[thirdparty/openssl.git] / test / ct_test.c

/*
 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <openssl/ct.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "testutil.h"
#include <openssl/crypto.h>

#ifndef OPENSSL_NO_CT

DEFINE_STACK_OF(SCT)

/* Used when declaring buffers to read text files into */
# define CT_TEST_MAX_FILE_SIZE 8096

static char *certs_dir = NULL;
static char *ct_dir = NULL;

typedef struct ct_test_fixture {
    const char *test_case_name;
    /* The current time in milliseconds */
    uint64_t epoch_time_in_ms;
    /* The CT log store to use during tests */
    CTLOG_STORE* ctlog_store;
    /* Set the following to test handling of SCTs in X509 certificates */
    const char *certs_dir;
    char *certificate_file;
    char *issuer_file;
    /* Expected number of SCTs */
    int expected_sct_count;
    /* Expected number of valid SCTS */
    int expected_valid_sct_count;
    /* Set the following to test handling of SCTs in TLS format */
    const unsigned char *tls_sct_list;
    size_t tls_sct_list_len;
    STACK_OF(SCT) *sct_list;
    /*
     * A file to load the expected SCT text from.
     * This text will be compared to the actual text output during the test.
     * A maximum of |CT_TEST_MAX_FILE_SIZE| bytes will be read of this file.
     */
    const char *sct_dir;
    const char *sct_text_file;
    /* Whether to test the validity of the SCT(s) */
    int test_validity;
} CT_TEST_FIXTURE;

static CT_TEST_FIXTURE *set_up(const char *const test_case_name)
{
    CT_TEST_FIXTURE *fixture = NULL;

    if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
        goto end;
    fixture->test_case_name = test_case_name;
    fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */
    if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new())
            || !TEST_int_eq(
                    CTLOG_STORE_load_default_file(fixture->ctlog_store), 1))
        goto end;
    return fixture;

end:
    if (fixture != NULL)
        CTLOG_STORE_free(fixture->ctlog_store);
    OPENSSL_free(fixture);
    TEST_error("Failed to setup");
    return NULL;
}

static void tear_down(CT_TEST_FIXTURE *fixture)
{
    if (fixture != NULL) {
        CTLOG_STORE_free(fixture->ctlog_store);
        SCT_LIST_free(fixture->sct_list);
    }
    OPENSSL_free(fixture);
}

static X509 *load_pem_cert(const char *dir, const char *file)
{
    X509 *cert = NULL;
    char *file_path = test_mk_file_path(dir, file);

    if (file_path != NULL) {
        BIO *cert_io = BIO_new_file(file_path, "r");

        if (cert_io != NULL)
            cert = PEM_read_bio_X509(cert_io, NULL, NULL, NULL);
        BIO_free(cert_io);
    }

    OPENSSL_free(file_path);
    return cert;
}

static int read_text_file(const char *dir, const char *file,
                          char *buffer, int buffer_length)
{
    int len = -1;
    char *file_path = test_mk_file_path(dir, file);

    if (file_path != NULL) {
        BIO *file_io = BIO_new_file(file_path, "r");

        if (file_io != NULL)
            len = BIO_read(file_io, buffer, buffer_length);
        BIO_free(file_io);
    }

    OPENSSL_free(file_path);
    return len;
}

static int compare_sct_list_printout(STACK_OF(SCT) *sct,
                                     const char *expected_output)
{
    BIO *text_buffer = NULL;
    char *actual_output = NULL;
    int result = 0;

    if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem())))
        goto end;

    SCT_LIST_print(sct, text_buffer, 0, "\n", NULL);

    /* Append \0 because we're about to use the buffer contents as a string. */
    if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
        goto end;

    BIO_get_mem_data(text_buffer, &actual_output);
    if (!TEST_str_eq(actual_output, expected_output))
        goto end;
    result = 1;

end:
    BIO_free(text_buffer);
    return result;
}

static int compare_extension_printout(X509_EXTENSION *extension,
                                      const char *expected_output)
{
    BIO *text_buffer = NULL;
    char *actual_output = NULL;
    int result = 0;

    if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem()))
            || !TEST_true(X509V3_EXT_print(text_buffer, extension,
                                           X509V3_EXT_DEFAULT, 0)))
        goto end;

    /* Append \n because it's easier to create files that end with one. */
    if (!TEST_true(BIO_write(text_buffer, "\n", 1)))
        goto end;

    /* Append \0 because we're about to use the buffer contents as a string. */
    if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
        goto end;

    BIO_get_mem_data(text_buffer, &actual_output);
    if (!TEST_str_eq(actual_output, expected_output))
        goto end;

    result = 1;

end:
    BIO_free(text_buffer);
    return result;
}

static int assert_validity(CT_TEST_FIXTURE *fixture, STACK_OF(SCT) *scts,
                           CT_POLICY_EVAL_CTX *policy_ctx)
{
    int invalid_sct_count = 0;
    int valid_sct_count = 0;
    int i;

    if (!TEST_int_ge(SCT_LIST_validate(scts, policy_ctx), 0))
        return 0;

    for (i = 0; i < sk_SCT_num(scts); ++i) {
        SCT *sct_i = sk_SCT_value(scts, i);

        switch (SCT_get_validation_status(sct_i)) {
        case SCT_VALIDATION_STATUS_VALID:
            ++valid_sct_count;
            break;
        case SCT_VALIDATION_STATUS_INVALID:
            ++invalid_sct_count;
            break;
        case SCT_VALIDATION_STATUS_NOT_SET:
        case SCT_VALIDATION_STATUS_UNKNOWN_LOG:
        case SCT_VALIDATION_STATUS_UNVERIFIED:
        case SCT_VALIDATION_STATUS_UNKNOWN_VERSION:
            /* Ignore other validation statuses. */
            break;
        }
    }

    if (!TEST_int_eq(valid_sct_count, fixture->expected_valid_sct_count)) {
        int unverified_sct_count = sk_SCT_num(scts) -
                                        invalid_sct_count - valid_sct_count;

