1b0d17251Schristos /*
24170684fSchristos * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
3b0d17251Schristos * Copyright Nokia 2007-2019
4b0d17251Schristos * Copyright Siemens AG 2015-2019
5b0d17251Schristos *
6b0d17251Schristos * Licensed under the Apache License 2.0 (the "License"). You may not use
7b0d17251Schristos * this file except in compliance with the License. You can obtain a copy
8b0d17251Schristos * in the file LICENSE in the source distribution or at
9b0d17251Schristos * https://www.openssl.org/source/license.html
10b0d17251Schristos */
11b0d17251Schristos
12b0d17251Schristos #include "helpers/cmp_testlib.h"
13b0d17251Schristos
/*
 * Paths of the DER-encoded PKIMessage inputs, taken from the positional
 * arguments in setup_tests() (argument indices 1, 2 and 3).
 */
static const char *ir_protected_f;   /* IR carrying a protection field */
static const char *ir_unprotected_f; /* IR without protection */
static const char *ip_PBM_f;         /* IP protected with a password-based MAC */
17b0d17251Schristos
/*
 * Per-test state. Created by set_up(), released by tear_down().
 * Only the members marked "owned" are freed by tear_down(); the others are
 * borrowed from the file-scope test material released in cleanup_tests().
 */
typedef struct test_fixture {
    const char *test_case_name;
    OSSL_CMP_CTX *cmp_ctx;      /* owned; created in set_up() */
    /* for protection tests */
    OSSL_CMP_MSG *msg;          /* owned; message under test */
    OSSL_CMP_PKISI *si; /* for error and response messages */ /* owned */
    EVP_PKEY *pubkey;           /* borrowed (e.g. loadedpubkey); not freed */
    unsigned char *mem;         /* owned */
    int memlen;
    X509 *cert;                 /* borrowed (e.g. endentity2); not freed */
    STACK_OF(X509) *certs;      /* owned container; X509 elements are borrowed */
    STACK_OF(X509) *chain;      /* owned container; expected result of chain/store tests */
    int with_ss;                /* passed to X509_build_chain(): include self-signed cert */
    int callback_arg;           /* passed to ossl_cmp_X509_STORE_add1_certs() */
    int expected;               /* expected outcome compared by the execute_*() functions */
} CMP_PROTECT_TEST_FIXTURE;
34b0d17251Schristos
/*
 * Library context and providers selected through test_arg_libctx() in
 * setup_tests(); unloaded/freed in cleanup_tests().
 */
static OSSL_LIB_CTX *libctx = NULL;
static OSSL_PROVIDER *default_null_provider = NULL, *provider = NULL;
37b0d17251Schristos
/*
 * Release a fixture created by set_up() together with the objects it owns.
 * A NULL fixture is accepted and ignored. Borrowed pointers (pubkey, cert and
 * the X509 elements inside certs/chain) are deliberately left untouched; they
 * belong to the file-scope test material freed in cleanup_tests().
 */
static void tear_down(CMP_PROTECT_TEST_FIXTURE *fixture)
{
    if (fixture == NULL)
        return;

    /* owned CMP objects */
    OSSL_CMP_CTX_free(fixture->cmp_ctx);
    OSSL_CMP_MSG_free(fixture->msg);
    OSSL_CMP_PKISI_free(fixture->si);

    /* owned buffer and stack containers; shallow free, elements are borrowed */
    OPENSSL_free(fixture->mem);
    sk_X509_free(fixture->certs);
    sk_X509_free(fixture->chain);

    OPENSSL_free(fixture);
}
52b0d17251Schristos
/*
 * Allocate a zeroed fixture and give it a fresh CMP context in libctx.
 * Returns NULL (after releasing the partial fixture) on any failure.
 */
static CMP_PROTECT_TEST_FIXTURE *set_up(const char *const test_case_name)
{
    CMP_PROTECT_TEST_FIXTURE *fixture = OPENSSL_zalloc(sizeof(*fixture));

    if (!TEST_ptr(fixture))
        return NULL;
    fixture->test_case_name = test_case_name;
    fixture->cmp_ctx = OSSL_CMP_CTX_new(libctx, NULL);
    if (TEST_ptr(fixture->cmp_ctx))
        return fixture;

    /* context creation failed: do not leak the half-built fixture */
    tear_down(fixture);
    return NULL;
}
66b0d17251Schristos
/*
 * File-scope test material, loaded once in setup_tests() and released in
 * cleanup_tests(). Test fixtures only borrow these pointers.
 */
static EVP_PKEY *loadedprivkey = NULL; /* key from argument 0 */
static EVP_PKEY *loadedpubkey = NULL;  /* alias of loadedprivkey holding its own reference */
static EVP_PKEY *loadedkey = NULL;     /* key from argument 5 */
static X509 *cert = NULL;              /* cert from argument 4 */
/* filled by RAND_bytes(); used as reference/secret value material */
static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH];
static OSSL_CMP_MSG *ir_unprotected, *ir_protected; /* parsed from ir_unprotected_f / ir_protected_f */
/* certs for the chain and store tests; endentity2 chains via intermediate to root */
static X509 *endentity1 = NULL, *endentity2 = NULL,
            *root = NULL, *intermediate = NULL;
75b0d17251Schristos
/*
 * Expect ossl_cmp_calc_protection() to fail (return NULL) for the fixture's
 * context/message combination. Returns 1 when it does, 0 otherwise.
 */
static int execute_calc_protection_fails_test(CMP_PROTECT_TEST_FIXTURE *fixture)
{
    int ok;
    ASN1_BIT_STRING *prot;

    prot = ossl_cmp_calc_protection(fixture->cmp_ctx, fixture->msg);
    ok = TEST_ptr_null(prot);
    /* if protection was unexpectedly produced, it must not leak */
    ASN1_BIT_STRING_free(prot);
    return ok;
}
85b0d17251Schristos
/*
 * Recompute the PBM protection of fixture->msg and require it to be equal to
 * the protection field carried by the message. Returns 1 on success.
 */
static int execute_calc_protection_pbmac_test(CMP_PROTECT_TEST_FIXTURE *fixture)
{
    int ok = 0;
    ASN1_BIT_STRING *prot =
        ossl_cmp_calc_protection(fixture->cmp_ctx, fixture->msg);

    if (TEST_ptr(prot))
        ok = TEST_true(ASN1_STRING_cmp(prot, fixture->msg->protection) == 0);
    ASN1_BIT_STRING_free(prot);
    return ok;
}
97b0d17251Schristos
/*
 * This function works similarly to parts of CMP_verify_signature in cmp_vfy.c,
 * but without the need for an OSSL_CMP_CTX or an X509 certificate
 */
/*
 * Verify that 'protection' is a valid signature over the DER encoding of the
 * protected part (header + body) of 'msg', made with the key matching 'pkey'
 * and the digest 'digest'. Returns 1 when the signature verifies, 0 otherwise.
 */
static int verify_signature(OSSL_CMP_MSG *msg,
                            ASN1_BIT_STRING *protection,
                            EVP_PKEY *pkey, EVP_MD *digest)
{
    OSSL_CMP_PROTECTEDPART prot_part;
    unsigned char *der = NULL;
    int der_len;
    EVP_MD_CTX *mctx = NULL;
    int ok = 0;

    /* the protected part is what the signature covers */
    prot_part.header = OSSL_CMP_MSG_get0_header(msg);
    prot_part.body = msg->body;
    der_len = i2d_OSSL_CMP_PROTECTEDPART(&prot_part, &der);
    if (!TEST_int_ge(der_len, 0))
        goto end;
    if (!TEST_ptr(mctx = EVP_MD_CTX_new()))
        goto end;
    if (!TEST_true(EVP_DigestVerifyInit(mctx, NULL, digest, NULL, pkey)))
        goto end;
    ok = TEST_int_eq(EVP_DigestVerify(mctx, protection->data,
                                      protection->length, der, der_len), 1);

 end:
    EVP_MD_CTX_free(mctx);
    OPENSSL_free(der);
    return ok;
}
127b0d17251Schristos
/* Calls ossl_cmp_calc_protection(), compares the result with the message's protection field and verifies the signature */
/*
 * Recompute the signature-based protection of fixture->msg, require it to be
 * byte-equal to the message's protection field, and verify it against
 * fixture->pubkey with the context's digest. Returns 1 on success.
 */
static int execute_calc_protection_signature_test(CMP_PROTECT_TEST_FIXTURE *fixture)
{
    int ok = 0;
    ASN1_BIT_STRING *prot =
        ossl_cmp_calc_protection(fixture->cmp_ctx, fixture->msg);

    if (!TEST_ptr(prot))
        goto end;
    if (!TEST_true(ASN1_STRING_cmp(prot, fixture->msg->protection) == 0))
        goto end;
    ok = TEST_true(verify_signature(fixture->msg, prot, fixture->pubkey,
                                    fixture->cmp_ctx->digest));

 end:
    ASN1_BIT_STRING_free(prot);
    return ok;
}
144b0d17251Schristos
/*
 * With a protectionAlg present but neither key nor secret configured,
 * ossl_cmp_calc_protection() must fail.
 */
static int test_cmp_calc_protection_no_key_no_secret(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    ok = TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f, libctx))
        /* any algorithm identifier will do; only its presence matters here */
        && TEST_ptr(fixture->msg->header->protectionAlg = X509_ALGOR_new());
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }

    EXECUTE_TEST(execute_calc_protection_fails_test, tear_down);
    return result;
}
158b0d17251Schristos
/*
 * Signature-based protection: the context gets loadedprivkey, the fixture the
 * matching public key for verification, and the protected IR is recomputed.
 */
static int test_cmp_calc_protection_pkey(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    /* borrowed: tear_down() does not free pubkey */
    fixture->pubkey = loadedpubkey;
    ok = TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedprivkey))
        && TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_calc_protection_signature_test, tear_down);
    return result;
}
171b0d17251Schristos
/*
 * Password-based MAC protection: recompute the PBM of the IP_PBM message with
 * the shared secret and require it to match the message's protection field.
 */
static int test_cmp_calc_protection_pbmac(void)
{
    /* must be the secret the ip_PBM_f message was protected with */
    unsigned char sec_insta[] = { 'i', 'n', 's', 't', 'a' };
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    ok = TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx,
                                                  sec_insta, sizeof(sec_insta)))
        && TEST_ptr(fixture->msg = load_pkimsg(ip_PBM_f, libctx));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_calc_protection_pbmac_test, tear_down);
    return result;
}
/* Run ossl_cmp_msg_protect() on the fixture and compare its result with fixture->expected. */
static int execute_MSG_protect_test(CMP_PROTECT_TEST_FIXTURE *fixture)
{
    int rv = ossl_cmp_msg_protect(fixture->cmp_ctx, fixture->msg);

    return TEST_int_eq(fixture->expected, rv);
}
191b0d17251Schristos
/* Shorthand for enabling (val != 0) or disabling sending of unprotected messages on ctx */
#define SET_OPT_UNPROTECTED_SEND(ctx, val) \
    OSSL_CMP_CTX_set_option((ctx), OSSL_CMP_OPT_UNPROTECTED_SEND, (val))
/* With OSSL_CMP_OPT_UNPROTECTED_SEND enabled, protecting succeeds without any credentials. */
static int test_MSG_protect_unprotected_request(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);

    fixture->expected = 1;
    ok = TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected))
        && TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 1));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_MSG_protect_test, tear_down);
    return result;
}
207b0d17251Schristos
/*
 * Protecting with a reference value and a secret value (PBM credentials)
 * must succeed. Despite the name, no key is configured on the context here.
 */
static int test_MSG_protect_with_msg_sig_alg_protection_plus_rsa_key(void)
{
    /* rand_data is split into two halves: reference value, then secret value */
    const size_t half = sizeof(rand_data) / 2;
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->expected = 1;

    ok = TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected))
        && TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0))
        && TEST_true(OSSL_CMP_CTX_set1_referenceValue(fixture->cmp_ctx,
                                                      rand_data, half))
        && TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx,
                                                   rand_data + half, half));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_MSG_protect_test, tear_down);
    return result;
}
232b0d17251Schristos
/* Signature-based protection with both a private key and its certificate must succeed. */
static int test_MSG_protect_with_certificate_and_key(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->expected = 1;

    ok = TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected))
        && TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0))
        && TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedkey))
        && TEST_true(OSSL_CMP_CTX_set1_cert(fixture->cmp_ctx, cert));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_MSG_protect_test, tear_down);
    return result;
}
249b0d17251Schristos
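/*
 * A new key without a matching certificate is not enough for signature-based
 * protection: ossl_cmp_msg_protect() must fail.
 */
static int test_MSG_protect_certificate_based_without_cert(void)
{
    OSSL_CMP_CTX *ctx;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    ctx = fixture->cmp_ctx;
    fixture->expected = 0;
    /*
     * OSSL_CMP_CTX_set0_newPkey() takes over one reference to loadedkey,
     * which cleanup_tests() frees as well. Take the extra reference right
     * before handing it over, and only on the path where the handover
     * actually happens; an unconditional up_ref after this block would
     * leak a reference whenever an earlier step failed.
     */
    if (!TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected))
            || !TEST_true(SET_OPT_UNPROTECTED_SEND(ctx, 0))
            || !TEST_true(EVP_PKEY_up_ref(loadedkey))
            || !TEST_true(OSSL_CMP_CTX_set0_newPkey(ctx, 1, loadedkey))) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_MSG_protect_test, tear_down);
    return result;
}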
268b0d17251Schristos
/* Without any credentials and with unprotected sending disabled, protecting must fail. */
static int test_MSG_protect_no_key_no_secret(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->expected = 0;
    ok = TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected))
        && TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_MSG_protect_test, tear_down);
    return result;
}
281b0d17251Schristos
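/*
 * PBM protection of a message whose header has no sender name. The test
 * expects protection to succeed exactly when a reference value is set
 * (with_ref != 0), since that is what then identifies the sender.
 * Each setup step is wrapped in TEST_true() so a failing step is reported
 * rather than silently turned into a torn-down fixture.
 */
static int test_MSG_protect_pbmac_no_sender(int with_ref)
{
    static unsigned char secret[] = { 47, 11, 8, 15 };
    static unsigned char ref[] = { 0xca, 0xfe, 0xba, 0xbe };

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->expected = with_ref;
    if (!TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected))
            || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0))
            || !TEST_true(ossl_cmp_hdr_set1_sender(fixture->msg->header, NULL))
            || !TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx,
                                                        secret, sizeof(secret)))
            /* never pair a NULL value with a non-zero length */
            || !TEST_true(OSSL_CMP_CTX_set1_referenceValue(fixture->cmp_ctx,
                                                           with_ref ? ref : NULL,
                                                           with_ref ? sizeof(ref) : 0))) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_MSG_protect_test, tear_down);
    return result;
}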
303b0d17251Schristos
/* PBM without sender but with a reference value: protection is expected to succeed. */
static int test_MSG_protect_pbmac_no_sender_with_ref(void)
{
    const int with_ref = 1;

    return test_MSG_protect_pbmac_no_sender(with_ref);
}
308b0d17251Schristos
/* PBM without sender and without reference value: protection is expected to fail. */
static int test_MSG_protect_pbmac_no_sender_no_ref(void)
{
    const int with_ref = 0;

    return test_MSG_protect_pbmac_no_sender(with_ref);
}
313b0d17251Schristos
/* ossl_cmp_msg_add_extraCerts() is expected to succeed on the fixture's message. */
static int execute_MSG_add_extraCerts_test(CMP_PROTECT_TEST_FIXTURE *fixture)
{
    int added = ossl_cmp_msg_add_extraCerts(fixture->cmp_ctx, fixture->msg);

    return TEST_true(added);
}
319b0d17251Schristos
/* Adding extraCerts to a copy of the protected IR must succeed. */
static int test_MSG_add_extraCerts(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    ok = TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_protected));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_MSG_add_extraCerts_test, tear_down);
    return result;
}
330b0d17251Schristos
331b0d17251Schristos #ifndef OPENSSL_NO_EC
332b0d17251Schristos /* The cert chain tests use EC certs so we skip them in no-ec builds */
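/*
 * Build a chain for fixture->cert from fixture->certs twice: first without a
 * trust store (a chain equal to fixture->chain is always expected), then with
 * root as the only trust anchor, where fixture->expected says whether a chain
 * must result and, if so, it must again equal fixture->chain.
 * Returns 1 when both passes behave as expected, 0 otherwise.
 */
static int execute_cmp_build_cert_chain_test(CMP_PROTECT_TEST_FIXTURE *fixture)
{
    int ret = 0;
    OSSL_CMP_CTX *ctx = fixture->cmp_ctx;
    X509_STORE *store = NULL;
    STACK_OF(X509) *chain;

    /* pass 1: no trust store */
    chain = X509_build_chain(fixture->cert, fixture->certs, NULL,
                             fixture->with_ss, ctx->libctx, ctx->propq);
    if (TEST_ptr(chain)) {
        /* Check whether chain built is equal to the expected one */
        ret = TEST_int_eq(0, STACK_OF_X509_cmp(chain, fixture->chain));
        sk_X509_pop_free(chain, X509_free);
    }
    if (!ret)
        return 0;

    /*
     * pass 2: with a trust store holding root. Start from "failed" so that a
     * store that cannot be set up does not let the result of pass 1 through.
     */
    ret = 0;
    if (TEST_ptr(store = X509_STORE_new())
            && TEST_true(X509_STORE_add_cert(store, root))) {
        /* validity periods are not what is under test here */
        X509_VERIFY_PARAM_set_flags(X509_STORE_get0_param(store),
                                    X509_V_FLAG_NO_CHECK_TIME);
        chain = X509_build_chain(fixture->cert, fixture->certs, store,
                                 fixture->with_ss, ctx->libctx, ctx->propq);
        ret = TEST_int_eq(fixture->expected, chain != NULL);
        if (ret && chain != NULL) {
            /* Check whether chain built is equal to the expected one */
            ret = TEST_int_eq(0, STACK_OF_X509_cmp(chain, fixture->chain));
        }
        /* free unconditionally: a chain produced although none was expected must not leak */
        sk_X509_pop_free(chain, X509_free);
    }
    X509_STORE_free(store);
    return ret;
}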
366b0d17251Schristos
/*
 * Full chain for endentity2 from an unordered set of candidates, run twice:
 * once expecting the chain without the self-signed root, then with with_ss
 * set and root appended to the expected chain.
 */
static int test_cmp_build_cert_chain(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->expected = 1;
    fixture->with_ss = 0;
    fixture->cert = endentity2;
    ok = TEST_ptr(fixture->certs = sk_X509_new_null())
        && TEST_ptr(fixture->chain = sk_X509_new_null())
        /* candidates, deliberately not in chain order */
        && TEST_true(sk_X509_push(fixture->certs, endentity1))
        && TEST_true(sk_X509_push(fixture->certs, root))
        && TEST_true(sk_X509_push(fixture->certs, intermediate))
        /* expected chain for the first run */
        && TEST_true(sk_X509_push(fixture->chain, endentity2))
        && TEST_true(sk_X509_push(fixture->chain, intermediate));
    if (!ok) {
        tear_down(fixture);
        return result;
    }

    result = execute_cmp_build_cert_chain_test(fixture);
    /* second run: the self-signed root must now be part of the chain */
    fixture->with_ss = 1;
    if (result && TEST_true(sk_X509_push(fixture->chain, root)))
        result = execute_cmp_build_cert_chain_test(fixture);
    tear_down(fixture);
    return result;
}
392b0d17251Schristos
/*
 * Without the intermediate among the candidates only the end-entity cert
 * itself can be chained; with the trust store no chain to root is expected.
 */
static int test_cmp_build_cert_chain_missing_intermediate(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->expected = 0;
    fixture->with_ss = 0;
    fixture->cert = endentity2;
    ok = TEST_ptr(fixture->certs = sk_X509_new_null())
        && TEST_ptr(fixture->chain = sk_X509_new_null())
        && TEST_true(sk_X509_push(fixture->certs, endentity1))
        && TEST_true(sk_X509_push(fixture->certs, root))
        && TEST_true(sk_X509_push(fixture->chain, endentity2));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
    return result;
}
410b0d17251Schristos
/* Root absent from the candidates: the chain endentity2 -> intermediate is still expected. */
static int test_cmp_build_cert_chain_no_root(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->expected = 1;
    fixture->with_ss = 0;
    fixture->cert = endentity2;
    ok = TEST_ptr(fixture->certs = sk_X509_new_null())
        && TEST_ptr(fixture->chain = sk_X509_new_null())
        && TEST_true(sk_X509_push(fixture->certs, endentity1))
        && TEST_true(sk_X509_push(fixture->certs, intermediate))
        && TEST_true(sk_X509_push(fixture->chain, endentity2))
        && TEST_true(sk_X509_push(fixture->chain, intermediate));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
    return result;
}
429b0d17251Schristos
/* Building a chain for root itself yields a chain of just root, even with with_ss == 0. */
static int test_cmp_build_cert_chain_only_root(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->expected = 1;
    fixture->with_ss = 0; /* still chain must include the only cert (root) */
    fixture->cert = root;
    ok = TEST_ptr(fixture->certs = sk_X509_new_null())
        && TEST_ptr(fixture->chain = sk_X509_new_null())
        && TEST_true(sk_X509_push(fixture->certs, root))
        && TEST_true(sk_X509_push(fixture->chain, root));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
    return result;
}
446b0d17251Schristos
/*
 * No candidate certs at all: without a store the chain is just endentity2;
 * with the trust store no chain to root can be built (expected == 0).
 */
static int test_cmp_build_cert_chain_no_certs(void)
{
    int ok;

    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->expected = 0;
    fixture->with_ss = 0;
    fixture->cert = endentity2;
    ok = TEST_ptr(fixture->certs = sk_X509_new_null())
        && TEST_ptr(fixture->chain = sk_X509_new_null())
        && TEST_true(sk_X509_push(fixture->chain, endentity2));
    if (!ok) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
    return result;
}
462b0d17251Schristos #endif /* OPENSSL_NO_EC */
463b0d17251Schristos
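/*
 * Add fixture->certs to a fresh X509_STORE via ossl_cmp_X509_STORE_add1_certs()
 * (fixture->callback_arg selects whether only self-issued certs are taken)
 * and require the store's contents to equal fixture->chain.
 * Returns 1 on success, 0 on any failure.
 */
static int execute_X509_STORE_test(CMP_PROTECT_TEST_FIXTURE *fixture)
{
    X509_STORE *store = X509_STORE_new();
    STACK_OF(X509) *sk = NULL;
    int res = 0;

    /* report an allocation failure instead of feeding NULL to the function under test */
    if (!TEST_ptr(store))
        goto err;
    if (!TEST_true(ossl_cmp_X509_STORE_add1_certs(store,
                                                  fixture->certs,
                                                  fixture->callback_arg)))
        goto err;
    sk = X509_STORE_get1_all_certs(store);
    if (!TEST_int_eq(0, STACK_OF_X509_cmp(sk, fixture->chain)))
        goto err;
    res = 1;
 err:
    X509_STORE_free(store);
    sk_X509_pop_free(sk, X509_free);
    return res;
}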
484b0d17251Schristos
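/*
 * With self-issued certs allowed, every cert pushed must end up in the store,
 * so the expected content is a copy of the input stack.
 * The push calls are wrapped in TEST_true() like in
 * test_X509_STORE_only_self_issued(), so a failing push is reported.
 */
static int test_X509_STORE(void)
{
    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->callback_arg = 0; /* self-issued allowed */
    if (!TEST_ptr(fixture->certs = sk_X509_new_null())
            || !TEST_true(sk_X509_push(fixture->certs, endentity1))
            || !TEST_true(sk_X509_push(fixture->certs, endentity2))
            || !TEST_true(sk_X509_push(fixture->certs, root))
            || !TEST_true(sk_X509_push(fixture->certs, intermediate))
            || !TEST_ptr(fixture->chain = sk_X509_dup(fixture->certs))) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_X509_STORE_test, tear_down);
    return result;
}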
501b0d17251Schristos
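/*
 * With callback_arg == 1 only self-issued certs are added, so of the four
 * pushed certs only root is expected in the store.
 * The two stack allocations are checked with TEST_ptr() like in test_X509_STORE()
 * instead of relying on the later pushes to fail on a NULL stack.
 */
static int test_X509_STORE_only_self_issued(void)
{
    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
    fixture->callback_arg = 1; /* only self-issued */
    if (!TEST_ptr(fixture->certs = sk_X509_new_null())
            || !TEST_ptr(fixture->chain = sk_X509_new_null())
            || !TEST_true(sk_X509_push(fixture->certs, endentity1))
            || !TEST_true(sk_X509_push(fixture->certs, endentity2))
            || !TEST_true(sk_X509_push(fixture->certs, root))
            || !TEST_true(sk_X509_push(fixture->certs, intermediate))
            || !TEST_true(sk_X509_push(fixture->chain, root))) {
        tear_down(fixture);
        fixture = NULL;
    }
    EXECUTE_TEST(execute_X509_STORE_test, tear_down);
    return result;
}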
519b0d17251Schristos
520b0d17251Schristos
/*
 * Release everything setup_tests() loaded or created. The providers are
 * unloaded before the library context they were loaded into is freed.
 */
void cleanup_tests(void)
{
    /* test messages */
    OSSL_CMP_MSG_free(ir_protected);
    OSSL_CMP_MSG_free(ir_unprotected);

    /* keys; loadedpubkey aliases loadedprivkey and holds its own reference */
    EVP_PKEY_free(loadedprivkey);
    EVP_PKEY_free(loadedpubkey);
    EVP_PKEY_free(loadedkey);

    /* certificates */
    X509_free(cert);
    X509_free(endentity1);
    X509_free(endentity2);
    X509_free(root);
    X509_free(intermediate);

    /* providers first, then the library context */
    OSSL_PROVIDER_unload(default_null_provider);
    OSSL_PROVIDER_unload(provider);
    OSSL_LIB_CTX_free(libctx);
}
537b0d17251Schristos
/*
 * Positional arguments expected by setup_tests(). "server.pem" is listed
 * twice because argument 0 and argument 5 are loaded as separate keys
 * (loadedprivkey and loadedkey). Arguments from index 10 on are handed to
 * test_arg_libctx() to select the provider module.
 */
#define USAGE "server.pem IR_protected.der IR_unprotected.der IP_PBM.der " \
              "server.crt server.pem EndEntity1.crt EndEntity2.crt Root_CA.crt " \
              "Intermediate_CA.crt module_name [module_conf_file]\n"
OPT_TEST_DECLARE_USAGE(USAGE)
542b0d17251Schristos
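/*
 * Test-suite entry point: parse the positional arguments, set up the library
 * context and providers, load all keys, certs and messages, and register the
 * test cases. Returns 1 on success, 0 on any failure (the framework then
 * still runs cleanup_tests()).
 */
int setup_tests(void)
{
    char *server_f;
    char *server_key_f;
    char *server_cert_f;
    char *endentity1_f;
    char *endentity2_f;
    char *root_f;
    char *intermediate_f;

    if (!test_skip_common_options()) {
        TEST_error("Error parsing test options\n");
        return 0;
    }

    if (!TEST_ptr(server_f = test_get_argument(0))
            || !TEST_ptr(ir_protected_f = test_get_argument(1))
            || !TEST_ptr(ir_unprotected_f = test_get_argument(2))
            || !TEST_ptr(ip_PBM_f = test_get_argument(3))
            || !TEST_ptr(server_cert_f = test_get_argument(4))
            || !TEST_ptr(server_key_f = test_get_argument(5))
            || !TEST_ptr(endentity1_f = test_get_argument(6))
            || !TEST_ptr(endentity2_f = test_get_argument(7))
            || !TEST_ptr(root_f = test_get_argument(8))
            || !TEST_ptr(intermediate_f = test_get_argument(9))) {
        TEST_error("usage: cmp_protect_test %s", USAGE);
        return 0;
    }

    /* remaining arguments (index 10 on) select the provider module */
    if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 10, USAGE))
        return 0;

    if (!TEST_ptr(loadedkey = load_pkey_pem(server_key_f, libctx))
            || !TEST_ptr(cert = load_cert_pem(server_cert_f, libctx)))
        return 0;

    if (!TEST_ptr(loadedprivkey = load_pkey_pem(server_f, libctx)))
        return 0;
    /*
     * loadedpubkey aliases loadedprivkey and is freed separately in
     * cleanup_tests(), so it needs its own reference. A failed up_ref must
     * abort setup rather than leave loadedpubkey NULL for the signature tests.
     */
    if (!TEST_true(EVP_PKEY_up_ref(loadedprivkey)))
        return 0;
    loadedpubkey = loadedprivkey;
    if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f, libctx))
            || !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f, libctx)))
        return 0;
    if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx))
            || !TEST_ptr(endentity2 = load_cert_pem(endentity2_f, libctx))
            || !TEST_ptr(root = load_cert_pem(root_f, libctx))
            || !TEST_ptr(intermediate = load_cert_pem(intermediate_f, libctx)))
        return 0;
    /*
     * Fill rand_data exactly once, with the result checked; an earlier
     * unchecked RAND_bytes() call before the library context existed would
     * only hide a failure.
     */
    if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH)))
        return 0;

    /* Message protection tests */
    ADD_TEST(test_cmp_calc_protection_no_key_no_secret);
    ADD_TEST(test_cmp_calc_protection_pkey);
    ADD_TEST(test_cmp_calc_protection_pbmac);

    ADD_TEST(test_MSG_protect_with_msg_sig_alg_protection_plus_rsa_key);
    ADD_TEST(test_MSG_protect_with_certificate_and_key);
    ADD_TEST(test_MSG_protect_certificate_based_without_cert);
    ADD_TEST(test_MSG_protect_unprotected_request);
    ADD_TEST(test_MSG_protect_no_key_no_secret);
    ADD_TEST(test_MSG_protect_pbmac_no_sender_with_ref);
    ADD_TEST(test_MSG_protect_pbmac_no_sender_no_ref);
    ADD_TEST(test_MSG_add_extraCerts);

    /* the chain tests use EC certs and are skipped in no-ec builds */
#ifndef OPENSSL_NO_EC
    ADD_TEST(test_cmp_build_cert_chain);
    ADD_TEST(test_cmp_build_cert_chain_only_root);
    ADD_TEST(test_cmp_build_cert_chain_no_root);
    ADD_TEST(test_cmp_build_cert_chain_missing_intermediate);
    ADD_TEST(test_cmp_build_cert_chain_no_certs);
#endif

    ADD_TEST(test_X509_STORE);
    ADD_TEST(test_X509_STORE_only_self_issued);

    return 1;
}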