMP_HDR_get0_transactionID(hdr); + + if (!TEST_int_eq(fixture->expected, + ossl_cmp_msg_check_received(fixture->cmp_ctx, + fixture->msg, + fixture->allow_unprotected_cb, + fixture->additional_arg))) + return 0; + + if (fixture->expected < 0) /* error expected aready during above check */ + return 1; + return + TEST_int_eq(0, + ASN1_OCTET_STRING_cmp(ossl_cmp_hdr_get0_senderNonce(hdr), + fixture->cmp_ctx->recipNonce)) + && TEST_int_eq(0, + ASN1_OCTET_STRING_cmp(tid, + fixture->cmp_ctx->transactionID)); +} + +static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, + int invalid_protection, int allow) +{ + return allow; +} + +static void setup_check_received(CMP_VFY_TEST_FIXTURE **fixture, int expected, + ossl_cmp_allow_unprotected_cb_t cb, int arg, + const unsigned char *trid_data, + const unsigned char *nonce_data) +{ + OSSL_CMP_CTX *ctx = (*fixture)->cmp_ctx; + int nonce_len = OSSL_CMP_SENDERNONCE_LENGTH; + + (*fixture)->expected = expected; + (*fixture)->allow_unprotected_cb = cb; + (*fixture)->additional_arg = arg; + (*fixture)->msg = OSSL_CMP_MSG_dup(ir_rmprotection); + if ((*fixture)->msg == NULL + || (nonce_data != NULL + && !ossl_cmp_asn1_octet_string_set1_bytes(&ctx->senderNonce, + nonce_data, nonce_len))) { + tear_down((*fixture)); + (*fixture) = NULL; + } + else if (trid_data != NULL) { + ASN1_OCTET_STRING *trid = ASN1_OCTET_STRING_new(); + if (trid == NULL + || !ASN1_OCTET_STRING_set(trid, trid_data, + OSSL_CMP_TRANSACTIONID_LENGTH) + || !OSSL_CMP_CTX_set1_transactionID(ctx, trid)) { + tear_down((*fixture)); + (*fixture) = NULL; + } + ASN1_OCTET_STRING_free(trid); + } +} + +static int test_MSG_check_received_no_protection_no_cb(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + setup_check_received(&fixture, -1, NULL, 0, NULL, NULL); + EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + return result; +} + +static int test_MSG_check_received_no_protection_restrictive_cb(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + setup_check_received(&fixture, -1, allow_unprotected, 0, NULL, NULL); + EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + return result; +} + +static int test_MSG_check_received_no_protection_permissive_cb(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1, + NULL, NULL); + EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + return result; +} + +static int test_MSG_check_received_check_transaction_id(void) +{ + /* Transaction id belonging to CMP_IR_rmprotection.der */ + const unsigned char trans_id[OSSL_CMP_TRANSACTIONID_LENGTH] = { + 0x39, 0xB6, 0x90, 0x28, 0xC4, 0xBC, 0x7A, 0xF6, + 0xBE, 0xC6, 0x4A, 0x88, 0x97, 0xA6, 0x95, 0x0B + }; + + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1, + trans_id, NULL); + EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + return result; +} + +static int test_MSG_check_received_check_transaction_id_bad(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + setup_check_received(&fixture, -1, allow_unprotected, 1, rand_data, NULL); + EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + return result; +} + +static int test_MSG_check_received_check_recipient_nonce(void) +{ + /* Recipient nonce belonging to CMP_IP_ir_rmprotection.der */ + const unsigned char rec_nonce[OSSL_CMP_SENDERNONCE_LENGTH] = { + 0x48, 0xF1, 0x71, 0x1F, 0xE5, 0xAF, 0x1C, 0x8B, + 0x21, 0x97, 0x5C, 0x84, 0x74, 0x49, 0xBA, 0x32 + }; + + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1, + NULL, rec_nonce); + EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + return result; +} + +static int test_MSG_check_received_check_recipient_nonce_bad(void) +{ + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + setup_check_received(&fixture, -1, allow_unprotected, 1, NULL, rand_data); + EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + return result; +} + +void cleanup_tests(void) +{ + X509_free(srvcert); + X509_free(clcert); + X509_free(endentity1); + X509_free(endentity2); + X509_free(intermediate); + X509_free(root); + X509_free(insta_cert); + X509_free(instaca_cert); + OSSL_CMP_MSG_free(ir_unprotected); + OSSL_CMP_MSG_free(ir_rmprotection); + return; +} + +int setup_tests(void) +{ + /* Set test time stamps */ + struct tm ts = { 0 }; + + ts.tm_year = 2018 - 1900; /* 2018 */ + ts.tm_mon = 1; /* February */ + ts.tm_mday = 18; /* 18th */ + test_time_valid = mktime(&ts); /* February 18th 2018 */ + ts.tm_year += 10; /* February 18th 2028 */ + test_time_after_expiration = mktime(&ts); + + RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH); + if (!TEST_ptr(server_f = test_get_argument(0)) + || !TEST_ptr(client_f = test_get_argument(1)) + || !TEST_ptr(endentity1_f = test_get_argument(2)) + || !TEST_ptr(endentity2_f = test_get_argument(3)) + || !TEST_ptr(root_f = test_get_argument(4)) + || !TEST_ptr(intermediate_f = test_get_argument(5)) + || !TEST_ptr(ir_protected_f = test_get_argument(6)) + || !TEST_ptr(ir_unprotected_f = test_get_argument(7)) + || !TEST_ptr(ip_waiting_f = test_get_argument(8)) + || !TEST_ptr(ir_rmprotection_f = test_get_argument(9)) + || !TEST_ptr(instacert_f = test_get_argument(10)) + || !TEST_ptr(instaca_f = test_get_argument(11)) + || !TEST_ptr(ir_protected_0_extracerts = test_get_argument(12)) + || !TEST_ptr(ir_protected_2_extracerts = test_get_argument(13))) { + TEST_error("usage: cmp_vfy_test server.crt client.crt " + "EndEntity1.crt EndEntity2.crt " + "Root_CA.crt Intermediate_CA.crt " + "CMP_IR_protected.der CMP_IR_unprotected.der " + "IP_waitingStatus_PBM.der IR_rmprotection.der " + "insta.cert.pem insta_ca.cert.pem " + "IR_protected_0_extraCerts.der " + "IR_protected_2_extraCerts.der\n"); + return 0; + } + + /* Load certificates for cert chain */ + if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f)) + || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f)) + || !TEST_ptr(root = load_pem_cert(root_f)) + || !TEST_ptr(intermediate = load_pem_cert(intermediate_f))) + goto err; + + if (!TEST_ptr(insta_cert = load_pem_cert(instacert_f)) + || !TEST_ptr(instaca_cert = load_pem_cert(instaca_f))) + goto err; + + /* Load certificates for message validation */ + if (!TEST_ptr(srvcert = load_pem_cert(server_f)) + || !TEST_ptr(clcert = load_pem_cert(client_f))) + goto err; + if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH))) + goto err; + if (!TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f)) + || !TEST_ptr(ir_rmprotection = load_pkimsg(ir_rmprotection_f))) + goto err; + + /* Message validation tests */ + ADD_TEST(test_verify_popo); + ADD_TEST(test_verify_popo_bad); + ADD_TEST(test_validate_msg_signature_trusted_ok); + ADD_TEST(test_validate_msg_signature_trusted_expired); + ADD_TEST(test_validate_msg_signature_srvcert_wrong); + ADD_TEST(test_validate_msg_signature_bad); + ADD_TEST(test_validate_msg_signature_sender_cert_srvcert); + ADD_TEST(test_validate_msg_signature_sender_cert_untrusted); + ADD_TEST(test_validate_msg_signature_sender_cert_trusted); + ADD_TEST(test_validate_msg_signature_sender_cert_extracert); + ADD_TEST(test_validate_msg_signature_sender_cert_absent); + ADD_TEST(test_validate_msg_signature_expected_sender); + ADD_TEST(test_validate_msg_signature_unexpected_sender); + ADD_TEST(test_validate_msg_unprotected_request); + ADD_TEST(test_validate_msg_mac_alg_protection); + ADD_TEST(test_validate_msg_mac_alg_protection_bad); + + /* Cert