        TEST_info("%d SCTs failed, %d SCTs unverified",
                  invalid_sct_count, unverified_sct_count);
        return 0;
    }

    return 1;
}

static int execute_cert_test(CT_TEST_FIXTURE *fixture)
{
    int success = 0;
    X509 *cert = NULL, *issuer = NULL;
    STACK_OF(SCT) *scts = NULL;
    SCT *sct = NULL;
    char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
    int sct_text_len = 0;
    unsigned char *tls_sct_list = NULL;
    size_t tls_sct_list_len = 0;
    CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();

    if (fixture->sct_text_file != NULL) {
        sct_text_len = read_text_file(fixture->sct_dir, fixture->sct_text_file,
                                      expected_sct_text,
                                      CT_TEST_MAX_FILE_SIZE - 1);

        if (!TEST_int_ge(sct_text_len, 0))
            goto end;
        expected_sct_text[sct_text_len] = '\0';
    }

    CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(
            ct_policy_ctx, fixture->ctlog_store);

    CT_POLICY_EVAL_CTX_set_time(ct_policy_ctx, fixture->epoch_time_in_ms);

    if (fixture->certificate_file != NULL) {
        int sct_extension_index;
        int i;
        X509_EXTENSION *sct_extension = NULL;

        if (!TEST_ptr(cert = load_pem_cert(fixture->certs_dir,
                                           fixture->certificate_file)))
            goto end;

        CT_POLICY_EVAL_CTX_set1_cert(ct_policy_ctx, cert);

        if (fixture->issuer_file != NULL) {
            if (!TEST_ptr(issuer = load_pem_cert(fixture->certs_dir,
                                                 fixture->issuer_file)))
                goto end;
            CT_POLICY_EVAL_CTX_set1_issuer(ct_policy_ctx, issuer);
        }

        sct_extension_index =
                X509_get_ext_by_NID(cert, NID_ct_precert_scts, -1);
        sct_extension = X509_get_ext(cert, sct_extension_index);
        if (fixture->expected_sct_count > 0) {
            if (!TEST_ptr(sct_extension))
                goto end;

            if (fixture->sct_text_file
                && !compare_extension_printout(sct_extension,
                                               expected_sct_text))
                    goto end;

            scts = X509V3_EXT_d2i(sct_extension);
            for (i = 0; i < sk_SCT_num(scts); ++i) {
                SCT *sct_i = sk_SCT_value(scts, i);

                if (!TEST_int_eq(SCT_get_source(sct_i),
                                 SCT_SOURCE_X509V3_EXTENSION)) {
                    goto end;
                }
            }

            if (fixture->test_validity) {
                if (!assert_validity(fixture, scts, ct_policy_ctx))
                    goto end;
            }
        } else if (!TEST_ptr_null(sct_extension)) {
            goto end;
        }
    }

    if (fixture->tls_sct_list != NULL) {
        const unsigned char *p = fixture->tls_sct_list;

        if (!TEST_ptr(o2i_SCT_LIST(&scts, &p, fixture->tls_sct_list_len)))
            goto end;

        if (fixture->test_validity && cert != NULL) {
            if (!assert_validity(fixture, scts, ct_policy_ctx))
                goto end;
        }

        if (fixture->sct_text_file
            && !compare_sct_list_printout(scts, expected_sct_text)) {
                goto end;
        }

        tls_sct_list_len = i2o_SCT_LIST(scts, &tls_sct_list);
        if (!TEST_mem_eq(fixture->tls_sct_list, fixture->tls_sct_list_len,
                         tls_sct_list, tls_sct_list_len))
            goto end;
    }
    success = 1;

end:
    X509_free(cert);
    X509_free(issuer);
    SCT_LIST_free(scts);
    SCT_free(sct);
    CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
    OPENSSL_free(tls_sct_list);
    return success;
}

# define SETUP_CT_TEST_FIXTURE() SETUP_TEST_FIXTURE(CT_TEST_FIXTURE, set_up)
# define EXECUTE_CT_TEST() EXECUTE_TEST(execute_cert_test, tear_down)

static int test_no_scts_in_certificate(void)
{
    SETUP_CT_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "leaf.pem";
    fixture->issuer_file = "subinterCA.pem";
    fixture->expected_sct_count = 0;
    EXECUTE_CT_TEST();
    return result;
}

static int test_one_sct_in_certificate(void)
{
    SETUP_CT_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "embeddedSCTs1.pem";
    fixture->issuer_file = "embeddedSCTs1_issuer.pem";
    fixture->expected_sct_count = 1;
    fixture->sct_dir = certs_dir;
    fixture->sct_text_file = "embeddedSCTs1.sct";
    EXECUTE_CT_TEST();
    return result;
}

