]>
Commit | Line | Data |
---|---|---|
31b28ad9 DDO |
1 | /* |
2 | * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * Copyright Nokia 2007-2019 | |
4 | * Copyright Siemens AG 2015-2019 | |
5 | * | |
6 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
7 | * this file except in compliance with the License. You can obtain a copy | |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
10 | */ | |
11 | ||
12 | #include "cmp_testlib.h" | |
13 | #include "../crypto/crmf/crmf_local.h" /* for manipulating POPO signature */ | |
14 | ||
15 | static const char *server_f; | |
16 | static const char *client_f; | |
17 | static const char *endentity1_f; | |
18 | static const char *endentity2_f; | |
19 | static const char *root_f; | |
20 | static const char *intermediate_f; | |
21 | static const char *ir_protected_f; | |
22 | static const char *ir_unprotected_f; | |
23 | static const char *ir_rmprotection_f; | |
24 | static const char *ip_waiting_f; | |
25 | static const char *instacert_f; | |
26 | static const char *instaca_f; | |
27 | static const char *ir_protected_0_extracerts; | |
28 | static const char *ir_protected_2_extracerts; | |
29 | ||
30 | typedef struct test_fixture { | |
31 | const char *test_case_name; | |
32 | int expected; | |
33 | OSSL_CMP_CTX *cmp_ctx; | |
34 | OSSL_CMP_MSG *msg; | |
35 | X509 *cert; | |
36 | ossl_cmp_allow_unprotected_cb_t allow_unprotected_cb; | |
37 | int additional_arg; | |
38 | } CMP_VFY_TEST_FIXTURE; | |
39 | ||
40 | static void tear_down(CMP_VFY_TEST_FIXTURE *fixture) | |
41 | { | |
42 | OSSL_CMP_MSG_free(fixture->msg); | |
43 | OSSL_CMP_CTX_free(fixture->cmp_ctx); | |
44 | OPENSSL_free(fixture); | |
45 | } | |
46 | ||
31b28ad9 DDO |
47 | static time_t test_time_valid = 0, test_time_after_expiration = 0; |
48 | ||
49 | static CMP_VFY_TEST_FIXTURE *set_up(const char *const test_case_name) | |
50 | { | |
51 | X509_STORE *ts = X509_STORE_new(); | |
52 | CMP_VFY_TEST_FIXTURE *fixture; | |
53 | ||
54 | if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) | |
55 | return NULL; | |
56 | fixture->test_case_name = test_case_name; | |
57 | if (ts == NULL | |
58 | || !TEST_ptr(fixture->cmp_ctx = OSSL_CMP_CTX_new()) | |
59 | || !OSSL_CMP_CTX_set0_trustedStore(fixture->cmp_ctx, ts) | |
60 | || !OSSL_CMP_CTX_set_log_cb(fixture->cmp_ctx, print_to_bio_out)) { | |
61 | tear_down(fixture); | |
62 | X509_STORE_free(ts); | |
63 | return NULL; | |
64 | } | |
65 | X509_VERIFY_PARAM_set_time(X509_STORE_get0_param(ts), test_time_valid); | |
62dcd2aa | 66 | X509_STORE_set_verify_cb(ts, X509_STORE_CTX_print_verify_cb); |
31b28ad9 DDO |
67 | return fixture; |
68 | } | |
69 | ||
70 | static X509 *srvcert = NULL; | |
71 | static X509 *clcert = NULL; | |
72 | /* chain */ | |
73 | static X509 *endentity1 = NULL, *endentity2 = NULL, | |
74 | *intermediate = NULL, *root = NULL; | |
75 | /* INSTA chain */ | |
76 | static X509 *insta_cert = NULL, *instaca_cert = NULL; | |
77 | ||
78 | static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH]; | |
79 | static OSSL_CMP_MSG *ir_unprotected, *ir_rmprotection; | |
80 | ||
81 | static int flip_bit(ASN1_BIT_STRING *bitstr) | |
82 | { | |
83 | int bit_num = 7; | |
84 | int bit = ASN1_BIT_STRING_get_bit(bitstr, bit_num); | |
85 | ||
86 | return ASN1_BIT_STRING_set_bit(bitstr, bit_num, !bit); | |
87 | } | |
88 | ||
89 | static int execute_verify_popo_test(CMP_VFY_TEST_FIXTURE *fixture) | |
90 | { | |
91 | if ((fixture->msg = load_pkimsg(ir_protected_f)) == NULL) | |
92 | return 0; | |
93 | if (fixture->expected == 0) { | |
