1 /* $OpenBSD: callback.c,v 1.3 2021/10/31 08:27:15 tb Exp $ */ 2 /* 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <err.h> 20 #include <string.h> 21 22 #include <openssl/bio.h> 23 #include <openssl/err.h> 24 #include <openssl/pem.h> 25 #include <openssl/x509.h> 26 #include <openssl/x509v3.h> 27 #include <openssl/x509_verify.h> 28 29 #define MODE_MODERN_VFY 0 30 #define MODE_MODERN_VFY_DIR 1 31 #define MODE_LEGACY_VFY 2 32 #define MODE_VERIFY 3 33 34 static int verbose = 1; 35 FILE *output; 36 37 static int 38 passwd_cb(char *buf, int size, int rwflag, void *u) 39 { 40 memset(buf, 0, size); 41 return (0); 42 } 43 44 static int 45 certs_from_file(const char *filename, STACK_OF(X509) **certs) 46 { 47 STACK_OF(X509_INFO) *xis = NULL; 48 STACK_OF(X509) *xs = NULL; 49 BIO *bio = NULL; 50 X509 *x; 51 int i; 52 53 if ((xs = sk_X509_new_null()) == NULL) 54 errx(1, "failed to create X509 stack"); 55 if ((bio = BIO_new_file(filename, "r")) == NULL) { 56 ERR_print_errors_fp(stderr); 57 errx(1, "failed to create bio"); 58 } 59 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, passwd_cb, NULL)) == NULL) 60 errx(1, "failed to read PEM"); 61 62 for (i = 0; i < sk_X509_INFO_num(xis); i++) { 63 if ((x = sk_X509_INFO_value(xis, i)->x509) == NULL) 64 continue; 65 if (!sk_X509_push(xs, x)) 66 errx(1, "failed to push X509"); 67 X509_up_ref(x); 68 } 69 70 *certs = xs; 71 xs = NULL; 72 73 sk_X509_INFO_pop_free(xis, X509_INFO_free); 74 sk_X509_pop_free(xs, X509_free); 75 BIO_free(bio); 76 77 return 1; 78 } 79 80 static int 81 verify_cert_cb(int ok, X509_STORE_CTX *xsc) 82 { 83 X509 *current_cert, *issuer_cert; 84 int verify_err, verify_depth; 85 86 current_cert = X509_STORE_CTX_get_current_cert(xsc); 87 issuer_cert = X509_STORE_CTX_get0_current_issuer(xsc); 88 verify_depth = X509_STORE_CTX_get_error_depth(xsc); 89 verify_err = X509_STORE_CTX_get_error(xsc); 90 fprintf(output, "depth %d error %d", verify_depth, verify_err); 91 fprintf(output, " cert: "); 92 if (current_cert != NULL) { 93 X509_NAME_print_ex_fp(output, 94 X509_get_subject_name(current_cert), 0, 95 XN_FLAG_ONELINE); 96 } else 97 fprintf(output, "NULL"); 98 fprintf(output, " issuer: "); 99 if (issuer_cert != NULL) { 100 X509_NAME_print_ex_fp(output, 101 X509_get_subject_name(issuer_cert), 0, 102 XN_FLAG_ONELINE); 103 } else 104 fprintf(output, "NULL"); 105 fprintf(output, "\n"); 106 107 return ok; 108 } 109 110 static void 111 verify_cert(const char *roots_dir, const char *roots_file, 112 const char *bundle_file, int *chains, int mode) 113 { 114 STACK_OF(X509) *roots = NULL, *bundle = NULL; 115 X509_STORE_CTX *xsc = NULL; 116 X509_STORE *store = NULL; 117 int verify_err, use_dir; 118 X509 *leaf = NULL; 119 120 *chains = 0; 121 use_dir = (mode == MODE_MODERN_VFY_DIR); 122 123 if (!use_dir && !certs_from_file(roots_file, &roots)) 124 errx(1, "failed to load roots from '%s'", roots_file); 125 if (!certs_from_file(bundle_file, &bundle)) 126 errx(1, "failed to load bundle from '%s'", bundle_file); 127 if (sk_X509_num(bundle) < 1) 128 errx(1, "not enough certs in bundle"); 129 leaf = sk_X509_shift(bundle); 