static int test_multiple_scts_in_certificate(void)
{
    SETUP_CT_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "embeddedSCTs3.pem";
    fixture->issuer_file = "embeddedSCTs3_issuer.pem";
    fixture->expected_sct_count = 3;
    fixture->sct_dir = certs_dir;
    fixture->sct_text_file = "embeddedSCTs3.sct";
    EXECUTE_CT_TEST();
    return result;
}

static int test_verify_one_sct(void)
{
    SETUP_CT_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "embeddedSCTs1.pem";
    fixture->issuer_file = "embeddedSCTs1_issuer.pem";
    fixture->expected_sct_count = fixture->expected_valid_sct_count = 1;
    fixture->test_validity = 1;
    EXECUTE_CT_TEST();
    return result;
}

static int test_verify_multiple_scts(void)
{
    SETUP_CT_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "embeddedSCTs3.pem";
    fixture->issuer_file = "embeddedSCTs3_issuer.pem";
    fixture->expected_sct_count = fixture->expected_valid_sct_count = 3;
    fixture->test_validity = 1;
    EXECUTE_CT_TEST();
    return result;
}

static int test_verify_fails_for_future_sct(void)
{
    SETUP_CT_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    fixture->epoch_time_in_ms = 1365094800000ULL; /* Apr 4 17:00:00 2013 GMT */
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "embeddedSCTs1.pem";
    fixture->issuer_file = "embeddedSCTs1_issuer.pem";
    fixture->expected_sct_count = 1;
    fixture->expected_valid_sct_count = 0;
    fixture->test_validity = 1;
    EXECUTE_CT_TEST();
    return result;
}

static int test_decode_tls_sct(void)
{
    const unsigned char tls_sct_list[] = "\x00\x78" /* length of list */
        "\x00\x76"
        "\x00" /* version */
        /* log ID */
        "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
        "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64"
        "\x00\x00\x01\x3D\xDB\x27\xDF\x93" /* timestamp */
        "\x00\x00" /* extensions length */
        "" /* extensions */
        "\x04\x03" /* hash and signature algorithms */
        "\x00\x47" /* signature length */
        /* signature */
        "\x30\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE\x1F\xD6"
        "\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3\xE5\xE2"
        "\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB"
        "\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89"
        "\xED\xBF\x08";

    SETUP_CT_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;
    fixture->tls_sct_list = tls_sct_list;
    fixture->tls_sct_list_len = 0x7a;
    fixture->sct_dir = ct_dir;
    fixture->sct_text_file = "tls1.sct";
    EXECUTE_CT_TEST();
    return result;
}

static int test_encode_tls_sct(void)
{
    const char log_id[] = "3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4LvT9012Q=";
    const uint64_t timestamp = 1;
    const char extensions[] = "";
    const char signature[] = "BAMARzBAMiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUwKI+j5"
            "eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8I";
    SCT *sct = NULL;

    SETUP_CT_TEST_FIXTURE();
    if (fixture == NULL)
        return 0;

    fixture->sct_list = sk_SCT_new_null();
    if (!TEST_ptr(sct = SCT_new_from_base64(SCT_VERSION_V1, log_id,
                                            CT_LOG_ENTRY_TYPE_X509, timestamp,
                                            extensions, signature)))

        return 0;

    sk_SCT_push(fixture->sct_list, sct);
    fixture->sct_dir = ct_dir;
    fixture->sct_text_file = "tls1.sct";
    EXECUTE_CT_TEST();
    return result;
}

/*
 * Tests that the CT_POLICY_EVAL_CTX default time is approximately now.
 * Allow +-10 minutes, as it may compensate for clock skew.
 */
static int test_default_ct_policy_eval_ctx_time_is_now(void)
{
    int success = 0;
    CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
    const time_t default_time =
        (time_t)(CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / 1000);
    const time_t time_tolerance = 600;  /* 10 minutes */

    if (!TEST_time_t_le(abs((int)difftime(time(NULL), default_time)),
                        time_tolerance))
        goto end;

    success = 1;
end:
    CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
    return success;
}

static int test_ctlog_from_base64(void)
{
    CTLOG *ctlogp = NULL;
    const char notb64[] = "\01\02\03\04";
    const char pad[] = "====";
    const char name[] = "name";

    /* We expect these to both fail! */
    if (!TEST_true(!CTLOG_new_from_base64(&ctlogp, notb64, name))
        || !TEST_true(!CTLOG_new_from_base64(&ctlogp, pad, name)))
        return 0;
    return 1;
}
#endif

int setup_tests(void)
{
#ifndef OPENSSL_NO_CT
    if ((ct_dir = getenv("CT_DIR")) == NULL)
        ct_dir = "ct";
    if ((certs_dir = getenv("CERTS_DIR")) == NULL)
        certs_dir = "certs";