94 | const OSSL_CRMF_MSGS *reqs = fixture->msg->body->value.ir; | |
95 | const OSSL_CRMF_MSG *req = sk_OSSL_CRMF_MSG_value(reqs, 0); | |
96 | if (req == NULL || !flip_bit(req->popo->value.signature->signature)) | |
97 | return 0; | |
98 | } | |
99 | return TEST_int_eq(fixture->expected, | |
100 | ossl_cmp_verify_popo(fixture->msg, | |
101 | fixture->additional_arg)); | |
102 | } | |
103 | ||
104 | static int test_verify_popo(void) | |
105 | { | |
106 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
107 | fixture->expected = 1; | |
108 | EXECUTE_TEST(execute_verify_popo_test, tear_down); | |
109 | return result; | |
110 | } | |
111 | ||
112 | static int test_verify_popo_bad(void) | |
113 | { | |
114 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
115 | fixture->expected = 0; | |
116 | EXECUTE_TEST(execute_verify_popo_test, tear_down); | |
117 | return result; | |
118 | } | |
119 | ||
120 | static int execute_validate_msg_test(CMP_VFY_TEST_FIXTURE *fixture) | |
121 | { | |
122 | return TEST_int_eq(fixture->expected, | |
123 | OSSL_CMP_validate_msg(fixture->cmp_ctx, fixture->msg)); | |
124 | } | |
125 | ||
126 | static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture) | |
127 | { | |
128 | X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx); | |
129 | int res = TEST_int_eq(fixture->expected, | |
130 | OSSL_CMP_validate_cert_path(fixture->cmp_ctx, | |
131 | ts, fixture->cert)); | |
132 | ||
133 | OSSL_CMP_CTX_print_errors(fixture->cmp_ctx); | |
134 | return res; | |
135 | } | |
136 | ||
137 | static int test_validate_msg_mac_alg_protection(void) | |
138 | { | |
139 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
140 | /* secret value belonging to cmp-test/CMP_IP_waitingStatus_PBM.der */ | |
141 | const unsigned char sec_1[] = { | |
142 | '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3', | |
143 | 'Q', '-', 'u', 'd', 'N', 'R' | |
144 | }; | |
145 | ||
146 | fixture->expected = 1; | |
147 | if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1, | |
148 | sizeof(sec_1))) | |
149 | || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f))) { | |
150 | tear_down(fixture); | |
151 | fixture = NULL; | |
152 | } | |
153 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
154 | return result; | |
155 | } | |
156 | ||
157 | static int test_validate_msg_mac_alg_protection_bad(void) | |
158 | { | |
159 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
160 | const unsigned char sec_bad[] = { | |
161 | '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3', | |
162 | 'Q', '-', 'u', 'd', 'N', 'r' | |
163 | }; | |
164 | fixture->expected = 0; | |
165 | ||
166 | if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_bad, | |
167 | sizeof(sec_bad))) | |
168 | || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f))) { | |
169 | tear_down(fixture); | |
170 | fixture = NULL; | |
171 | } | |
172 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
173 | return result; | |
174 | } | |
175 | ||
176 | static int add_trusted(OSSL_CMP_CTX *ctx, X509 *cert) | |
177 | { | |
178 | return X509_STORE_add_cert(OSSL_CMP_CTX_get0_trustedStore(ctx), cert); | |
179 | } | |
180 | ||
181 | static int add_untrusted(OSSL_CMP_CTX *ctx, X509 *cert) | |
182 | { | |
183 | return ossl_cmp_sk_X509_add1_cert(OSSL_CMP_CTX_get0_untrusted_certs(ctx), | |
184 | cert, 0, 0); | |
185 | } | |
186 | ||
187 | static int test_validate_msg_signature_partial_chain(int expired) | |
188 | { | |
189 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
190 | X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx); | |
191 | ||
