diff options
| author | Matt Caswell <matt@openssl.org> | 2021-12-30 16:38:28 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2022-01-27 15:30:04 +0000 |
| commit | 8447f2e3912c810a02ed1c8641db27ff70ded5ba (patch) | |
| tree | a7a07ca1b0af8c8e9d9f83562576cdd5b69622d9 /test | |
| parent | 4aa82850267defd772ddf74a88d515ef4fb566b8 (diff) | |
Add a test for X509_STORE_CTX_set_purpose()
This function was previously incorrectly failing if it is called with
X509_PURPOSE_ANY. Add a test to catch this.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17382)
Diffstat (limited to 'test')
| -rw-r--r-- | test/recipes/70-test_verify_extra.t | 8 | ||||
| -rw-r--r-- | test/verify_extra_test.c | 121 |
2 files changed, 111 insertions, 18 deletions
diff --git a/test/recipes/70-test_verify_extra.t b/test/recipes/70-test_verify_extra.t index b4bd013f36..27bd8a58f3 100644 --- a/test/recipes/70-test_verify_extra.t +++ b/test/recipes/70-test_verify_extra.t @@ -7,15 +7,11 @@ # https://www.openssl.org/source/license.html -use OpenSSL::Test qw/:DEFAULT srctop_file/; +use OpenSSL::Test qw/:DEFAULT srctop_dir/; setup("test_verify_extra"); plan tests => 1; ok(run(test(["verify_extra_test", - srctop_file("test", "certs", "rootCA.pem"), - srctop_file("test", "certs", "roots.pem"), - srctop_file("test", "certs", "untrusted.pem"), - srctop_file("test", "certs", "bad.pem"), - srctop_file("test", "certs", "sm2-csr.pem")]))); + srctop_dir("test", "certs")]))); diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c index d03dc0c71d..4ccf8f0a7f 100644 --- a/test/verify_extra_test.c +++ b/test/verify_extra_test.c @@ -12,15 +12,20 @@ #include <openssl/crypto.h> #include <openssl/bio.h> #include <openssl/x509.h> +#include <openssl/x509v3.h> #include <openssl/pem.h> #include <openssl/err.h> #include "testutil.h" -static const char *root_f; -static const char *roots_f; -static const char *untrusted_f; -static const char *bad_f; -static const char *req_f; +static const char *certs_dir; +static char *root_f = NULL; +static char *roots_f = NULL; +static char *untrusted_f = NULL; +static char *bad_f = NULL; +static char *req_f = NULL; +static char *sroot_cert = NULL; +static char *ca_cert = NULL; +static char *ee_cert = NULL; #define load_cert_from_file(file) load_cert_pem(file, NULL) @@ -99,8 +104,6 @@ static int test_alt_chains_cert_forgery(void) return ret; } -OPT_TEST_DECLARE_USAGE("roots.pem untrusted.pem bad.pem\n") - static int test_distinguishing_id(void) { X509 *x = NULL; @@ -219,6 +222,76 @@ static int test_store_ctx(void) return test_self_signed(bad_f, 0, 0); } +static int do_test_purpose(int purpose, int expected) +{ + X509 *eecert = load_cert_from_file(ee_cert); /* may result in NULL */ + X509 *untrcert = load_cert_from_file(ca_cert); + X509 *trcert = load_cert_from_file(sroot_cert); + STACK_OF(X509) *trusted = sk_X509_new_null(); + STACK_OF(X509) *untrusted = sk_X509_new_null(); + X509_STORE_CTX *ctx = X509_STORE_CTX_new(); + int testresult = 0; + + if (!TEST_ptr(eecert) + || !TEST_ptr(untrcert) + || !TEST_ptr(trcert) + || !TEST_ptr(trusted) + || !TEST_ptr(untrusted) + || !TEST_ptr(ctx)) + goto err; + + + if (!TEST_true(sk_X509_push(trusted, trcert))) + goto err; + trcert = NULL; + if (!TEST_true(sk_X509_push(untrusted, untrcert))) + goto err; + untrcert = NULL; + + if (!TEST_true(X509_STORE_CTX_init(ctx, NULL, eecert, untrusted))) + goto err; + + if (!TEST_true(X509_STORE_CTX_set_purpose(ctx, purpose))) + goto err; + + /* + * X509_STORE_CTX_set0_trusted_stack() is bady named. Despite the set0 name + * we are still responsible for freeing trusted after we have finished with + * it. + */ + X509_STORE_CTX_set0_trusted_stack(ctx, trusted); + + if (!TEST_int_eq(X509_verify_cert(ctx), expected)) + goto err; + + testresult = 1; + err: + OSSL_STACK_OF_X509_free(trusted); + OSSL_STACK_OF_X509_free(untrusted); + X509_STORE_CTX_free(ctx); + X509_free(eecert); + X509_free(untrcert); + X509_free(trcert); + return testresult; +} + +static int test_purpose_ssl_client(void) +{ + return do_test_purpose(X509_PURPOSE_SSL_CLIENT, 0); +} + +static int test_purpose_ssl_server(void) +{ + return do_test_purpose(X509_PURPOSE_SSL_SERVER, 1); +} + +static int test_purpose_any(void) +{ + return do_test_purpose(X509_PURPOSE_ANY, 1); +} + +OPT_TEST_DECLARE_USAGE("certs-dir\n") + int setup_tests(void) { if (!test_skip_common_options()) { @@ -226,13 +299,19 @@ int setup_tests(void) return 0; } - if (!TEST_ptr(root_f = test_get_argument(0)) - || !TEST_ptr(roots_f = test_get_argument(1)) - || !TEST_ptr(untrusted_f = test_get_argument(2)) - || !TEST_ptr(bad_f = test_get_argument(3)) - || !TEST_ptr(req_f = test_get_argument(4))) + if (!TEST_ptr(certs_dir = test_get_argument(0))) return 0; + if (!TEST_ptr(root_f = test_mk_file_path(certs_dir, "rootCA.pem")) + || !TEST_ptr(roots_f = test_mk_file_path(certs_dir, "roots.pem")) + || !TEST_ptr(untrusted_f = test_mk_file_path(certs_dir, "untrusted.pem")) + || !TEST_ptr(bad_f = test_mk_file_path(certs_dir, "bad.pem")) + || !TEST_ptr(req_f = test_mk_file_path(certs_dir, "sm2-csr.pem")) + || !TEST_ptr(sroot_cert = test_mk_file_path(certs_dir, "sroot-cert.pem")) + || !TEST_ptr(ca_cert = test_mk_file_path(certs_dir, "ca-cert.pem")) + || !TEST_ptr(ee_cert = test_mk_file_path(certs_dir, "ee-cert.pem"))) + goto err; + ADD_TEST(test_alt_chains_cert_forgery); ADD_TEST(test_store_ctx); ADD_TEST(test_distinguishing_id); @@ -240,5 +319,23 @@ int setup_tests(void) ADD_TEST(test_self_signed_good); ADD_TEST(test_self_signed_bad); ADD_TEST(test_self_signed_error); + ADD_TEST(test_purpose_ssl_client); + ADD_TEST(test_purpose_ssl_server); + ADD_TEST(test_purpose_any); return 1; + err: + cleanup_tests(); + return 0; +} + +void cleanup_tests(void) +{ + OPENSSL_free(root_f); + OPENSSL_free(roots_f); + OPENSSL_free(untrusted_f); + OPENSSL_free(bad_f); + OPENSSL_free(req_f); + OPENSSL_free(sroot_cert); + OPENSSL_free(ca_cert); + OPENSSL_free(ee_cert); } |