    ADD_TEST(test_no_scts_in_certificate);
    ADD_TEST(test_one_sct_in_certificate);
    ADD_TEST(test_multiple_scts_in_certificate);
    ADD_TEST(test_verify_one_sct);
    ADD_TEST(test_verify_multiple_scts);
    ADD_TEST(test_verify_fails_for_future_sct);
    ADD_TEST(test_decode_tls_sct);
    ADD_TEST(test_encode_tls_sct);
    ADD_TEST(test_default_ct_policy_eval_ctx_time_is_now);
    ADD_TEST(test_ctlog_from_base64);
#else
    printf("No CT support\n");
#endif
    return 1;
}
Commit	Line	Data
5dc31221	1	/*
33388b44	2	* Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
5dc31221	3	*
909f1a2e	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
440e5d80 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
5dc31221 RP	8	*/
	9
	10	#include <ctype.h>
	11	#include <stdio.h>
	12	#include <stdlib.h>
	13	#include <string.h>
	14
0cea8832	15	#include <openssl/ct.h>
17436ce5	16	#include <openssl/err.h>
2b2b9684	17	#include <openssl/pem.h>
17436ce5 RL	18	#include <openssl/x509.h>
17436ce5 RL	19	#include <openssl/x509v3.h>
5dc31221	20	#include "testutil.h"
2b1aa198	21	#include <openssl/crypto.h>
5dc31221	22
11c8bc42	23	#ifndef OPENSSL_NO_CT
852c2ed2 RS	24
	25	DEFINE_STACK_OF(SCT)
	26
5dc31221	27	/* Used when declaring buffers to read text files into */
9b579777	28	# define CT_TEST_MAX_FILE_SIZE 8096
5dc31221	29
67336ea4 RL	30	static char *certs_dir = NULL;
67336ea4 RL	31	static char *ct_dir = NULL;
c469a9a8	32
5dc31221 RP	33	typedef struct ct_test_fixture {
5dc31221 RP	34	const char *test_case_name;
1fa9ffd9 RP	35	/* The current time in milliseconds */
1fa9ffd9 RP	36	uint64_t epoch_time_in_ms;
7d054e5a RP	37	/* The CT log store to use during tests */
7d054e5a RP	38	CTLOG_STORE* ctlog_store;
5dc31221	39	/* Set the following to test handling of SCTs in X509 certificates */
c469a9a8 RL	40	const char *certs_dir;
	41	char *certificate_file;
	42	char *issuer_file;
1fa9ffd9	43	/* Expected number of SCTs */
7d054e5a	44	int expected_sct_count;
1fa9ffd9 RP	45	/* Expected number of valid SCTS */
1fa9ffd9 RP	46	int expected_valid_sct_count;
5dc31221	47	/* Set the following to test handling of SCTs in TLS format */
4fc31f75 RP	48	const unsigned char *tls_sct_list;
	49	size_t tls_sct_list_len;
	50	STACK_OF(SCT) *sct_list;
5dc31221 RP	51	/*
	52	* A file to load the expected SCT text from.
	53	* This text will be compared to the actual text output during the test.
	54	* A maximum of \|CT_TEST_MAX_FILE_SIZE\| bytes will be read of this file.
	55	*/
c469a9a8 RL	56	const char *sct_dir;
c469a9a8 RL	57	const char *sct_text_file;
7d054e5a RP	58	/* Whether to test the validity of the SCT(s) */
7d054e5a RP	59	int test_validity;
5dc31221 RP	60	} CT_TEST_FIXTURE;
5dc31221 RP	61
2326bba0	62	static CT_TEST_FIXTURE set_up(const char const test_case_name)
5dc31221	63	{
2326bba0	64	CT_TEST_FIXTURE *fixture = NULL;
50eadf2a	65
2326bba0 P	66	if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
	67	goto end;
	68	fixture->test_case_name = test_case_name;
4d9e8c95	69	fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */
2326bba0	70	if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new())
adcd8e37	71	\|\| !TEST_int_eq(
2326bba0	72	CTLOG_STORE_load_default_file(fixture->ctlog_store), 1))
7d054e5a	73	goto end;
2326bba0	74	return fixture;
5dc31221	75
7d054e5a	76	end:
2326bba0 P	77	if (fixture != NULL)
	78	CTLOG_STORE_free(fixture->ctlog_store);
	79	OPENSSL_free(fixture);
	80	TEST_error("Failed to setup");
	81	return NULL;
5dc31221 RP	82	}
5dc31221 RP	83
2326bba0	84	static void tear_down(CT_TEST_FIXTURE *fixture)
5dc31221	85	{
2326bba0 P	86	if (fixture != NULL) {
	87	CTLOG_STORE_free(fixture->ctlog_store);
	88	SCT_LIST_free(fixture->sct_list);
	89	}
	90	OPENSSL_free(fixture);
5dc31221 RP	91	}
5dc31221 RP	92
c469a9a8	93	static X509 load_pem_cert(const char dir, const char *file)
5dc31221	94	{
5dc31221	95	X509 *cert = NULL;
1a2a3a42	96	char *file_path = test_mk_file_path(dir, file);
5dc31221	97
c469a9a8 RL	98	if (file_path != NULL) {
c469a9a8 RL	99	BIO *cert_io = BIO_new_file(file_path, "r");