192 | fixture->expected = !expired; | |
193 | if (ts == NULL | |
194 | || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) | |
195 | || !add_trusted(fixture->cmp_ctx, srvcert)) { | |
196 | tear_down(fixture); | |
197 | fixture = NULL; | |
198 | } else { | |
199 | X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); | |
200 | X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN); | |
201 | if (expired) | |
202 | X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration); | |
203 | } | |
204 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
205 | return result; | |
206 | } | |
207 | ||
208 | static int test_validate_msg_signature_trusted_ok(void) | |
209 | { | |
210 | return test_validate_msg_signature_partial_chain(0); | |
211 | } | |
212 | ||
213 | static int test_validate_msg_signature_trusted_expired(void) | |
214 | { | |
215 | return test_validate_msg_signature_partial_chain(1); | |
216 | } | |
217 | ||
218 | static int test_validate_msg_signature_srvcert_wrong(void) | |
219 | { | |
220 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
221 | fixture->expected = 0; | |
222 | if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) | |
223 | || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, clcert))) { | |
224 | tear_down(fixture); | |
225 | fixture = NULL; | |
226 | } | |
227 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
228 | return result; | |
229 | } | |
230 | ||
231 | static int test_validate_msg_signature_srvcert(int bad_sig) | |
232 | { | |
233 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
234 | fixture->expected = !bad_sig; | |
235 | if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) | |
236 | || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert)) | |
237 | || (bad_sig && !flip_bit(fixture->msg->protection))) { | |
238 | tear_down(fixture); | |
239 | fixture = NULL; | |
240 | } | |
241 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
242 | return result; | |
243 | } | |
244 | ||
245 | static int test_validate_msg_signature_bad(void) | |
246 | { | |
247 | return test_validate_msg_signature_srvcert(1); | |
248 | } | |
249 | ||
250 | static int test_validate_msg_signature_sender_cert_srvcert(void) | |
251 | { | |
252 | return test_validate_msg_signature_srvcert(0); | |
253 | } | |
254 | ||
255 | static int test_validate_msg_signature_sender_cert_untrusted(void) | |
256 | { | |
257 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
258 | fixture->expected = 1; | |
259 | if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts)) | |
260 | || !add_trusted(fixture->cmp_ctx, instaca_cert) | |
261 | || !add_untrusted(fixture->cmp_ctx, insta_cert)) { | |
262 | tear_down(fixture); | |
263 | fixture = NULL; | |
264 | } | |
265 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
266 | return result; | |
267 | } | |
268 | ||
269 | static int test_validate_msg_signature_sender_cert_trusted(void) | |
270 | { | |
271 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
272 | fixture->expected = 1; | |
273 | if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts)) | |
274 | || !add_trusted(fixture->cmp_ctx, instaca_cert) | |
275 | || !add_trusted(fixture->cmp_ctx, insta_cert)) { | |
276 | tear_down(fixture); | |
277 | fixture = NULL; | |
278 | } | |
279 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
280 | return result; | |
281 | } | |
282 | ||
283 | static int test_validate_msg_signature_sender_cert_extracert(void) | |
284 | { | |
285 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
286 | fixture->expected = 1; | |