130 131 if ((xsc = X509_STORE_CTX_new()) == NULL) 132 errx(1, "X509_STORE_CTX"); 133 if (use_dir && (store = X509_STORE_new()) == NULL) 134 errx(1, "X509_STORE"); 135 if (!X509_STORE_CTX_init(xsc, store, leaf, bundle)) { 136 ERR_print_errors_fp(stderr); 137 errx(1, "failed to init store context"); 138 } 139 if (use_dir) { 140 if (!X509_STORE_load_locations(store, NULL, roots_dir)) 141 errx(1, "failed to set by_dir directory of %s", roots_dir); 142 } 143 if (mode == MODE_LEGACY_VFY) 144 X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_LEGACY_VERIFY); 145 else 146 X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(xsc), 147 X509_V_FLAG_LEGACY_VERIFY); 148 149 if (verbose) 150 X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb); 151 if (!use_dir) 152 X509_STORE_CTX_set0_trusted_stack(xsc, roots); 153 if (X509_verify_cert(xsc) == 1) { 154 *chains = 1; /* XXX */ 155 goto done; 156 } 157 158 verify_err = X509_STORE_CTX_get_error(xsc); 159 if (verify_err == 0) 160 errx(1, "Error unset on failure!\n"); 161 162 fprintf(stderr, "failed to verify at %d: %s\n", 163 X509_STORE_CTX_get_error_depth(xsc), 164 X509_verify_cert_error_string(verify_err)); 165 166 done: 167 sk_X509_pop_free(roots, X509_free); 168 sk_X509_pop_free(bundle, X509_free); 169 X509_STORE_free(store); 170 X509_STORE_CTX_free(xsc); 171 X509_free(leaf); 172 } 173 174 struct verify_cert_test { 175 const char *id; 176 int want_chains; 177 int failing; 178 }; 179 180 struct verify_cert_test verify_cert_tests[] = { 181 { 182 .id = "1a", 183 .want_chains = 1, 184 }, 185 { 186 .id = "2a", 187 .want_chains = 1, 188 }, 189 { 190 .id = "2b", 191 .want_chains = 0, 192 }, 193 { 194 .id = "2c", 195 .want_chains = 1, 196 }, 197 { 198 .id = "3a", 199 .want_chains = 1, 200 }, 201 { 202 .id = "3b", 203 .want_chains = 0, 204 }, 205 { 206 .id = "3c", 207 .want_chains = 0, 208 }, 209 { 210 .id = "3d", 211 .want_chains = 0, 212 }, 213 { 214 .id = "3e", 215 .want_chains = 1, 216 }, 217 { 218 .id = "4a", 219 .want_chains = 2, 220 }, 221 { 222 .id = "4b", 223 .want_chains = 1, 224 }, 225 { 226 .id = "4c", 227 .want_chains = 1, 228 .failing = 1, 229 }, 230 { 231 .id = "4d", 232 .want_chains = 1, 233 }, 234 { 235 .id = "4e", 236 .want_chains = 1, 237 }, 238 { 239 .id = "4f", 240 .want_chains = 2, 241 }, 242 { 243 .id = "4g", 244 .want_chains = 1, 245 .failing = 1, 246 }, 247 { 248 .id = "4h", 249 .want_chains = 1, 250 }, 251 { 252 .id = "5a", 253 .want_chains = 2, 254 }, 255 { 256 .id = "5b", 257 .want_chains = 1, 258 .failing = 1, 259 }, 260 { 261 .id = "5c", 262 .want_chains = 1, 263 }, 264 { 265 .id = "5d", 266 .want_chains = 1, 267 }, 268 { 269 .id = "5e", 270 .want_chains = 1, 271 .failing = 1, 272 }, 273 { 274 .id = "5f", 275 .want_chains = 1, 276 }, 277 { 278 .id = "5g", 279 .want_chains = 2, 280 }, 281 { 282 .id = "5h", 283 .want_chains = 1, 284 }, 285 { 286 .id = "5i", 287 .want_chains = 1, 288 .failing = 1, 289 }, 290 { 291 .id = "6a", 292 .want_chains = 1, 293 }, 294 { 295 .id = "6b", 296 .want_chains = 1, 297 .failing = 1, 298 }, 299 { 300 .id = "7a", 301 .want_chains = 