5dc31221	100
c469a9a8 RL	101	if (cert_io != NULL)
c469a9a8 RL	102	cert = PEM_read_bio_X509(cert_io, NULL, NULL, NULL);
c469a9a8 RL	103	BIO_free(cert_io);
c469a9a8 RL	104	}
adcd8e37 RS	105
adcd8e37 RS	106	OPENSSL_free(file_path);
5dc31221 RP	107	return cert;
	108	}
	109
c469a9a8 RL	110	static int read_text_file(const char dir, const char file,
c469a9a8 RL	111	char *buffer, int buffer_length)
5dc31221	112	{
adcd8e37	113	int len = -1;
1a2a3a42	114	char *file_path = test_mk_file_path(dir, file);
c469a9a8 RL	115
	116	if (file_path != NULL) {
	117	BIO *file_io = BIO_new_file(file_path, "r");
5dc31221	118
adcd8e37 RS	119	if (file_io != NULL)
	120	len = BIO_read(file_io, buffer, buffer_length);
	121	BIO_free(file_io);
5dc31221 RP	122	}
5dc31221 RP	123
adcd8e37 RS	124	OPENSSL_free(file_path);
adcd8e37 RS	125	return len;
5dc31221 RP	126	}
5dc31221 RP	127
4fc31f75	128	static int compare_sct_list_printout(STACK_OF(SCT) *sct,
adcd8e37	129	const char *expected_output)
5dc31221 RP	130	{
	131	BIO *text_buffer = NULL;
	132	char *actual_output = NULL;
adcd8e37	133	int result = 0;
5dc31221	134
adcd8e37	135	if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem())))
5dc31221	136	goto end;
5dc31221	137
4fc31f75	138	SCT_LIST_print(sct, text_buffer, 0, "\n", NULL);
5dc31221	139
adcd8e37 RS	140	/* Append \0 because we're about to use the buffer contents as a string. */
adcd8e37 RS	141	if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
5dc31221	142	goto end;
5dc31221 RP	143
5dc31221 RP	144	BIO_get_mem_data(text_buffer, &actual_output);
adcd8e37 RS	145	if (!TEST_str_eq(actual_output, expected_output))
	146	goto end;
	147	result = 1;
5dc31221 RP	148
	149	end:
	150	BIO_free(text_buffer);
	151	return result;
	152	}
	153
	154	static int compare_extension_printout(X509_EXTENSION *extension,
	155	const char *expected_output)
	156	{
	157	BIO *text_buffer = NULL;
	158	char *actual_output = NULL;
adcd8e37	159	int result = 0;
5dc31221	160
adcd8e37 RS	161	if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem()))
	162	\|\| !TEST_true(X509V3_EXT_print(text_buffer, extension,
	163	X509V3_EXT_DEFAULT, 0)))
5dc31221	164	goto end;
5dc31221	165
4d9e8c95 KR	166	/* Append \n because it's easier to create files that end with one. */
	167	if (!TEST_true(BIO_write(text_buffer, "\n", 1)))
	168	goto end;
	169
adcd8e37 RS	170	/* Append \0 because we're about to use the buffer contents as a string. */
adcd8e37 RS	171	if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
5dc31221	172	goto end;
5dc31221 RP	173
5dc31221 RP	174	BIO_get_mem_data(text_buffer, &actual_output);
adcd8e37 RS	175	if (!TEST_str_eq(actual_output, expected_output))
adcd8e37 RS	176	goto end;
5dc31221	177
adcd8e37	178	result = 1;
5dc31221 RP	179
	180	end:
	181	BIO_free(text_buffer);
	182	return result;
	183	}
	184
2326bba0	185	static int assert_validity(CT_TEST_FIXTURE fixture, STACK_OF(SCT) scts,
adcd8e37 RS	186	CT_POLICY_EVAL_CTX *policy_ctx)
adcd8e37 RS	187	{
876a1a83 RP	188	int invalid_sct_count = 0;
	189	int valid_sct_count = 0;
	190	int i;
	191
adcd8e37	192	if (!TEST_int_ge(SCT_LIST_validate(scts, policy_ctx), 0))
876a1a83	193	return 0;
876a1a83 RP	194
	195	for (i = 0; i < sk_SCT_num(scts); ++i) {
	196	SCT *sct_i = sk_SCT_value(scts, i);
adcd8e37	197
876a1a83 RP	198	switch (SCT_get_validation_status(sct_i)) {
	199	case SCT_VALIDATION_STATUS_VALID:
	200	++valid_sct_count;
	201	break;
	202	case SCT_VALIDATION_STATUS_INVALID:
	203	++invalid_sct_count;
	204	break;
f3b3d7f0 RS	205	case SCT_VALIDATION_STATUS_NOT_SET:
	206	case SCT_VALIDATION_STATUS_UNKNOWN_LOG:
	207	case SCT_VALIDATION_STATUS_UNVERIFIED:
	208	case SCT_VALIDATION_STATUS_UNKNOWN_VERSION:
876a1a83 RP	209	/* Ignore other validation statuses. */
	210	break;
	211	}
	212	}
	213
2326bba0	214	if (!TEST_int_eq(valid_sct_count, fixture->expected_valid_sct_count)) {
876a1a83	215	int unverified_sct_count = sk_SCT_num(scts) -
adcd8e37 RS	216	invalid_sct_count - valid_sct_count;
	217
	218	TEST_info("%d SCTs failed, %d SCTs unverified",
