]>
Commit | Line | Data |
---|---|---|
2b406990 | 1 | /* |
72a7a702 | 2 | * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. |
2b406990 RS |
3 | * |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
176db6dc | 10 | #include "internal/nelem.h" |
2b406990 RS |
11 | #include <string.h> |
12 | #include <openssl/bio.h> | |
13 | #include <openssl/crypto.h> | |
14 | #include <openssl/err.h> | |
15 | #include <openssl/pem.h> | |
16 | #include <openssl/x509.h> | |
17 | ||
18 | #include "testutil.h" | |
2b406990 | 19 | |
329f2f4a RS |
20 | #define PARAM_TIME 1474934400 /* Sep 27th, 2016 */ |
21 | ||
2b406990 RS |
22 | static const char *kCRLTestRoot[] = { |
23 | "-----BEGIN CERTIFICATE-----\n", | |
24 | "MIIDbzCCAlegAwIBAgIJAODri7v0dDUFMA0GCSqGSIb3DQEBCwUAME4xCzAJBgNV\n", | |
25 | "BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW\n", | |
26 | "aWV3MRIwEAYDVQQKDAlCb3JpbmdTU0wwHhcNMTYwOTI2MTUwNjI2WhcNMjYwOTI0\n", | |
27 | "MTUwNjI2WjBOMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG\n", | |
28 | "A1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJQm9yaW5nU1NMMIIBIjANBgkq\n", | |
29 | "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3B\n", | |
30 | "S/dUBpbrzd1aeFzNlI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+\n", | |
31 | "5R/Du0iCb1tCZIPY07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWp\n", | |
32 | "uRqO6rctN9qUoMlTIAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n\n", | |
33 | "8H922qmvPNA9idmX9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbL\n", | |
34 | "P2o9orxGx7aCtnnBZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABo1Aw\n", | |
35 | "TjAdBgNVHQ4EFgQUWPt3N5cZ/CRvubbrkqfBnAqhq94wHwYDVR0jBBgwFoAUWPt3\n", | |
36 | "N5cZ/CRvubbrkqfBnAqhq94wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n", | |
37 | "AQEAORu6M0MOwXy+3VEBwNilfTxyqDfruQsc1jA4PT8Oe8zora1WxE1JB4q2FJOz\n", | |
38 | "EAuM3H/NXvEnBuN+ITvKZAJUfm4NKX97qmjMJwLKWe1gVv+VQTr63aR7mgWJReQN\n", | |
39 | "XdMztlVeZs2dppV6uEg3ia1X0G7LARxGpA9ETbMyCpb39XxlYuTClcbA5ftDN99B\n", | |
40 | "3Xg9KNdd++Ew22O3HWRDvdDpTO/JkzQfzi3sYwUtzMEonENhczJhGf7bQMmvL/w5\n", | |
41 | "24Wxj4Z7KzzWIHsNqE/RIs6RV3fcW61j/mRgW2XyoWnMVeBzvcJr9NXp4VQYmFPw\n", | |
42 | "amd8GKMZQvP0ufGnUn7D7uartA==\n", | |
43 | "-----END CERTIFICATE-----\n", | |
44 | NULL | |
45 | }; | |
46 | ||
47 | static const char *kCRLTestLeaf[] = { | |
48 | "-----BEGIN CERTIFICATE-----\n", | |
49 | "MIIDkDCCAnigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCVVMx\n", | |
50 | "EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEjAQ\n", | |
51 | "BgNVBAoMCUJvcmluZ1NTTDAeFw0xNjA5MjYxNTA4MzFaFw0xNzA5MjYxNTA4MzFa\n", | |
52 | "MEsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQKDAlC\n", | |
53 | "b3JpbmdTU0wxEzARBgNVBAMMCmJvcmluZy5zc2wwggEiMA0GCSqGSIb3DQEBAQUA\n", | |
54 | "A4IBDwAwggEKAoIBAQDc5v1S1M0W+QWM+raWfO0LH8uvqEwuJQgODqMaGnSlWUx9\n", | |
55 | "8iQcnWfjyPja3lWg9K62hSOFDuSyEkysKHDxijz5R93CfLcfnVXjWQDJe7EJTTDP\n", | |