287 | if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_2_extracerts)) | |
288 | || !add_trusted(fixture->cmp_ctx, instaca_cert)) { | |
289 | tear_down(fixture); | |
290 | fixture = NULL; | |
291 | } | |
292 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
293 | return result; | |
294 | } | |
295 | ||
296 | ||
297 | static int test_validate_msg_signature_sender_cert_absent(void) | |
298 | { | |
299 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
300 | fixture->expected = 0; | |
301 | if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts))) { | |
302 | tear_down(fixture); | |
303 | fixture = NULL; | |
304 | } | |
305 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
306 | return result; | |
307 | } | |
308 | ||
309 | ||
8cc86b81 | 310 | static int test_validate_with_sender(const X509_NAME *name, int expected) |
31b28ad9 DDO |
311 | { |
312 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
313 | fixture->expected = expected; | |
314 | if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) | |
315 | || !TEST_true(OSSL_CMP_CTX_set1_expected_sender(fixture->cmp_ctx, name)) | |
316 | || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert))) { | |
317 | tear_down(fixture); | |
318 | fixture = NULL; | |
319 | } | |
320 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
321 | return result; | |
322 | } | |
323 | ||
324 | static int test_validate_msg_signature_expected_sender(void) | |
325 | { | |
326 | return test_validate_with_sender(X509_get_subject_name(srvcert), 1); | |
327 | } | |
328 | ||
329 | static int test_validate_msg_signature_unexpected_sender(void) | |
330 | { | |
331 | return test_validate_with_sender(X509_get_subject_name(root), 0); | |
332 | } | |
333 | ||
334 | static int test_validate_msg_unprotected_request(void) | |
335 | { | |
336 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
337 | fixture->expected = 0; | |
338 | if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f))) { | |
339 | tear_down(fixture); | |
340 | fixture = NULL; | |
341 | } | |
342 | EXECUTE_TEST(execute_validate_msg_test, tear_down); | |
343 | return result; | |
344 | } | |
345 | ||
346 | static void setup_path(CMP_VFY_TEST_FIXTURE **fixture, X509 *wrong, int expired) | |
347 | { | |
348 | (*fixture)->cert = endentity2; | |
349 | (*fixture)->expected = wrong == NULL && !expired; | |
350 | if (expired) { | |
351 | X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore((*fixture)->cmp_ctx); | |
352 | X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); | |
353 | X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration); | |
354 | } | |
355 | if (!add_trusted((*fixture)->cmp_ctx, wrong == NULL ? root : wrong) | |
356 | || !add_untrusted((*fixture)->cmp_ctx, endentity1) | |
357 | || !add_untrusted((*fixture)->cmp_ctx, intermediate)) { | |
358 | tear_down((*fixture)); | |
359 | (*fixture) = NULL; | |
360 | } | |
361 | } | |
362 | ||
363 | static int test_validate_cert_path_ok(void) | |
364 | { | |
365 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
366 | setup_path(&fixture, NULL, 0); | |
367 | EXECUTE_TEST(execute_validate_cert_path_test, tear_down); | |
368 | return result; | |
369 | } | |
370 | ||
371 | static int test_validate_cert_path_wrong_anchor(void) | |
372 | { | |
373 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
374 | setup_path(&fixture, srvcert /* wrong/non-root cert */, 0); | |
375 | EXECUTE_TEST(execute_validate_cert_path_test, tear_down); | |
376 | return result; | |
377 | } | |
378 | ||
379 | static int test_validate_cert_path_expired(void) | |
380 | { | |
