]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/cmp_protect_test.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
fix various formatting nits in CMP contribution chunks 1-6 found by the new util...
[thirdparty/openssl.git] / test / cmp_protect_test.c
1 /*
2 * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 #include "cmp_testlib.h"
13
14 static const char *ir_protected_f;
15 static const char *ir_unprotected_f;
16 static const char *ip_PBM_f;
17
18 typedef struct test_fixture {
19 const char *test_case_name;
20 OSSL_CMP_CTX *cmp_ctx;
21 /* for protection tests */
22 OSSL_CMP_MSG *msg;
23 OSSL_CMP_PKISI *si; /* for error and response messages */
24 ASN1_OCTET_STRING *secret;
25 EVP_PKEY *privkey;
26 EVP_PKEY *pubkey;
27 unsigned char *mem;
28 int memlen;
29 X509 *cert;
30 STACK_OF(X509) *certs;
31 STACK_OF(X509) *chain;
32 int callback_arg;
33 int expected;
34 } CMP_PROTECT_TEST_FIXTURE;
35
36 static void tear_down(CMP_PROTECT_TEST_FIXTURE *fixture)
37 {
38 OSSL_CMP_CTX_free(fixture->cmp_ctx);
39 OSSL_CMP_MSG_free(fixture->msg);
40 ASN1_OCTET_STRING_free(fixture->secret);
41 OSSL_CMP_PKISI_free(fixture->si);
42
43 OPENSSL_free(fixture->mem);
44 sk_X509_free(fixture->certs);
45 sk_X509_free(fixture->chain);
46
47 OPENSSL_free(fixture);
48 }
49
50 static CMP_PROTECT_TEST_FIXTURE *set_up(const char *const test_case_name)
51 {
52 CMP_PROTECT_TEST_FIXTURE *fixture;
53
54 if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
55 return NULL;
56 fixture->test_case_name = test_case_name;
57 if (!TEST_ptr(fixture->cmp_ctx = OSSL_CMP_CTX_new())) {
58 tear_down(fixture);
59 return NULL;
60 }
61 return fixture;
62 }
63
64 static EVP_PKEY *loadedprivkey = NULL;
65 static EVP_PKEY *loadedpubkey = NULL;
66 static EVP_PKEY *loadedkey = NULL;
67 static X509 *cert = NULL;
68 static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH];
69 static OSSL_CMP_MSG *ir_unprotected, *ir_protected;
70 static X509 *endentity1 = NULL, *endentity2 = NULL,
71 *root = NULL, *intermediate = NULL;
72
73 static int execute_calc_protection_fails_test(CMP_PROTECT_TEST_FIXTURE *fixture)
74 {
75 ASN1_BIT_STRING *protection =
76 ossl_cmp_calc_protection(fixture->msg, fixture->secret,
77 fixture->privkey);
78 int res = TEST_ptr_null(protection);
79
80 ASN1_BIT_STRING_free(protection);
81 return res;
82 }
83
84 static int execute_calc_protection_pbmac_test(CMP_PROTECT_TEST_FIXTURE *fixture)
85 {
86 ASN1_BIT_STRING *protection =
87 ossl_cmp_calc_protection(fixture->msg, fixture->secret, NULL);
88 int res = TEST_ptr(protection)
89 && TEST_true(ASN1_STRING_cmp(protection,
90 fixture->msg->protection) == 0);
91
92 ASN1_BIT_STRING_free(protection);
93 return res;
94 }
95
96 /*
97 * This function works similarly to parts of CMP_verify_signature in cmp_vfy.c,
98 * but without the need for a OSSL_CMP_CTX or a X509 certificate
99 */
100 static int verify_signature(OSSL_CMP_MSG *msg,
101 ASN1_BIT_STRING *protection,
102 EVP_PKEY *pkey, int digest_nid)
103 {
104 CMP_PROTECTEDPART prot_part;
105 unsigned char *prot_part_der = NULL;
106 int len;
107 EVP_MD_CTX *ctx = NULL;
108 const EVP_MD *digest = EVP_get_digestbynid(digest_nid);
109 int res;
110
111 prot_part.header = OSSL_CMP_MSG_get0_header(msg);
112 prot_part.body = msg->body;
113 res =
114 TEST_int_ge(len = i2d_CMP_PROTECTEDPART(&prot_part, &prot_part_der), 0)
115 && TEST_ptr(ctx = EVP_MD_CTX_new())
116 && TEST_true(EVP_DigestVerifyInit(ctx, NULL, digest, NULL, pkey))