56 | "ozEvxN6RjAeYv7CF000euYr3QT5iyBjg76+bon1p0jHZBJeNPP1KqGYgyxp+hzpx\n", | |
57 | "e0gZmTlGAXd8JQK4v8kpdYwD6PPifFL/jpmQpqOtQmH/6zcLjY4ojmqpEdBqIKIX\n", | |
58 | "+saA29hMq0+NK3K+wgg31RU+cVWxu3tLOIiesETkeDgArjWRS1Vkzbi4v9SJxtNu\n", | |
59 | "OZuAxWiynRJw3JwH/OFHYZIvQqz68ZBoj96cepjPAgMBAAGjezB5MAkGA1UdEwQC\n", | |
60 | "MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl\n", | |
61 | "MB0GA1UdDgQWBBTGn0OVVh/aoYt0bvEKG+PIERqnDzAfBgNVHSMEGDAWgBRY+3c3\n", | |
62 | "lxn8JG+5tuuSp8GcCqGr3jANBgkqhkiG9w0BAQsFAAOCAQEAd2nM8gCQN2Dc8QJw\n", | |
63 | "XSZXyuI3DBGGCHcay/3iXu0JvTC3EiQo8J6Djv7WLI0N5KH8mkm40u89fJAB2lLZ\n", | |
64 | "ShuHVtcC182bOKnePgwp9CNwQ21p0rDEu/P3X46ZvFgdxx82E9xLa0tBB8PiPDWh\n", | |
65 | "lV16jbaKTgX5AZqjnsyjR5o9/mbZVupZJXx5Syq+XA8qiJfstSYJs4KyKK9UOjql\n", | |
66 | "ICkJVKpi2ahDBqX4MOH4SLfzVk8pqSpviS6yaA1RXqjpkxiN45WWaXDldVHMSkhC\n", | |
67 | "5CNXsXi4b1nAntu89crwSLA3rEwzCWeYj+BX7e1T9rr3oJdwOU/2KQtW1js1yQUG\n", | |
68 | "tjJMFw==\n", | |
69 | "-----END CERTIFICATE-----\n", | |
70 | NULL | |
71 | }; | |
72 | ||
73 | static const char *kBasicCRL[] = { | |
74 | "-----BEGIN X509 CRL-----\n", | |
75 | "MIIBpzCBkAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", | |
76 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n", | |
77 | "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoA4wDDAKBgNV\n", | |
78 | "HRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEAnrBKKgvd9x9zwK9rtUvVeFeJ7+LN\n", | |
79 | "ZEAc+a5oxpPNEsJx6hXoApYEbzXMxuWBQoCs5iEBycSGudct21L+MVf27M38KrWo\n", | |
80 | "eOkq0a2siqViQZO2Fb/SUFR0k9zb8xl86Zf65lgPplALun0bV/HT7MJcl04Tc4os\n", | |
81 | "dsAReBs5nqTGNEd5AlC1iKHvQZkM//MD51DspKnDpsDiUVi54h9C1SpfZmX8H2Vv\n", | |
82 | "diyu0fZ/bPAM3VAGawatf/SyWfBMyKpoPXEG39oAzmjjOj8en82psn7m474IGaho\n", | |
83 | "/vBbhl1ms5qQiLYPjm4YELtnXQoFyC72tBjbdFd/ZE9k4CNKDbxFUXFbkw==\n", | |
84 | "-----END X509 CRL-----\n", | |
85 | NULL | |
86 | }; | |
87 | ||
88 | static const char *kRevokedCRL[] = { | |
89 | "-----BEGIN X509 CRL-----\n", | |
90 | "MIIBvjCBpwIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", | |
91 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n", | |
92 | "Qm9yaW5nU1NMFw0xNjA5MjYxNTEyNDRaFw0xNjEwMjYxNTEyNDRaMBUwEwICEAAX\n", | |
93 | "DTE2MDkyNjE1MTIyNlqgDjAMMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEBCwUAA4IB\n", | |
94 | "AQCUGaM4DcWzlQKrcZvI8TMeR8BpsvQeo5BoI/XZu2a8h//PyRyMwYeaOM+3zl0d\n", | |
95 | "sjgCT8b3C1FPgT+P2Lkowv7rJ+FHJRNQkogr+RuqCSPTq65ha4WKlRGWkMFybzVH\n", | |
96 | "NloxC+aU3lgp/NlX9yUtfqYmJek1CDrOOGPrAEAwj1l/BUeYKNGqfBWYJQtPJu+5\n", | |
97 | "OaSvIYGpETCZJscUWODmLEb/O3DM438vLvxonwGqXqS0KX37+CHpUlyhnSovxXxp\n", | |
98 | "Pz4aF+L7OtczxL0GYtD2fR9B7TDMqsNmHXgQrixvvOY7MUdLGbd4RfJL3yA53hyO\n", | |
99 | "xzfKY2TzxLiOmctG0hXFkH5J\n", | |
100 | "-----END X509 CRL-----\n", | |
101 | NULL | |
102 | }; | |
103 | ||
104 | static const char *kBadIssuerCRL[] = { | |
105 | "-----BEGIN X509 CRL-----\n", | |
106 | "MIIBwjCBqwIBATANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJVUzETMBEGA1UE\n", | |