381 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
382 | setup_path(&fixture, NULL, 1); | |
383 | EXECUTE_TEST(execute_validate_cert_path_test, tear_down); | |
384 | return result; | |
385 | } | |
386 | ||
387 | static int execute_MSG_check_received_test(CMP_VFY_TEST_FIXTURE *fixture) | |
388 | { | |
389 | const OSSL_CMP_PKIHEADER *hdr = OSSL_CMP_MSG_get0_header(fixture->msg); | |
390 | const ASN1_OCTET_STRING *tid = OSSL_CMP_HDR_get0_transactionID(hdr); | |
391 | ||
392 | if (!TEST_int_eq(fixture->expected, | |
393 | ossl_cmp_msg_check_received(fixture->cmp_ctx, | |
394 | fixture->msg, | |
395 | fixture->allow_unprotected_cb, | |
396 | fixture->additional_arg))) | |
397 | return 0; | |
398 | ||
399 | if (fixture->expected < 0) /* error expected aready during above check */ | |
400 | return 1; | |
401 | return | |
402 | TEST_int_eq(0, | |
403 | ASN1_OCTET_STRING_cmp(ossl_cmp_hdr_get0_senderNonce(hdr), | |
404 | fixture->cmp_ctx->recipNonce)) | |
405 | && TEST_int_eq(0, | |
406 | ASN1_OCTET_STRING_cmp(tid, | |
407 | fixture->cmp_ctx->transactionID)); | |
408 | } | |
409 | ||
410 | static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, | |
411 | int invalid_protection, int allow) | |
412 | { | |
413 | return allow; | |
414 | } | |
415 | ||
416 | static void setup_check_received(CMP_VFY_TEST_FIXTURE **fixture, int expected, | |
417 | ossl_cmp_allow_unprotected_cb_t cb, int arg, | |
418 | const unsigned char *trid_data, | |
419 | const unsigned char *nonce_data) | |
420 | { | |
421 | OSSL_CMP_CTX *ctx = (*fixture)->cmp_ctx; | |
422 | int nonce_len = OSSL_CMP_SENDERNONCE_LENGTH; | |
423 | ||
424 | (*fixture)->expected = expected; | |
425 | (*fixture)->allow_unprotected_cb = cb; | |
426 | (*fixture)->additional_arg = arg; | |
427 | (*fixture)->msg = OSSL_CMP_MSG_dup(ir_rmprotection); | |
428 | if ((*fixture)->msg == NULL | |
429 | || (nonce_data != NULL | |
430 | && !ossl_cmp_asn1_octet_string_set1_bytes(&ctx->senderNonce, | |
431 | nonce_data, nonce_len))) { | |
432 | tear_down((*fixture)); | |
433 | (*fixture) = NULL; | |
62dcd2aa | 434 | } else if (trid_data != NULL) { |
31b28ad9 DDO |
435 | ASN1_OCTET_STRING *trid = ASN1_OCTET_STRING_new(); |
436 | if (trid == NULL | |
437 | || !ASN1_OCTET_STRING_set(trid, trid_data, | |
438 | OSSL_CMP_TRANSACTIONID_LENGTH) | |
439 | || !OSSL_CMP_CTX_set1_transactionID(ctx, trid)) { | |
440 | tear_down((*fixture)); | |
441 | (*fixture) = NULL; | |
442 | } | |
443 | ASN1_OCTET_STRING_free(trid); | |
444 | } | |
445 | } | |
446 | ||
447 | static int test_MSG_check_received_no_protection_no_cb(void) | |
448 | { | |
449 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
450 | setup_check_received(&fixture, -1, NULL, 0, NULL, NULL); | |
451 | EXECUTE_TEST(execute_MSG_check_received_test, tear_down); | |
452 | return result; | |
453 | } | |
454 | ||
455 | static int test_MSG_check_received_no_protection_restrictive_cb(void) | |
456 | { | |
457 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
458 | setup_check_received(&fixture, -1, allow_unprotected, 0, NULL, NULL); | |
459 | EXECUTE_TEST(execute_MSG_check_received_test, tear_down); | |
460 | return result; | |
461 | } | |
462 | ||
463 | static int test_MSG_check_received_no_protection_permissive_cb(void) | |
464 | { | |
465 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
466 | setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1, | |
467 | NULL, NULL); | |
468 | EXECUTE_TEST(execute_MSG_check_received_test, tear_down); | |
469 | return result; | |
470 | } | |
471 | ||
472 | static int test_MSG_check_received_check_transaction_id(void) | |
