/*
 * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
953060421Schristos
1053060421Schristos #include <string.h>
1153060421Schristos
1253060421Schristos #include <openssl/opensslconf.h>
1353060421Schristos #include <openssl/crypto.h>
1453060421Schristos #include <openssl/ocsp.h>
1553060421Schristos #include <openssl/x509.h>
1653060421Schristos #include <openssl/asn1.h>
1753060421Schristos #include <openssl/pem.h>
1853060421Schristos
1953060421Schristos #include "testutil.h"
2053060421Schristos
/*
 * Paths of the PEM private key and certificate named on the command line.
 * Both are assigned once in setup_tests() from the positional arguments and
 * only read afterwards by the get_cert*() helpers.
 */
static const char *privkeystr;
static const char *certstr;
2353060421Schristos
2453060421Schristos #ifndef OPENSSL_NO_OCSP
/*
 * Load the test certificate and private key from the PEM files named by the
 * file-scope certstr / privkeystr (set in setup_tests()).
 *
 * On success writes both objects to *cert_out / *key_out, transfers ownership
 * to the caller (X509_free / EVP_PKEY_free) and returns 1. On any failure the
 * TEST_* macros have already recorded the error, nothing is written to the
 * out-parameters, and 0 is returned.
 */
static int get_cert_and_key(X509 **cert_out, EVP_PKEY **key_out)
{
    X509 *cert = NULL;
    EVP_PKEY *key = NULL;
    BIO *in;
    int ok = 0;

    if (!TEST_ptr(in = BIO_new_file(certstr, "r")))
        return 0;
    cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
    BIO_free(in);

    /* The key file is opened even if the cert did not parse; both are
     * reported together below so one run shows every bad input. */
    if (!TEST_ptr(in = BIO_new_file(privkeystr, "r")))
        goto done;
    key = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
    BIO_free(in);

    if (TEST_ptr(cert) && TEST_ptr(key)) {
        *cert_out = cert;
        *key_out = key;
        /* Ownership handed over: make the cleanup below a no-op. */
        cert = NULL;
        key = NULL;
        ok = 1;
    }
done:
    X509_free(cert);
    EVP_PKEY_free(key);
    return ok;
}
4953060421Schristos
/*
 * Load only the test certificate from the PEM file named by certstr.
 *
 * On success stores the new X509 in *cert_out (caller frees with X509_free)
 * and returns 1; otherwise leaves *cert_out untouched and returns 0.
 */
static int get_cert(X509 **cert_out)
{
    BIO *in;
    X509 *cert;

    if (!TEST_ptr(in = BIO_new_file(certstr, "r")))
        return 0;
    cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
    BIO_free(in);
    if (!TEST_ptr(cert))
        return 0;

    *cert_out = cert;
    return 1;
}
67a3b08d93Schristos
/*
 * Build a minimal, unsigned OCSP basic response carrying exactly one
 * single-response entry with status "unknown".
 *
 * The cert ID is synthetic: an issuer name whose CN is "openssl.example.com",
 * a fixed 128-byte placeholder issuer key and serial number 1, hashed with
 * SHA-256. thisUpdate is "now" and nextUpdate is 200 seconds later.
 *
 * Returns the new OCSP_BASICRESP (caller frees with OCSP_BASICRESP_free) or
 * NULL after a TEST_* failure. All intermediate objects are released here;
 * the cert ID is freed unconditionally because the "add1" call is expected
 * to keep its own copy (OpenSSL's 1-suffix convention).
 */
static OCSP_BASICRESP *make_dummy_resp(void)
{
    const unsigned char cn[] = "openssl.example.com";
    unsigned char placeholder_key[128] = {7};
    OCSP_BASICRESP *resp = OCSP_BASICRESP_new();
    OCSP_BASICRESP *result = NULL;
    OCSP_CERTID *cid = NULL;
    ASN1_TIME *this_upd = ASN1_TIME_set(NULL, time(NULL));
    ASN1_TIME *next_upd = ASN1_TIME_set(NULL, time(NULL) + 200);
    X509_NAME *issuer = X509_NAME_new();
    ASN1_BIT_STRING *issuer_key = ASN1_BIT_STRING_new();
    ASN1_INTEGER *serial = ASN1_INTEGER_new();

    /* Inputs to the cert ID first; each failure jumps to the common cleanup. */
    if (!TEST_ptr(issuer) || !TEST_ptr(issuer_key) || !TEST_ptr(serial))
        goto done;
    if (!TEST_true(X509_NAME_add_entry_by_NID(issuer, NID_commonName,
                                              MBSTRING_ASC, cn, -1, -1, 1)))
        goto done;
    if (!TEST_true(ASN1_BIT_STRING_set(issuer_key, placeholder_key,
                                       sizeof(placeholder_key))))
        goto done;
    if (!TEST_true(ASN1_INTEGER_set_uint64(serial, (uint64_t)1)))
        goto done;

    cid = OCSP_cert_id_new(EVP_sha256(), issuer, issuer_key, serial);

    /* The response container and timestamps are checked only now so that
     * a failed allocation above is reported before anything else. */
    if (!TEST_ptr(resp) || !TEST_ptr(this_upd) || !TEST_ptr(next_upd)
            || !TEST_ptr(cid))
        goto done;
    if (!TEST_true(OCSP_basic_add1_status(resp, cid,
                                          V_OCSP_CERTSTATUS_UNKNOWN,
                                          0, NULL, this_upd, next_upd)))
        goto done;

    /* Success: hand the response to the caller and keep cleanup from freeing it. */
    result = resp;
    resp = NULL;
done:
    ASN1_TIME_free(this_upd);
    ASN1_TIME_free(next_upd);
    ASN1_BIT_STRING_free(issuer_key);
    ASN1_INTEGER_free(serial);
    OCSP_CERTID_free(cid);
    OCSP_BASICRESP_free(resp);
    X509_NAME_free(issuer);
    return result;
}
11153060421Schristos
/*
 * Check that OCSP_resp_get0_signer() locates the responder certificate in
 * both places the API allows:
 *
 *  1. the response carries no certificates (OCSP_NOCERTS), so the signer must
 *     be found among the extra, untrusted certs passed by the caller;
 *  2. the response embeds the signer cert and no extra certs are supplied.
 *
 * In both cases the returned pointer must compare equal to the certificate
 * the response was signed with. Returns 1 on success, 0 on failure.
 */
static int test_resp_signer(void)
{
    OCSP_BASICRESP *resp = NULL;
    STACK_OF(X509) *untrusted = NULL;
    X509 *signer = NULL;
    X509 *found = NULL;
    EVP_PKEY *key = NULL;
    int ok = 0;

    /* Case 1: no certs in the response, signer supplied out of band. */
    resp = make_dummy_resp();
    untrusted = sk_X509_new_null();
    if (!TEST_ptr(resp) || !TEST_ptr(untrusted))
        goto done;
    if (!TEST_true(get_cert_and_key(&signer, &key)))
        goto done;
    /* Plain push: the stack does not take a reference, so signer is still
     * owned (and freed) by this function and the stack is freed with
     * sk_X509_free(), not sk_X509_pop_free(). */
    if (!TEST_true(sk_X509_push(untrusted, signer)))
        goto done;
    /* SHA-1 is only the signing digest of this throwaway response; what is
     * under test is signer lookup, not the digest. */
    if (!TEST_true(OCSP_basic_sign(resp, signer, key, EVP_sha1(),
                                   NULL, OCSP_NOCERTS)))
        goto done;
    /* get0: found is borrowed from the response / stack, never freed here. */
    if (!TEST_true(OCSP_resp_get0_signer(resp, &found, untrusted)))
        goto done;
    if (!TEST_int_eq(X509_cmp(found, signer), 0))
        goto done;
    OCSP_BASICRESP_free(resp);

    /* Case 2: signer cert embedded in the response, no extra certs. */
    found = NULL;
    resp = make_dummy_resp();
    if (!TEST_ptr(resp))
        goto done;
    if (!TEST_true(OCSP_basic_sign(resp, signer, key, EVP_sha1(), NULL, 0)))
        goto done;
    if (!TEST_true(OCSP_resp_get0_signer(resp, &found, NULL))
            || !TEST_int_eq(X509_cmp(found, signer), 0))
        goto done;

    ok = 1;
done:
    OCSP_BASICRESP_free(resp);
    sk_X509_free(untrusted);
    X509_free(signer);
    EVP_PKEY_free(key);
    return ok;
}
156a3b08d93Schristos
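/*
 * Exercise the ACCESS_DESCRIPTION lifecycle for three variants selected by
 * testcase (driven by ADD_ALL_TESTS(..., 3) in setup_tests()):
 *
 *  0: create and free the object unchanged;
 *  1: require the default location to be present, then release it and
 *     leave the field NULL before freeing;
 *  2: swap the default location for a fresh GENERAL_NAME before freeing.
 *
 * Any other testcase is reported as an error. Returns 1 on success, 0 on
 * failure. The object is freed on every path, including the failing ones.
 */
static int test_access_description(int testcase)
{
    ACCESS_DESCRIPTION *ad = ACCESS_DESCRIPTION_new();
    int ret = 0;

    if (!TEST_ptr(ad))
        goto err;

    switch (testcase) {
    case 0: /* no change */
        break;
    case 1: /* check and release current location */
        if (!TEST_ptr(ad->location))
            goto err;
        GENERAL_NAME_free(ad->location);
        ad->location = NULL;
        break;
    case 2: /* replace current location */
        GENERAL_NAME_free(ad->location);
        ad->location = GENERAL_NAME_new();
        if (!TEST_ptr(ad->location))
            goto err;
        break;
    default:
        TEST_error("unexpected testcase %d", testcase);
        goto err;
    }
    ret = 1;
err:
    /*
     * Freed after the label so the failing branches of cases 1 and 2 no
     * longer leak ad (and whatever location it still holds); the free
     * functions accept NULL, so the allocation-failure path is fine too.
     */
    ACCESS_DESCRIPTION_free(ad);
    return ret;
}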
186a3b08d93Schristos
/*
 * Build a serviceLocator extension from the test cert's issuer name and a
 * fixed NULL-terminated list of responder URLs, then free it. The point of
 * the test is that the call succeeds and releases everything it allocated
 * (leak checkers see the whole round trip). Returns 1 on success, 0 otherwise.
 */
static int test_ocsp_url_svcloc_new(void)
{
    static const char *urls[] = {
        "www.openssl.org",
        "www.openssl.net",
        NULL
    };
    X509 *issuer = NULL;
    X509_EXTENSION *ext;
    int ok = 0;

    if (!TEST_true(get_cert(&issuer)))
        goto done;

    ext = OCSP_url_svcloc_new(X509_get_issuer_name(issuer), urls);
    if (TEST_ptr(ext)) {
        X509_EXTENSION_free(ext);
        ok = 1;
    }
done:
    X509_free(issuer);
    return ok;
}
215a3b08d93Schristos
216a3b08d93Schristos #endif /* OPENSSL_NO_OCSP */
21753060421Schristos
/* Usage string for the test harness; the two positional arguments are read
 * back in setup_tests() via test_get_argument(0) and (1). */
OPT_TEST_DECLARE_USAGE("certfile privkeyfile\n")
219*b0d17251Schristos
/*
 * Harness entry point: consume the common options, record the certificate
 * and private-key file paths from the two positional arguments, and register
 * the OCSP tests (none when OCSP is compiled out). Returns 1 on success,
 * 0 when options or arguments are missing.
 */
int setup_tests(void)
{
    if (!test_skip_common_options()) {
        TEST_error("Error parsing test options\n");
        return 0;
    }

    /* The key path is only fetched once the cert path is known to be present. */
    certstr = test_get_argument(0);
    if (!TEST_ptr(certstr))
        return 0;
    privkeystr = test_get_argument(1);
    if (!TEST_ptr(privkeystr))
        return 0;

#ifndef OPENSSL_NO_OCSP
    ADD_TEST(test_resp_signer);
    ADD_ALL_TESTS(test_access_description, 3);
    ADD_TEST(test_ocsp_url_svcloc_new);
#endif
    return 1;
}
237