107 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEWMBQGA1UECgwN\n", | |
108 | "Tm90IEJvcmluZ1NTTBcNMTYwOTI2MTUxMjQ0WhcNMTYxMDI2MTUxMjQ0WjAVMBMC\n", | |
109 | "AhAAFw0xNjA5MjYxNTEyMjZaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsF\n", | |
110 | "AAOCAQEAlBmjOA3Fs5UCq3GbyPEzHkfAabL0HqOQaCP12btmvIf/z8kcjMGHmjjP\n", | |
111 | "t85dHbI4Ak/G9wtRT4E/j9i5KML+6yfhRyUTUJKIK/kbqgkj06uuYWuFipURlpDB\n", | |
112 | "cm81RzZaMQvmlN5YKfzZV/clLX6mJiXpNQg6zjhj6wBAMI9ZfwVHmCjRqnwVmCUL\n", | |
113 | "TybvuTmkryGBqREwmSbHFFjg5ixG/ztwzON/Ly78aJ8Bql6ktCl9+/gh6VJcoZ0q\n", | |
114 | "L8V8aT8+Ghfi+zrXM8S9BmLQ9n0fQe0wzKrDZh14EK4sb7zmOzFHSxm3eEXyS98g\n", | |
115 | "Od4cjsc3ymNk88S4jpnLRtIVxZB+SQ==\n", | |
116 | "-----END X509 CRL-----\n", | |
117 | NULL | |
118 | }; | |
119 | ||
120 | /* | |
121 | * This is kBasicCRL but with a critical issuing distribution point | |
122 | * extension. | |
123 | */ | |
124 | static const char *kKnownCriticalCRL[] = { | |
125 | "-----BEGIN X509 CRL-----\n", | |
126 | "MIIBujCBowIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", | |
127 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n", | |
128 | "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCEwHzAKBgNV\n", | |
129 | "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wDQYJKoZIhvcNAQELBQADggEBAA+3\n", | |
130 | "i+5e5Ub8sccfgOBs6WVJFI9c8gvJjrJ8/dYfFIAuCyeocs7DFXn1n13CRZ+URR/Q\n", | |
131 | "mVWgU28+xeusuSPYFpd9cyYTcVyNUGNTI3lwgcE/yVjPaOmzSZKdPakApRxtpKKQ\n", | |
132 | "NN/56aQz3bnT/ZSHQNciRB8U6jiD9V30t0w+FDTpGaG+7bzzUH3UVF9xf9Ctp60A\n", | |
133 | "3mfLe0scas7owSt4AEFuj2SPvcE7yvdOXbu+IEv21cEJUVExJAbhvIweHXh6yRW+\n", | |
134 | "7VVeiNzdIjkZjyTmAzoXGha4+wbxXyBRbfH+XWcO/H+8nwyG8Gktdu2QB9S9nnIp\n", | |
135 | "o/1TpfOMSGhMyMoyPrk=\n", | |
136 | "-----END X509 CRL-----\n", | |
137 | NULL | |
138 | }; | |
139 | ||
140 | /* | |
141 | * kUnknownCriticalCRL is kBasicCRL but with an unknown critical extension. | |
142 | */ | |
143 | static const char *kUnknownCriticalCRL[] = { | |
144 | "-----BEGIN X509 CRL-----\n", | |
145 | "MIIBvDCBpQIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", | |
146 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n", | |
147 | "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCMwITAKBgNV\n", | |
148 | "HRQEAwIBATATBgwqhkiG9xIEAYS3CQABAf8EADANBgkqhkiG9w0BAQsFAAOCAQEA\n", | |
149 | "GvBP0xqL509InMj/3493YVRV+ldTpBv5uTD6jewzf5XdaxEQ/VjTNe5zKnxbpAib\n", | |
150 | "Kf7cwX0PMSkZjx7k7kKdDlEucwVvDoqC+O9aJcqVmM6GDyNb9xENxd0XCXja6MZC\n", | |
151 | "yVgP4AwLauB2vSiEprYJyI1APph3iAEeDm60lTXX/wBM/tupQDDujKh2GPyvBRfJ\n", | |
152 | "+wEDwGg3ICwvu4gO4zeC5qnFR+bpL9t5tOMAQnVZ0NWv+k7mkd2LbHdD44dxrfXC\n", | |
153 | "nhtfERx99SDmC/jtUAJrGhtCO8acr7exCeYcduN7KKCm91OeCJKK6OzWst0Og1DB\n", | |
154 | "kwzzU2rL3G65CrZ7H0SZsQ==\n", | |
155 | "-----END X509 CRL-----\n", | |
156 | NULL | |
157 | }; | |
158 | ||
159 | /* | |
160 | * kUnknownCriticalCRL2 is kBasicCRL but with a critical issuing distribution | |