	219	invalid_sct_count, unverified_sct_count);
876a1a83 RP	220	return 0;
	221	}
	222
	223	return 1;
	224	}
	225
2326bba0	226	static int execute_cert_test(CT_TEST_FIXTURE *fixture)
5dc31221	227	{
ababe86b	228	int success = 0;
7d054e5a RP	229	X509 cert = NULL, issuer = NULL;
7d054e5a RP	230	STACK_OF(SCT) *scts = NULL;
5dc31221 RP	231	SCT *sct = NULL;
	232	char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
	233	int sct_text_len = 0;
4fc31f75 RP	234	unsigned char *tls_sct_list = NULL;
4fc31f75 RP	235	size_t tls_sct_list_len = 0;
7d054e5a	236	CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
5dc31221	237
2326bba0 P	238	if (fixture->sct_text_file != NULL) {
2326bba0 P	239	sct_text_len = read_text_file(fixture->sct_dir, fixture->sct_text_file,
c469a9a8 RL	240	expected_sct_text,
c469a9a8 RL	241	CT_TEST_MAX_FILE_SIZE - 1);
5dc31221	242
adcd8e37	243	if (!TEST_int_ge(sct_text_len, 0))
5dc31221	244	goto end;
5dc31221 RP	245	expected_sct_text[sct_text_len] = '\0';
	246	}
	247
a1bb7708	248	CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(
2326bba0	249	ct_policy_ctx, fixture->ctlog_store);
7d054e5a	250
2326bba0	251	CT_POLICY_EVAL_CTX_set_time(ct_policy_ctx, fixture->epoch_time_in_ms);
1fa9ffd9	252
2326bba0	253	if (fixture->certificate_file != NULL) {
5dc31221	254	int sct_extension_index;
c9cf4bc8	255	int i;
5dc31221	256	X509_EXTENSION *sct_extension = NULL;
5dc31221	257
2326bba0 P	258	if (!TEST_ptr(cert = load_pem_cert(fixture->certs_dir,
2326bba0 P	259	fixture->certificate_file)))
5dc31221	260	goto end;
5dc31221	261
a1bb7708	262	CT_POLICY_EVAL_CTX_set1_cert(ct_policy_ctx, cert);
7d054e5a	263
2326bba0 P	264	if (fixture->issuer_file != NULL) {
	265	if (!TEST_ptr(issuer = load_pem_cert(fixture->certs_dir,
	266	fixture->issuer_file)))
7d054e5a	267	goto end;
a1bb7708	268	CT_POLICY_EVAL_CTX_set1_issuer(ct_policy_ctx, issuer);
7d054e5a RP	269	}
	270
	271	sct_extension_index =
	272	X509_get_ext_by_NID(cert, NID_ct_precert_scts, -1);
5dc31221	273	sct_extension = X509_get_ext(cert, sct_extension_index);
2326bba0	274	if (fixture->expected_sct_count > 0) {
adcd8e37	275	if (!TEST_ptr(sct_extension))
5dc31221	276	goto end;
5dc31221	277
2326bba0	278	if (fixture->sct_text_file
adcd8e37 RS	279	&& !compare_extension_printout(sct_extension,
adcd8e37 RS	280	expected_sct_text))
7d054e5a	281	goto end;
7d054e5a	282
c9cf4bc8 AG	283	scts = X509V3_EXT_d2i(sct_extension);
	284	for (i = 0; i < sk_SCT_num(scts); ++i) {
	285	SCT *sct_i = sk_SCT_value(scts, i);
14db9bbd	286
b9d1ad32 AP	287	if (!TEST_int_eq(SCT_get_source(sct_i),
b9d1ad32 AP	288	SCT_SOURCE_X509V3_EXTENSION)) {
c9cf4bc8	289	goto end;
5da65ef2	290	}
c9cf4bc8	291	}
7d054e5a	292
2326bba0	293	if (fixture->test_validity) {
876a1a83	294	if (!assert_validity(fixture, scts, ct_policy_ctx))
5dc31221 RP	295	goto end;
5dc31221 RP	296	}
adcd8e37	297	} else if (!TEST_ptr_null(sct_extension)) {
5dc31221 RP	298	goto end;
	299	}
	300	}
	301
2326bba0 P	302	if (fixture->tls_sct_list != NULL) {
2326bba0 P	303	const unsigned char *p = fixture->tls_sct_list;
adcd8e37	304
2326bba0	305	if (!TEST_ptr(o2i_SCT_LIST(&scts, &p, fixture->tls_sct_list_len)))
5dc31221	306	goto end;
5dc31221	307
2326bba0	308	if (fixture->test_validity && cert != NULL) {
876a1a83	309	if (!assert_validity(fixture, scts, ct_policy_ctx))
43341433	310	goto end;
43341433 VD	311	}
43341433 VD	312
2326bba0	313	if (fixture->sct_text_file
adcd8e37	314	&& !compare_sct_list_printout(scts, expected_sct_text)) {
5dc31221 RP	315	goto end;
	316	}
	317
4fc31f75	318	tls_sct_list_len = i2o_SCT_LIST(scts, &tls_sct_list);
2326bba0	319	if (!TEST_mem_eq(fixture->tls_sct_list, fixture->tls_sct_list_len,
adcd8e37	320	tls_sct_list, tls_sct_list_len))
5dc31221	321	goto end;
5dc31221	322	}
ababe86b	323	success = 1;
5dc31221 RP	324
	325	end:
	326	X509_free(cert);
7d054e5a RP	327	X509_free(issuer);
7d054e5a RP	328	SCT_LIST_free(scts);
5dc31221	329	SCT_free(sct);
7d054e5a	330	CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
4fc31f75	331	OPENSSL_free(tls_sct_list);