473 | { | |
474 | /* Transaction id belonging to CMP_IR_rmprotection.der */ | |
475 | const unsigned char trans_id[OSSL_CMP_TRANSACTIONID_LENGTH] = { | |
476 | 0x39, 0xB6, 0x90, 0x28, 0xC4, 0xBC, 0x7A, 0xF6, | |
477 | 0xBE, 0xC6, 0x4A, 0x88, 0x97, 0xA6, 0x95, 0x0B | |
478 | }; | |
479 | ||
480 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
481 | setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1, | |
482 | trans_id, NULL); | |
483 | EXECUTE_TEST(execute_MSG_check_received_test, tear_down); | |
484 | return result; | |
485 | } | |
486 | ||
487 | static int test_MSG_check_received_check_transaction_id_bad(void) | |
488 | { | |
489 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
490 | setup_check_received(&fixture, -1, allow_unprotected, 1, rand_data, NULL); | |
491 | EXECUTE_TEST(execute_MSG_check_received_test, tear_down); | |
492 | return result; | |
493 | } | |
494 | ||
495 | static int test_MSG_check_received_check_recipient_nonce(void) | |
496 | { | |
497 | /* Recipient nonce belonging to CMP_IP_ir_rmprotection.der */ | |
498 | const unsigned char rec_nonce[OSSL_CMP_SENDERNONCE_LENGTH] = { | |
499 | 0x48, 0xF1, 0x71, 0x1F, 0xE5, 0xAF, 0x1C, 0x8B, | |
500 | 0x21, 0x97, 0x5C, 0x84, 0x74, 0x49, 0xBA, 0x32 | |
501 | }; | |
502 | ||
503 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
504 | setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1, | |
505 | NULL, rec_nonce); | |
506 | EXECUTE_TEST(execute_MSG_check_received_test, tear_down); | |
507 | return result; | |
508 | } | |
509 | ||
510 | static int test_MSG_check_received_check_recipient_nonce_bad(void) | |
511 | { | |
512 | SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); | |
513 | setup_check_received(&fixture, -1, allow_unprotected, 1, NULL, rand_data); | |
514 | EXECUTE_TEST(execute_MSG_check_received_test, tear_down); | |
515 | return result; | |
516 | } | |
517 | ||
518 | void cleanup_tests(void) | |
519 | { | |
520 | X509_free(srvcert); | |
521 | X509_free(clcert); | |
522 | X509_free(endentity1); | |
523 | X509_free(endentity2); | |
524 | X509_free(intermediate); | |
525 | X509_free(root); | |
526 | X509_free(insta_cert); | |
527 | X509_free(instaca_cert); | |
528 | OSSL_CMP_MSG_free(ir_unprotected); | |
529 | OSSL_CMP_MSG_free(ir_rmprotection); | |
530 | return; | |
531 | } | |
532 | ||
533 | int setup_tests(void) | |
534 | { | |
535 | /* Set test time stamps */ | |
536 | struct tm ts = { 0 }; | |
537 | ||
538 | ts.tm_year = 2018 - 1900; /* 2018 */ | |
539 | ts.tm_mon = 1; /* February */ | |
540 | ts.tm_mday = 18; /* 18th */ | |
541 | test_time_valid = mktime(&ts); /* February 18th 2018 */ | |
542 | ts.tm_year += 10; /* February 18th 2028 */ | |
543 | test_time_after_expiration = mktime(&ts); | |
544 | ||
62dcd2aa DDO |
545 | if (!test_skip_common_options()) { |
546 | TEST_error("Error parsing test options\n"); | |
547 | return 0; | |
548 | } | |
549 | ||
31b28ad9 DDO |
550 | RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH); |
551 | if (!TEST_ptr(server_f = test_get_argument(0)) | |
552 | || !TEST_ptr(client_f = test_get_argument(1)) | |
553 | || !TEST_ptr(endentity1_f = test_get_argument(2)) | |
554 | || !TEST_ptr(endentity2_f = test_get_argument(3)) | |
555 | || !TEST_ptr(root_f = test_get_argument(4)) | |
556 | || !TEST_ptr(intermediate_f = test_get_argument(5)) | |
557 | || !TEST_ptr(ir_protected_f = test_get_argument(6)) | |
558 | || !TEST_ptr(ir_unprotected_f = test_get_argument(7)) | |
559 | || !TEST_ptr(ip_waiting_f = test_get_argument(8)) | |