161 | * point extension followed by an unknown critical extension | |
162 | */ | |
163 | static const char *kUnknownCriticalCRL2[] = { | |
164 | "-----BEGIN X509 CRL-----\n", | |
165 | "MIIBzzCBuAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", | |
166 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n", | |
167 | "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoDYwNDAKBgNV\n", | |
168 | "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wEwYMKoZIhvcSBAGEtwkAAQH/BAAw\n", | |
169 | "DQYJKoZIhvcNAQELBQADggEBACTcpQC8jXL12JN5YzOcQ64ubQIe0XxRAd30p7qB\n", | |
170 | "BTXGpgqBjrjxRfLms7EBYodEXB2oXMsDq3km0vT1MfYdsDD05S+SQ9CDsq/pUfaC\n", | |
171 | "E2WNI5p8WircRnroYvbN2vkjlRbMd1+yNITohXYXCJwjEOAWOx3XIM10bwPYBv4R\n", | |
172 | "rDobuLHoMgL3yHgMHmAkP7YpkBucNqeBV8cCdeAZLuhXFWi6yfr3r/X18yWbC/r2\n", | |
173 | "2xXdkrSqXLFo7ToyP8YKTgiXpya4x6m53biEYwa2ULlas0igL6DK7wjYZX95Uy7H\n", | |
174 | "GKljn9weIYiMPV/BzGymwfv2EW0preLwtyJNJPaxbdin6Jc=\n", | |
175 | "-----END X509 CRL-----\n", | |
176 | NULL | |
177 | }; | |
178 | ||
f5a140f7 P |
179 | static const char **unknown_critical_crls[] = { |
180 | kUnknownCriticalCRL, kUnknownCriticalCRL2 | |
181 | }; | |
182 | ||
183 | static X509 *test_root = NULL; | |
184 | static X509 *test_leaf = NULL; | |
2b406990 RS |
185 | |
186 | /* | |
187 | * Glue an array of strings together. Return a BIO and put the string | |
188 | * into |*out| so we can free it. | |
189 | */ | |
4483fbae | 190 | static BIO *glue2bio(const char **pem, char **out) |
2b406990 | 191 | { |
2b406990 RS |
192 | size_t s = 0; |
193 | ||
4483fbae | 194 | *out = glue_strings(pem, &s); |
2b406990 RS |
195 | return BIO_new_mem_buf(*out, s); |
196 | } | |
197 | ||
198 | /* | |
199 | * Create a CRL from an array of strings. | |
200 | */ | |
201 | static X509_CRL *CRL_from_strings(const char **pem) | |
202 | { | |
203 | char *p; | |
4483fbae | 204 | BIO *b = glue2bio(pem, &p); |
2b406990 RS |
205 | X509_CRL *crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); |
206 | ||
207 | OPENSSL_free(p); | |
208 | BIO_free(b); | |
209 | return crl; | |
210 | } | |
211 | ||
212 | /* | |
213 | * Create an X509 from an array of strings. | |
214 | */ | |
215 | static X509 *X509_from_strings(const char **pem) | |
216 | { | |
217 | char *p; | |
4483fbae | 218 | BIO *b = glue2bio(pem, &p); |
2b406990 RS |
219 | X509 *x = PEM_read_bio_X509(b, NULL, NULL, NULL); |
220 | ||
221 | OPENSSL_free(p); | |
222 | BIO_free(b); | |
223 | return x; | |
224 | } | |
225 | ||
226 | /* | |
227 | * Verify |leaf| certificate (chained up to |root|). |crls| if | |
228 | * not NULL, is a list of CRLs to include in the verification. It is | |
229 | * also free'd before returning, which is kinda yucky but convenient. | |
230 | * Returns a value from X509_V_ERR_xxx or X509_V_OK. | |
231 | */ | |
232 | static int verify(X509 *leaf, X509 *root, STACK_OF(X509_CRL) *crls, | |
233 | unsigned long flags) | |
234 | { | |
235 | X509_STORE_CTX *ctx = X509_STORE_CTX_new(); | |