1, 302 .failing = 1, 303 }, 304 { 305 .id = "7b", 306 .want_chains = 1, 307 }, 308 { 309 .id = "8a", 310 .want_chains = 0, 311 }, 312 { 313 .id = "9a", 314 .want_chains = 0, 315 }, 316 { 317 .id = "10a", 318 .want_chains = 1, 319 }, 320 { 321 .id = "10b", 322 .want_chains = 1, 323 }, 324 { 325 .id = "11a", 326 .want_chains = 1, 327 .failing = 1, 328 }, 329 { 330 .id = "11b", 331 .want_chains = 1, 332 }, 333 { 334 .id = "12a", 335 .want_chains = 1, 336 }, 337 { 338 .id = "13a", 339 .want_chains = 1, 340 .failing = 1, 341 }, 342 }; 343 344 #define N_VERIFY_CERT_TESTS \ 345 (sizeof(verify_cert_tests) / sizeof(*verify_cert_tests)) 346 347 static int 348 verify_cert_test(const char *certs_path, int mode) 349 { 350 char *roots_file, *bundle_file, *roots_dir; 351 struct verify_cert_test *vct; 352 int failed = 0; 353 int chains; 354 size_t i; 355 356 for (i = 0; i < N_VERIFY_CERT_TESTS; i++) { 357 vct = &verify_cert_tests[i]; 358 359 if (asprintf(&roots_file, "%s/%s/roots.pem", certs_path, 360 vct->id) == -1) 361 errx(1, "asprintf"); 362 if (asprintf(&bundle_file, "%s/%s/bundle.pem", certs_path, 363 vct->id) == -1) 364 errx(1, "asprintf"); 365 if (asprintf(&roots_dir, "./%s/roots", vct->id) == -1) 366 errx(1, "asprintf"); 367 368 fprintf(output, "== Test %zu (%s)\n", i, vct->id); 369 fprintf(output, "== Legacy:\n"); 370 mode = MODE_LEGACY_VFY; 371 verify_cert(roots_dir, roots_file, bundle_file, &chains, mode); 372 if ((mode == MODE_VERIFY && chains == vct->want_chains) || 373 (chains == 0 && vct->want_chains == 0) || 374 (chains == 1 && vct->want_chains > 0)) { 375 fprintf(output, "INFO: Succeeded with %d chains%s\n", 376 chains, vct->failing ? " (legacy failure)" : ""); 377 if (mode == MODE_LEGACY_VFY && vct->failing) 378 failed |= 1; 379 } else { 380 fprintf(output, "FAIL: Failed with %d chains%s\n", 381 chains, vct->failing ? " (legacy failure)" : ""); 382 if (!vct->failing) 383 failed |= 1; 384 } 385 fprintf(output, "\n"); 386 fprintf(output, "== Modern:\n"); 387 mode = MODE_MODERN_VFY; 388 verify_cert(roots_dir, roots_file, bundle_file, &chains, mode); 389 if ((mode == MODE_VERIFY && chains == vct->want_chains) || 390 (chains == 0 && vct->want_chains == 0) || 391 (chains == 1 && vct->want_chains > 0)) { 392 fprintf(output, "INFO: Succeeded with %d chains%s\n", 393 chains, vct->failing ? " (legacy failure)" : ""); 394 if (mode == MODE_LEGACY_VFY && vct->failing) 395 failed |= 1; 396 } else { 397 fprintf(output, "FAIL: Failed with %d chains%s\n", 398 chains, vct->failing ? " (legacy failure)" : ""); 399 if (!vct->failing) 400 failed |= 1; 401 } 402 fprintf(output, "\n"); 403 404 free(roots_file); 405 free(bundle_file); 406 free(roots_dir); 407 } 408 409 return failed; 410 } 411 412 int 413 main(int argc, char **argv) 414 { 415 int failed = 0; 416 417 if (argc != 2) { 418 fprintf(stderr, "usage: %s <certs_path>\n", argv[0]); 419 exit(1); 420 } 421 422 output = fopen("callback.out", "w+"); 423 424 fprintf(stderr, "\n\nTesting legacy and modern X509_vfy\n"); 425 failed |= verify_cert_test(argv[1], MODE_LEGACY_VFY); 426 return (failed); 427 } 428