ababe86b	332	return success;
5dc31221 RP	333	}
5dc31221 RP	334
99801878	335	# define SETUP_CT_TEST_FIXTURE() SETUP_TEST_FIXTURE(CT_TEST_FIXTURE, set_up)
9b579777	336	# define EXECUTE_CT_TEST() EXECUTE_TEST(execute_cert_test, tear_down)
5dc31221	337
62b0a0de	338	static int test_no_scts_in_certificate(void)
5dc31221 RP	339	{
5dc31221 RP	340	SETUP_CT_TEST_FIXTURE();
99801878 P	341	if (fixture == NULL)
99801878 P	342	return 0;
2326bba0 P	343	fixture->certs_dir = certs_dir;
	344	fixture->certificate_file = "leaf.pem";
	345	fixture->issuer_file = "subinterCA.pem";
	346	fixture->expected_sct_count = 0;
5dc31221	347	EXECUTE_CT_TEST();
99801878	348	return result;
5dc31221 RP	349	}
5dc31221 RP	350
62b0a0de	351	static int test_one_sct_in_certificate(void)
5dc31221 RP	352	{
5dc31221 RP	353	SETUP_CT_TEST_FIXTURE();
99801878 P	354	if (fixture == NULL)
99801878 P	355	return 0;
2326bba0 P	356	fixture->certs_dir = certs_dir;
	357	fixture->certificate_file = "embeddedSCTs1.pem";
	358	fixture->issuer_file = "embeddedSCTs1_issuer.pem";
	359	fixture->expected_sct_count = 1;
	360	fixture->sct_dir = certs_dir;
	361	fixture->sct_text_file = "embeddedSCTs1.sct";
5dc31221	362	EXECUTE_CT_TEST();
99801878	363	return result;
5dc31221 RP	364	}
5dc31221 RP	365
62b0a0de	366	static int test_multiple_scts_in_certificate(void)
5dc31221 RP	367	{
5dc31221 RP	368	SETUP_CT_TEST_FIXTURE();
99801878 P	369	if (fixture == NULL)
99801878 P	370	return 0;
2326bba0 P	371	fixture->certs_dir = certs_dir;
	372	fixture->certificate_file = "embeddedSCTs3.pem";
	373	fixture->issuer_file = "embeddedSCTs3_issuer.pem";
	374	fixture->expected_sct_count = 3;
	375	fixture->sct_dir = certs_dir;
	376	fixture->sct_text_file = "embeddedSCTs3.sct";
5dc31221	377	EXECUTE_CT_TEST();
99801878	378	return result;
5dc31221 RP	379	}
5dc31221 RP	380
62b0a0de	381	static int test_verify_one_sct(void)
7d054e5a RP	382	{
7d054e5a RP	383	SETUP_CT_TEST_FIXTURE();
99801878 P	384	if (fixture == NULL)
99801878 P	385	return 0;
2326bba0 P	386	fixture->certs_dir = certs_dir;
	387	fixture->certificate_file = "embeddedSCTs1.pem";
	388	fixture->issuer_file = "embeddedSCTs1_issuer.pem";
	389	fixture->expected_sct_count = fixture->expected_valid_sct_count = 1;
	390	fixture->test_validity = 1;
7d054e5a	391	EXECUTE_CT_TEST();
99801878	392	return result;
7d054e5a RP	393	}
7d054e5a RP	394
62b0a0de	395	static int test_verify_multiple_scts(void)
7d054e5a RP	396	{
7d054e5a RP	397	SETUP_CT_TEST_FIXTURE();
99801878 P	398	if (fixture == NULL)
99801878 P	399	return 0;
2326bba0 P	400	fixture->certs_dir = certs_dir;
	401	fixture->certificate_file = "embeddedSCTs3.pem";
	402	fixture->issuer_file = "embeddedSCTs3_issuer.pem";
	403	fixture->expected_sct_count = fixture->expected_valid_sct_count = 3;
	404	fixture->test_validity = 1;
1fa9ffd9	405	EXECUTE_CT_TEST();
99801878	406	return result;
1fa9ffd9 RP	407	}
1fa9ffd9 RP	408
62b0a0de	409	static int test_verify_fails_for_future_sct(void)
1fa9ffd9 RP	410	{
1fa9ffd9 RP	411	SETUP_CT_TEST_FIXTURE();
99801878 P	412	if (fixture == NULL)
99801878 P	413	return 0;
98f29466	414	fixture->epoch_time_in_ms = 1365094800000ULL; /* Apr 4 17:00:00 2013 GMT */
2326bba0 P	415	fixture->certs_dir = certs_dir;
	416	fixture->certificate_file = "embeddedSCTs1.pem";
	417	fixture->issuer_file = "embeddedSCTs1_issuer.pem";
	418	fixture->expected_sct_count = 1;
	419	fixture->expected_valid_sct_count = 0;
	420	fixture->test_validity = 1;
7d054e5a	421	EXECUTE_CT_TEST();
99801878	422	return result;
7d054e5a RP	423	}
7d054e5a RP	424
62b0a0de	425	static int test_decode_tls_sct(void)
5dc31221	426	{
4fc31f75 RP	427	const unsigned char tls_sct_list[] = "\x00\x78" /* length of list */
	428	"\x00\x76"
	429	"\x00" /* version */
5dc31221 RP	430	/* log ID */
	431	"\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
	432	"\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64"
	433	"\x00\x00\x01\x3D\xDB\x27\xDF\x93" /* timestamp */
	434	"\x00\x00" /* extensions length */
	435	"" /* extensions */
	436	"\x04\x03" /* hash and signature algorithms */