path validation tests */ + ADD_TEST(test_validate_cert_path_ok); + ADD_TEST(test_validate_cert_path_expired); + ADD_TEST(test_validate_cert_path_wrong_anchor); + + ADD_TEST(test_MSG_check_received_no_protection_no_cb); + ADD_TEST(test_MSG_check_received_no_protection_restrictive_cb); + ADD_TEST(test_MSG_check_received_no_protection_permissive_cb); + ADD_TEST(test_MSG_check_received_check_transaction_id); + ADD_TEST(test_MSG_check_received_check_transaction_id_bad); + ADD_TEST(test_MSG_check_received_check_recipient_nonce); + ADD_TEST(test_MSG_check_received_check_recipient_nonce_bad); + + return 1; + + err: + cleanup_tests(); + return 0; + +} diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t new file mode 100644 index 0000000000..c07e693f8a --- /dev/null +++ b/test/recipes/65-test_cmp_vfy.t @@ -0,0 +1,36 @@ +#! /usr/bin/env perl +# Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright Nokia 2007-2019 +# Copyright Siemens AG 2015-2019 +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw/:DEFAULT data_file/; +use OpenSSL::Test::Utils; + +setup("test_cmp_vfy"); + +plan skip_all => "This test is not supported in a no-cmp build" + if disabled("cmp"); + +plan skip_all => "This test is not supported in a no-ec build" + if disabled("ec"); + +plan tests => 1; + +ok(run(test(["cmp_vfy_test", + data_file("server.crt"), data_file("client.crt"), + data_file("EndEntity1.crt"), data_file("EndEntity2.crt"), + data_file("Root_CA.crt"), data_file("Intermediate_CA.crt"), + data_file("IR_protected.der"), + data_file("IR_unprotected.der"), + data_file("IP_waitingStatus_PBM.der"), + data_file("IR_rmprotection.der"), + data_file("insta.cert.pem"), + data_file("insta_ca.cert.pem"), + data_file("IR_protected_0_extraCerts.der"), + data_file("IR_protected_2_extraCerts.der")]))); diff --git a/test/recipes/65-test_cmp_vfy_data/EndEntity1.crt b/test/recipes/65-test_cmp_vfy_data/EndEntity1.crt new file mode 100644 index 0000000000..4e05449889 --- /dev/null +++ b/test/recipes/65-test_cmp_vfy_data/EndEntity1.crt @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICnDCCAYSgAwIBAgIBAzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwdSb290 +IENBMB4XDTE3MTEwODE1NDgwMFoXDTE4MTEwODExMTkwMFowETEPMA0GA1UEAxMG +Q2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtNiWJufEotHe +p6E/4b0laX7K1NRamNoUokLIsq78RoBieBXaGxIdbT6zmhLnLmZdb0UN3v7FUP75 +rqPN2yyj3TbS4o5ilh5El8bDDAPhW5lthCddvH/uBziRAM5oIB4xxOumNbgHpLUT +Clh49sdXd4ydYpCTWld5emRouBmMUeP/0EkyWMBIrHGSBxrqtFVRXhxvVHImQv6Z +hIKql7dCVCZbhUtxw6sLxIGL4xlhKoM2o31k4I/9tjZrWSZZ7KAIOlOLrjxZc/bQ +MwvxVUgS+C+iXzhCY8v+N/K37jwtAAk4C1aOGv/VygNcN0C/ynfKSzFmtnfei4+3 +6GC7HtFzewIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQB3GYpPSCCYsJM5owKcODr/ +I1aJ8jQ+u5jCKjvYLp6Cnbr4AbRXzvKuMyV6UfIAQbrGOxAClvX++5/ZQbhY+TxN +iiUM3yr5yYCLqj4MeYHhJ3gOzcppAO9LQ9V7eA8C830giZMm3cpApFSLP8CpwNUD +W/fgoQfaOae5IYPZdea88Gmt5RVNbtHgVqtm4ifTQo577kfxTeh20s+M6pgYW3/R +vftXy2ITEtk/j3NcRvOyZ7Bu1mAg7wNeUjL+gDWAaxs16LsWsCsUGwfr/Z2Rq1CF +zB0XwIyigkVLDLqDzUShcw0Eb/zYy2KXsxNWA2tb27mw+T+tmmOszpn7JjLrlVks +-----END CERTIFICATE----- diff --git a/test/recipes/65-test_cmp_vfy_data/EndEntity2.crt b/test/recipes/65-test_cmp_vfy_data/EndEntity2.crt new file mode 100644 index 0000000000..ba06210794 --- /dev/null +++ b/test/recipes/65-test_cmp_vfy_data/EndEntity2.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB3zCCAZSgAwIBAgIBBjAKBggqhkjOPQQDAzAVMRMwEQYDVQQDEwpad2lzY2hl +bkNBMB4XDTE3MTEwODE2MDUwMFoXDTE4MTEwODExMTkwMFowEjEQMA4GA1UEAxMH +Q2xpZW50MjCCASIwDQYJKoZIhvcNAQEBB |