117 && TEST_int_eq(EVP_DigestVerify(ctx, protection->data,
118 protection->length,
119 prot_part_der, len), 1);
120 /* cleanup */
121 EVP_MD_CTX_free(ctx);
122 OPENSSL_free(prot_part_der);
123 return res;
124 }
125
126 /* Calls OSSL_CMP_calc_protection and compares and verifies signature */
127 static int execute_calc_protection_signature_test(CMP_PROTECT_TEST_FIXTURE *
128 fixture)
129 {
130 ASN1_BIT_STRING *protection =
131 ossl_cmp_calc_protection(fixture->msg, NULL, fixture->privkey);
132 int ret = (TEST_ptr(protection)
133 && TEST_true(ASN1_STRING_cmp(protection,
134 fixture->msg->protection) == 0)
135 && TEST_true(verify_signature(fixture->msg, protection,
136 fixture->pubkey,
137 fixture->cmp_ctx->digest)));
138
139 ASN1_BIT_STRING_free(protection);
140 return ret;
141 }
142
143 static int test_cmp_calc_protection_no_key_no_secret(void)
144 {
145 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
146 if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f))
147 || !TEST_ptr(fixture->msg->header->protectionAlg =
148 X509_ALGOR_new() /* no specific alg needed here */)) {
149 tear_down(fixture);
150 fixture = NULL;
151 }
152
153 EXECUTE_TEST(execute_calc_protection_fails_test, tear_down);
154 return result;
155 }
156
157 static int test_cmp_calc_protection_pkey(void)
158 {
159 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
160 fixture->pubkey = loadedpubkey;
161 fixture->privkey = loadedprivkey;
162 if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))) {
163 tear_down(fixture);
164 fixture = NULL;
165 }
166 EXECUTE_TEST(execute_calc_protection_signature_test, tear_down);
167 return result;
168 }
169
170 static int test_cmp_calc_protection_pbmac(void)
171 {
172 unsigned char sec_insta[] = { 'i', 'n', 's', 't', 'a' };
173
174 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
175 if (!TEST_ptr(fixture->secret = ASN1_OCTET_STRING_new())
176 || !TEST_true(ASN1_OCTET_STRING_set
177 (fixture->secret, sec_insta, sizeof(sec_insta)))
178 || !TEST_ptr(fixture->msg = load_pkimsg(ip_PBM_f))) {
179 tear_down(fixture);
180 fixture = NULL;
181 }
182 EXECUTE_TEST(execute_calc_protection_pbmac_test, tear_down);
183 return result;
184 }
185 static int execute_MSG_protect_test(CMP_PROTECT_TEST_FIXTURE *fixture)
186 {
187 return TEST_int_eq(fixture->expected,
188 ossl_cmp_msg_protect(fixture->cmp_ctx, fixture->msg));
189 }
190
191 #define SET_OPT_UNPROTECTED_SEND(ctx, val) \
192 OSSL_CMP_CTX_set_option((ctx), OSSL_CMP_OPT_UNPROTECTED_SEND, (val))
193 static int test_MSG_protect_unprotected_request(void)
194 {
195 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
196
197 fixture->expected = 1;
198 if (!TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected))
199 || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 1))) {
200 tear_down(fixture);
201 fixture = NULL;
202 }
203 EXECUTE_TEST(execute_MSG_protect_test, tear_down);
204 return result;
205 }
206
207 static int test_MSG_protect_with_msg_sig_alg_protection_plus_rsa_key(void)
208 {
209 const size_t size = sizeof(rand_data) / 2;
210
211 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
212 fixture->expected = 1;
213
214 if (!TEST_ptr(fixture->msg =
215 OSSL_CMP_MSG_dup(ir_unprotected))
216 || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0))
217 /*
218 * Use half of the 16 bytes of random input
219 * for each reference and secret value
220 */
221 || !TEST_true(OSSL_CMP_CTX_set1_referenceValue(fixture->cmp_ctx,