	437	"\x00\x47" /* signature length */
dc919c69	438	/* signature */
5dc31221 RP	439	"\x30\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE\x1F\xD6"
	440	"\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3\xE5\xE2"
	441	"\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB"
	442	"\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89"
dc919c69 RP	443	"\xED\xBF\x08";
	444
	445	SETUP_CT_TEST_FIXTURE();
99801878 P	446	if (fixture == NULL)
99801878 P	447	return 0;
2326bba0 P	448	fixture->tls_sct_list = tls_sct_list;
	449	fixture->tls_sct_list_len = 0x7a;
	450	fixture->sct_dir = ct_dir;
	451	fixture->sct_text_file = "tls1.sct";
5dc31221	452	EXECUTE_CT_TEST();
99801878	453	return result;
5dc31221 RP	454	}
5dc31221 RP	455
62b0a0de	456	static int test_encode_tls_sct(void)
5dc31221	457	{
f7a39a5a RP	458	const char log_id[] = "3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4LvT9012Q=";
	459	const uint64_t timestamp = 1;
	460	const char extensions[] = "";
e2635c49 RP	461	const char signature[] = "BAMARzBAMiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUwKI+j5"
e2635c49 RP	462	"eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8I";
765731a8	463	SCT *sct = NULL;
dc919c69	464
5dc31221	465	SETUP_CT_TEST_FIXTURE();
99801878 P	466	if (fixture == NULL)
99801878 P	467	return 0;
5dc31221	468
2326bba0	469	fixture->sct_list = sk_SCT_new_null();
adcd8e37 RS	470	if (!TEST_ptr(sct = SCT_new_from_base64(SCT_VERSION_V1, log_id,
	471	CT_LOG_ENTRY_TYPE_X509, timestamp,
	472	extensions, signature)))
f7a39a5a	473
d836d71b	474	return 0;
4fc31f75	475
2326bba0 P	476	sk_SCT_push(fixture->sct_list, sct);
	477	fixture->sct_dir = ct_dir;
	478	fixture->sct_text_file = "tls1.sct";
5dc31221	479	EXECUTE_CT_TEST();
99801878	480	return result;
5dc31221 RP	481	}
5dc31221 RP	482
ebcb5368 RP	483	/*
	484	* Tests that the CT_POLICY_EVAL_CTX default time is approximately now.
	485	* Allow +-10 minutes, as it may compensate for clock skew.
	486	*/
62b0a0de	487	static int test_default_ct_policy_eval_ctx_time_is_now(void)
ebcb5368 RP	488	{
	489	int success = 0;
	490	CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
bc278f30 MC	491	const time_t default_time =
bc278f30 MC	492	(time_t)(CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / 1000);
ebcb5368 RP	493	const time_t time_tolerance = 600; /* 10 minutes */
ebcb5368 RP	494
b9d1ad32 AP	495	if (!TEST_time_t_le(abs((int)difftime(time(NULL), default_time)),
b9d1ad32 AP	496	time_tolerance))
ebcb5368	497	goto end;
ebcb5368 RP	498
	499	success = 1;
	500	end:
	501	CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
	502	return success;
	503	}
	504
62b0a0de BK	505	static int test_ctlog_from_base64(void)
62b0a0de BK	506	{
efc21a51	507	CTLOG *ctlogp = NULL;
62b0a0de BK	508	const char notb64[] = "\01\02\03\04";
	509	const char pad[] = "====";
	510	const char name[] = "name";
	511
	512	/* We expect these to both fail! */
efc21a51 P	513	if (!TEST_true(!CTLOG_new_from_base64(&ctlogp, notb64, name))
efc21a51 P	514	\|\| !TEST_true(!CTLOG_new_from_base64(&ctlogp, pad, name)))
62b0a0de BK	515	return 0;
	516	return 1;
	517	}
9b579777	518	#endif
62b0a0de	519
ad887416	520	int setup_tests(void)
5dc31221	521	{
9b579777	522	#ifndef OPENSSL_NO_CT
adcd8e37 RS	523	if ((ct_dir = getenv("CT_DIR")) == NULL)
	524	ct_dir = "ct";
	525	if ((certs_dir = getenv("CERTS_DIR")) == NULL)
	526	certs_dir = "certs";
5dc31221 RP	527
	528	ADD_TEST(test_no_scts_in_certificate);
	529	ADD_TEST(test_one_sct_in_certificate);
	530	ADD_TEST(test_multiple_scts_in_certificate);
7d054e5a RP	531	ADD_TEST(test_verify_one_sct);
7d054e5a RP	532	ADD_TEST(test_verify_multiple_scts);
1fa9ffd9	533	ADD_TEST(test_verify_fails_for_future_sct);
5dc31221 RP	534	ADD_TEST(test_decode_tls_sct);
5dc31221 RP	535	ADD_TEST(test_encode_tls_sct);
ebcb5368	536	ADD_TEST(test_default_ct_policy_eval_ctx_time_is_now);
62b0a0de	537	ADD_TEST(test_ctlog_from_base64);
42e055e1	538	#else
42e055e1	539	printf("No CT support\n");
e364c3b2	540	#endif
ad887416	541	return 1;
9b579777	542	}