236 | X509_STORE *store = X509_STORE_new(); | |
237 | X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); | |
238 | STACK_OF(X509) *roots = sk_X509_new_null(); | |
239 | int status = X509_V_ERR_UNSPECIFIED; | |
240 | ||
f5a140f7 P |
241 | if (!TEST_ptr(ctx) |
242 | || !TEST_ptr(store) | |
243 | || !TEST_ptr(param) | |
244 | || !TEST_ptr(roots)) | |
2b406990 RS |
245 | goto err; |
246 | ||
247 | /* Create a stack; upref the cert because we free it below. */ | |
248 | X509_up_ref(root); | |
f5a140f7 P |
249 | if (!TEST_true(sk_X509_push(roots, root)) |
250 | || !TEST_true(X509_STORE_CTX_init(ctx, store, leaf, NULL))) | |
2b406990 RS |
251 | goto err; |
252 | X509_STORE_CTX_set0_trusted_stack(ctx, roots); | |
253 | X509_STORE_CTX_set0_crls(ctx, crls); | |
329f2f4a | 254 | X509_VERIFY_PARAM_set_time(param, PARAM_TIME); |
3a63c0ed | 255 | if (!TEST_long_eq((long)X509_VERIFY_PARAM_get_time(param), PARAM_TIME)) |
329f2f4a | 256 | goto err; |
2b406990 RS |
257 | X509_VERIFY_PARAM_set_depth(param, 16); |
258 | if (flags) | |
259 | X509_VERIFY_PARAM_set_flags(param, flags); | |
260 | X509_STORE_CTX_set0_param(ctx, param); | |
85155346 | 261 | param = NULL; |
2b406990 RS |
262 | |
263 | ERR_clear_error(); | |
264 | status = X509_verify_cert(ctx) == 1 ? X509_V_OK | |
265 | : X509_STORE_CTX_get_error(ctx); | |
266 | err: | |
267 | sk_X509_pop_free(roots, X509_free); | |
268 | sk_X509_CRL_pop_free(crls, X509_CRL_free); | |
85155346 | 269 | X509_VERIFY_PARAM_free(param); |
2b406990 RS |
270 | X509_STORE_CTX_free(ctx); |
271 | X509_STORE_free(store); | |
272 | return status; | |
273 | } | |
274 | ||
275 | /* | |
276 | * Create a stack of CRL's. Upref each one because we call pop_free on | |
277 | * the stack and need to keep the CRL's around until the test exits. | |
278 | * Yes this crashes on malloc failure; it forces us to debug. | |
279 | */ | |
280 | static STACK_OF(X509_CRL) *make_CRL_stack(X509_CRL *x1, X509_CRL *x2) | |
281 | { | |
282 | STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null(); | |
283 | ||
284 | sk_X509_CRL_push(sk, x1); | |
285 | X509_CRL_up_ref(x1); | |
286 | if (x2 != NULL) { | |
287 | sk_X509_CRL_push(sk, x2); | |
288 | X509_CRL_up_ref(x2); | |
289 | } | |
290 | return sk; | |
291 | } | |
292 | ||
f5a140f7 | 293 | static int test_basic_crl(void) |
2b406990 | 294 | { |
2b406990 RS |
295 | X509_CRL *basic_crl = CRL_from_strings(kBasicCRL); |
296 | X509_CRL *revoked_crl = CRL_from_strings(kRevokedCRL); | |
f5a140f7 P |
297 | int r; |
298 | ||
299 | r = TEST_ptr(basic_crl) | |
300 | && TEST_ptr(revoked_crl) | |
301 | && TEST_int_eq(verify(test_leaf, test_root, | |
302 | make_CRL_stack(basic_crl, NULL), | |
303 | X509_V_FLAG_CRL_CHECK), X509_V_OK) | |
304 | && TEST_int_eq(verify(test_leaf, test_root, | |
305 | make_CRL_stack(basic_crl, revoked_crl), | |
306 | X509_V_FLAG_CRL_CHECK), X509_V_ERR_CERT_REVOKED); | |
307 | X509_CRL_free(basic_crl); | |
308 | X509_CRL_free(revoked_crl); | |