222 rand_data, size))
223 || !TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx,
224 rand_data + size,
225 size))) {
226 tear_down(fixture);
227 fixture = NULL;
228 }
229 EXECUTE_TEST(execute_MSG_protect_test, tear_down);
230 return result;
231 }
232
233 static int test_MSG_protect_with_certificate_and_key(void)
234 {
235 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
236 fixture->expected = 1;
237
238 if (!TEST_ptr(fixture->msg =
239 OSSL_CMP_MSG_dup(ir_unprotected))
240 || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0))
241 || !TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedkey))
242 || !TEST_true(OSSL_CMP_CTX_set1_clCert(fixture->cmp_ctx, cert))) {
243 tear_down(fixture);
244 fixture = NULL;
245 }
246 EXECUTE_TEST(execute_MSG_protect_test, tear_down);
247 return result;
248 }
249
250 static int test_MSG_protect_certificate_based_without_cert(void)
251 {
252 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
253 OSSL_CMP_CTX *ctx = fixture->cmp_ctx;
254
255 fixture->expected = 0;
256 if (!TEST_ptr(fixture->msg =
257 OSSL_CMP_MSG_dup(ir_unprotected))
258 || !TEST_true(SET_OPT_UNPROTECTED_SEND(ctx, 0))
259 || !TEST_true(OSSL_CMP_CTX_set0_newPkey(ctx, 1, loadedkey))) {
260 tear_down(fixture);
261 fixture = NULL;
262 }
263 EVP_PKEY_up_ref(loadedkey);
264 EXECUTE_TEST(execute_MSG_protect_test, tear_down);
265 return result;
266 }
267
268 static int test_MSG_protect_no_key_no_secret(void)
269 {
270 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
271 fixture->expected = 0;
272 if (!TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected))
273 || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0))) {
274 tear_down(fixture);
275 fixture = NULL;
276 }
277 EXECUTE_TEST(execute_MSG_protect_test, tear_down);
278 return result;
279 }
280
281 static int execute_MSG_add_extraCerts_test(CMP_PROTECT_TEST_FIXTURE *fixture)
282 {
283 return TEST_true(ossl_cmp_msg_add_extraCerts(fixture->cmp_ctx,
284 fixture->msg));
285 }
286
287 static int test_MSG_add_extraCerts(void)
288 {
289 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
290 if (!TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_protected))) {
291 tear_down(fixture);
292 fixture = NULL;
293 }
294 EXECUTE_TEST(execute_MSG_add_extraCerts_test, tear_down);
295 return result;
296 }
297
298 #ifndef OPENSSL_NO_EC
299 /* The cert chain tests use EC certs so we skip them in no-ec builds */
300 static int execute_cmp_build_cert_chain_test(CMP_PROTECT_TEST_FIXTURE *fixture)
301 {
302 STACK_OF(X509) *result = NULL;
303 int ret = 0;
304
305 if (TEST_ptr(result = ossl_cmp_build_cert_chain(fixture->certs,
306 fixture->cert))) {
307 /* Check whether chain built is equal to the expected one */
308 ret = TEST_int_eq(0, STACK_OF_X509_cmp(result, fixture->chain));
309 sk_X509_pop_free(result, X509_free);
310 }
311 return ret;
312 }
313
314 static int test_cmp_build_cert_chain(void)
315 {
316 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
317 fixture->cert = endentity2;
318 if (!TEST_ptr(fixture->certs = sk_X509_new_null())
319 || !TEST_ptr(fixture->chain = sk_X509_new_null())
320 || !TEST_true(sk_X509_push(fixture->certs, endentity1))
321 || !TEST_true(sk_X509_push(fixture->certs, root))
322 || !TEST_true(sk_X509_push(fixture->certs, intermediate))
323 || !TEST_true(sk_X509_push(fixture->chain, endentity2))
324 || !TEST_true(sk_X509_push(fixture->chain, intermediate))) {