560 | || !TEST_ptr(ir_rmprotection_f = test_get_argument(9)) | |
561 | || !TEST_ptr(instacert_f = test_get_argument(10)) | |
562 | || !TEST_ptr(instaca_f = test_get_argument(11)) | |
563 | || !TEST_ptr(ir_protected_0_extracerts = test_get_argument(12)) | |
564 | || !TEST_ptr(ir_protected_2_extracerts = test_get_argument(13))) { | |
565 | TEST_error("usage: cmp_vfy_test server.crt client.crt " | |
566 | "EndEntity1.crt EndEntity2.crt " | |
567 | "Root_CA.crt Intermediate_CA.crt " | |
568 | "CMP_IR_protected.der CMP_IR_unprotected.der " | |
569 | "IP_waitingStatus_PBM.der IR_rmprotection.der " | |
570 | "insta.cert.pem insta_ca.cert.pem " | |
571 | "IR_protected_0_extraCerts.der " | |
572 | "IR_protected_2_extraCerts.der\n"); | |
573 | return 0; | |
574 | } | |
575 | ||
576 | /* Load certificates for cert chain */ | |
577 | if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f)) | |
578 | || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f)) | |
579 | || !TEST_ptr(root = load_pem_cert(root_f)) | |
580 | || !TEST_ptr(intermediate = load_pem_cert(intermediate_f))) | |
581 | goto err; | |
582 | ||
583 | if (!TEST_ptr(insta_cert = load_pem_cert(instacert_f)) | |
584 | || !TEST_ptr(instaca_cert = load_pem_cert(instaca_f))) | |
585 | goto err; | |
586 | ||
587 | /* Load certificates for message validation */ | |
588 | if (!TEST_ptr(srvcert = load_pem_cert(server_f)) | |
589 | || !TEST_ptr(clcert = load_pem_cert(client_f))) | |
590 | goto err; | |
591 | if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH))) | |
592 | goto err; | |
593 | if (!TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f)) | |
594 | || !TEST_ptr(ir_rmprotection = load_pkimsg(ir_rmprotection_f))) | |
595 | goto err; | |
596 | ||
597 | /* Message validation tests */ | |
598 | ADD_TEST(test_verify_popo); | |
599 | ADD_TEST(test_verify_popo_bad); | |
600 | ADD_TEST(test_validate_msg_signature_trusted_ok); | |
601 | ADD_TEST(test_validate_msg_signature_trusted_expired); | |
602 | ADD_TEST(test_validate_msg_signature_srvcert_wrong); | |
603 | ADD_TEST(test_validate_msg_signature_bad); | |
604 | ADD_TEST(test_validate_msg_signature_sender_cert_srvcert); | |
605 | ADD_TEST(test_validate_msg_signature_sender_cert_untrusted); | |
606 | ADD_TEST(test_validate_msg_signature_sender_cert_trusted); | |
607 | ADD_TEST(test_validate_msg_signature_sender_cert_extracert); | |
608 | ADD_TEST(test_validate_msg_signature_sender_cert_absent); | |
609 | ADD_TEST(test_validate_msg_signature_expected_sender); | |
610 | ADD_TEST(test_validate_msg_signature_unexpected_sender); | |
611 | ADD_TEST(test_validate_msg_unprotected_request); | |
612 | ADD_TEST(test_validate_msg_mac_alg_protection); | |
613 | ADD_TEST(test_validate_msg_mac_alg_protection_bad); | |
614 | ||
615 | /* Cert path validation tests */ | |
616 | ADD_TEST(test_validate_cert_path_ok); | |
617 | ADD_TEST(test_validate_cert_path_expired); | |
618 | ADD_TEST(test_validate_cert_path_wrong_anchor); | |
619 | ||
620 | ADD_TEST(test_MSG_check_received_no_protection_no_cb); | |
621 | ADD_TEST(test_MSG_check_received_no_protection_restrictive_cb); | |
622 | ADD_TEST(test_MSG_check_received_no_protection_permissive_cb); | |
623 | ADD_TEST(test_MSG_check_received_check_transaction_id); | |
624 | ADD_TEST(test_MSG_check_received_check_transaction_id_bad); | |
625 | ADD_TEST(test_MSG_check_received_check_recipient_nonce); | |
626 | ADD_TEST(test_MSG_check_received_check_recipient_nonce_bad); | |
627 | ||
628 | return 1; | |
629 | ||
630 | err: | |
631 | cleanup_tests(); | |
632 | return 0; | |
633 | ||
634 | } |