309 | return r; | |
310 | } | |
2b406990 | 311 | |
f5a140f7 P |
312 | static int test_no_crl(void) |
313 | { | |
314 | return TEST_int_eq(verify(test_leaf, test_root, NULL, | |
315 | X509_V_FLAG_CRL_CHECK), | |
316 | X509_V_ERR_UNABLE_TO_GET_CRL); | |
317 | } | |
2b406990 | 318 | |
f5a140f7 P |
319 | static int test_bad_issuer_crl(void) |
320 | { | |
321 | X509_CRL *bad_issuer_crl = CRL_from_strings(kBadIssuerCRL); | |
322 | int r; | |
2b406990 | 323 | |
f5a140f7 P |
324 | r = TEST_ptr(bad_issuer_crl) |
325 | && TEST_int_eq(verify(test_leaf, test_root, | |
326 | make_CRL_stack(bad_issuer_crl, NULL), | |
327 | X509_V_FLAG_CRL_CHECK), | |
328 | X509_V_ERR_UNABLE_TO_GET_CRL); | |
329 | X509_CRL_free(bad_issuer_crl); | |
330 | return r; | |
331 | } | |
2b406990 | 332 | |
f5a140f7 P |
333 | static int test_known_critical_crl(void) |
334 | { | |
335 | X509_CRL *known_critical_crl = CRL_from_strings(kKnownCriticalCRL); | |
336 | int r; | |
2b406990 | 337 | |
f5a140f7 P |
338 | r = TEST_ptr(known_critical_crl) |
339 | && TEST_int_eq(verify(test_leaf, test_root, | |
340 | make_CRL_stack(known_critical_crl, NULL), | |
341 | X509_V_FLAG_CRL_CHECK), X509_V_OK); | |
342 | X509_CRL_free(known_critical_crl); | |
343 | return r; | |
344 | } | |
2b406990 | 345 | |
f5a140f7 P |
346 | static int test_unknown_critical_crl(int n) |
347 | { | |
348 | X509_CRL *unknown_critical_crl = CRL_from_strings(unknown_critical_crls[n]); | |
349 | int r; | |
350 | ||
351 | r = TEST_ptr(unknown_critical_crl) | |
352 | && TEST_int_eq(verify(test_leaf, test_root, | |
353 | make_CRL_stack(unknown_critical_crl, NULL), | |
354 | X509_V_FLAG_CRL_CHECK), | |
355 | X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION); | |
356 | X509_CRL_free(unknown_critical_crl); | |
357 | return r; | |
358 | } | |
2b406990 | 359 | |
7193394a BE |
360 | static int test_reuse_crl(void) |
361 | { | |
362 | X509_CRL *reused_crl = CRL_from_strings(kBasicCRL); | |
363 | char *p; | |
364 | BIO *b = glue2bio(kRevokedCRL, &p); | |
365 | ||
366 | reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL); | |
367 | ||
368 | OPENSSL_free(p); | |
369 | BIO_free(b); | |
370 | X509_CRL_free(reused_crl); | |
371 | return 1; | |
372 | } | |
373 | ||
ad887416 | 374 | int setup_tests(void) |
f5a140f7 | 375 | { |
f5a140f7 P |
376 | if (!TEST_ptr(test_root = X509_from_strings(kCRLTestRoot)) |
377 | || !TEST_ptr(test_leaf = X509_from_strings(kCRLTestLeaf))) | |
ad887416 | 378 | return 0; |
2b406990 | 379 | |
f5a140f7 P |
380 | ADD_TEST(test_no_crl); |
381 | ADD_TEST(test_basic_crl); | |
382 | ADD_TEST(test_bad_issuer_crl); | |
383 | ADD_TEST(test_known_critical_crl); | |
384 | ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls)); | |
7193394a | 385 | ADD_TEST(test_reuse_crl); |
ad887416 P |
386 | return 1; |
387 | } | |
2b406990 | 388 | |
ad887416 P |
389 | void cleanup_tests(void) |
390 | { | |
f5a140f7 P |
391 | X509_free(test_root); |
392 | X509_free(test_leaf); | |
2b406990 | 393 | } |