325 tear_down(fixture);
326 fixture = NULL;
327 }
328 EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
329 return result;
330 }
331
332 static int test_cmp_build_cert_chain_missing_intermediate(void)
333 {
334 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
335 fixture->cert = endentity2;
336 if (!TEST_ptr(fixture->certs = sk_X509_new_null())
337 || !TEST_ptr(fixture->chain = sk_X509_new_null())
338 || !TEST_true(sk_X509_push(fixture->certs, endentity1))
339 || !TEST_true(sk_X509_push(fixture->certs, root))
340 || !TEST_true(sk_X509_push(fixture->chain, endentity2))) {
341 tear_down(fixture);
342 fixture = NULL;
343 }
344 EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
345 return result;
346 }
347
348 static int test_cmp_build_cert_chain_missing_root(void)
349 {
350 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
351 fixture->cert = endentity2;
352 if (!TEST_ptr(fixture->certs = sk_X509_new_null())
353 || !TEST_ptr(fixture->chain = sk_X509_new_null())
354 || !TEST_true(sk_X509_push(fixture->certs, endentity1))
355 || !TEST_true(sk_X509_push(fixture->certs, intermediate))
356 || !TEST_true(sk_X509_push(fixture->chain, endentity2))
357 || !TEST_true(sk_X509_push(fixture->chain, intermediate))) {
358 tear_down(fixture);
359 fixture = NULL;
360 }
361 EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
362 return result;
363 }
364
365 static int test_cmp_build_cert_chain_no_certs(void)
366 {
367 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
368 fixture->cert = endentity2;
369 if (!TEST_ptr(fixture->certs = sk_X509_new_null())
370 || !TEST_ptr(fixture->chain = sk_X509_new_null())
371 || !TEST_true(sk_X509_push(fixture->chain, endentity2))) {
372 tear_down(fixture);
373 fixture = NULL;
374 }
375 EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
376 return result;
377 }
378 #endif /* OPENSSL_NO_EC */
379
380 static int execute_X509_STORE_test(CMP_PROTECT_TEST_FIXTURE *fixture)
381 {
382 X509_STORE *store = X509_STORE_new();
383 STACK_OF(X509) *sk = NULL;
384 int res = 0;
385
386 if (!TEST_true(ossl_cmp_X509_STORE_add1_certs(store,
387 fixture->certs,
388 fixture->callback_arg)))
389 goto err;
390 sk = ossl_cmp_X509_STORE_get1_certs(store);
391 if (!TEST_int_eq(0, STACK_OF_X509_cmp(sk, fixture->chain)))
392 goto err;
393 res = 1;
394 err:
395 X509_STORE_free(store);
396 sk_X509_pop_free(sk, X509_free);
397 return res;
398
399 }
400
401 static int test_X509_STORE(void)
402 {
403 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
404 fixture->callback_arg = 0; /* self-issued allowed */
405 if (!TEST_ptr(fixture->certs = sk_X509_new_null())
406 || !sk_X509_push(fixture->certs, endentity1)
407 || !sk_X509_push(fixture->certs, endentity2)
408 || !sk_X509_push(fixture->certs, root)
409 || !sk_X509_push(fixture->certs, intermediate)
410 || !TEST_ptr(fixture->chain = sk_X509_dup(fixture->certs))) {
411 tear_down(fixture);
412 fixture = NULL;
413 }
414 EXECUTE_TEST(execute_X509_STORE_test, tear_down);
415 return result;
416 }
417
418 static int test_X509_STORE_only_self_issued(void)
419 {
420 SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
421 fixture->certs = sk_X509_new_null();
422 fixture->chain = sk_X509_new_null();
423 fixture->callback_arg = 1; /* only self-issued */
424 if (!TEST_true(sk_X509_push(fixture->certs, endentity1))
425 || !TEST_true(sk_X509_push(fixture->certs, endentity2))
426 || !TEST_true(sk_X509_push(fixture->certs, root))
427 || !TEST_true(sk_X509_push(fixture->certs, intermediate))
428 || !TEST_true(sk_X509_push(fixture->chain, root))) {
429 tear_down(fixture);
430 fixture = NULL;
431 }
432 EXECUTE_TEST(execute_X509_STORE_test, tear_down);
433 return result;
434 }
435
436
437 void cleanup_tests(void)
438 {
439 EVP_PKEY_free(loadedprivkey);
440 EVP_PKEY_free(loadedpubkey);
441 EVP_PKEY_free(loadedkey);
442 X509_free(cert);
443 X509_free(endentity1);
444 X509_free(endentity2);
445 X509_free(root);
446 X509_free(intermediate);
447 OSSL_CMP_MSG_free(ir_protected);
448 OSSL_CMP_MSG_free(ir_unprotected);
449
450 }
451
452 int setup_tests(void)
453 {
454 char *server_f;
455 char *server_key_f;
456 char *server_cert_f;
457 char *endentity1_f;
458 char *endentity2_f;
459 char *root_f;
460 char *intermediate_f;
461
462 if (!test_skip_common_options()) {
463 TEST_error("Error parsing test options\n");
464 return 0;
465 }
466
467 RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH);
468 if (!TEST_ptr(server_f = test_get_argument(0))
469 || !TEST_ptr(ir_protected_f = test_get_argument(1))
470 || !TEST_ptr(ir_unprotected_f = test_get_argument(2))
471 || !TEST_ptr(ip_PBM_f = test_get_argument(3))
472 || !TEST_ptr(server_cert_f = test_get_argument(4))
473 || !TEST_ptr(server_key_f = test_get_argument(5))
474 || !TEST_ptr(endentity1_f = test_get_argument(6))
475 || !TEST_ptr(endentity2_f = test_get_argument(7))
476 || !TEST_ptr(root_f = test_get_argument(8))
477 || !TEST_ptr(intermediate_f = test_get_argument(9))) {
478 TEST_error("usage: cmp_protect_test server.pem "
479 "IR_protected.der IR_unprotected.der IP_PBM.der "
480 "server.crt server.pem"
481 "EndEntity1.crt EndEntity2.crt "
482 "Root_CA.crt Intermediate_CA.crt\n");
483 return 0;
484 }
485 if (!TEST_ptr(loadedkey = load_pem_key(server_key_f))
486 || !TEST_ptr(cert = load_pem_cert(server_cert_f)))
487 return 0;
488
489 if (!TEST_ptr(loadedprivkey = load_pem_key(server_f)))
490 return 0;
491 if (TEST_true(EVP_PKEY_up_ref(loadedprivkey)))
492 loadedpubkey = loadedprivkey;
493 if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f))
494 || !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f)))
495 return 0;
496 if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f))
497 || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f))
498 || !TEST_ptr(root = load_pem_cert(root_f))
499 || !TEST_ptr(intermediate = load_pem_cert(intermediate_f)))
500 return 0;
501 if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH)))
502 return 0;
503
504 /* Message protection tests */
505 ADD_TEST(test_cmp_calc_protection_no_key_no_secret);
506 ADD_TEST(test_cmp_calc_protection_pkey);
507 ADD_TEST(test_cmp_calc_protection_pbmac);
508
509 ADD_TEST(test_MSG_protect_with_msg_sig_alg_protection_plus_rsa_key);
510 ADD_TEST(test_MSG_protect_with_certificate_and_key);
511 ADD_TEST(test_MSG_protect_certificate_based_without_cert);
512 ADD_TEST(test_MSG_protect_unprotected_request);
513 ADD_TEST(test_MSG_protect_no_key_no_secret);
514
515 ADD_TEST(test_MSG_add_extraCerts);
516
517 #ifndef OPENSSL_NO_EC
518 ADD_TEST(test_cmp_build_cert_chain);
519 ADD_TEST(test_cmp_build_cert_chain_missing_root);
520 ADD_TEST(test_cmp_build_cert_chain_missing_intermediate);
521 ADD_TEST(test_cmp_build_cert_chain_no_certs);
522 #endif
523
524 ADD_TEST(test_X509_STORE);
525 ADD_TEST(test_X509_STORE_only_self_issued);
526
527 return 1;
528 }
A mirror of the official openssl repository