From: Dr. David von Oheimb Date: Wed, 22 Oct 2025 15:36:14 +0000 (+0200) Subject: cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more... X-Git-Tag: openssl-4.0.0~102 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f48e58305757b2c4eb13869659c7770a4df7e9c;p=thirdparty%2Fopenssl.git cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more check its revocation and chain Reviewed-by: Neil Horman Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/28973) (cherry picked from commit 525a4f1efbab0d3c2aff59ab8e671b8d9f35ddee) --- diff --git a/apps/include/cmp_mock_srv.h b/apps/include/cmp_mock_srv.h index 215b95b744a..d05f99ea044 100644 --- a/apps/include/cmp_mock_srv.h +++ b/apps/include/cmp_mock_srv.h @@ -19,6 +19,8 @@ OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq); void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx); +OSSL_CMP_MSG *ossl_cmp_mock_server_perform(OSSL_CMP_CTX *ctx, + const OSSL_CMP_MSG *req); int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert); int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert); @@ -34,6 +36,7 @@ int ossl_cmp_mock_srv_set1_oldWithNew(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert); int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status, int fail_info, const char *text); int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype); +int ossl_cmp_mock_srv_set_useBadProtection(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype); int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count); int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec); diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index 24c52b30de6..caae0ae3b80 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c @@ -10,6 +10,7 @@ #include "apps.h" #include "cmp_mock_srv.h" +#include "../../crypto/cmp/cmp_local.h" /* for access to msg->protection */ #include #include @@ -28,6 +29,7 @@ typedef struct { X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */ OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */ int sendError; /* send error response on given request type */ + int useBadProtection; /* use bad protection on given response type */ OSSL_CMP_MSG *req; /* original request message during polling */ int pollCount; /* number of polls before actual cert response */ int curr_pollCount; /* number of polls so far for current request */ @@ -59,6 +61,7 @@ static mock_srv_ctx *mock_srv_ctx_new(void) goto err; ctx->sendError = -1; + ctx->useBadProtection = -1; /* all other elements are initialized to 0 or NULL, respectively */ return ctx; @@ -187,6 +190,19 @@ int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype) return 1; } +int ossl_cmp_mock_srv_set_useBadProtection(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype) +{ + mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); + + if (ctx == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); + return 0; + } + /* might check bodytype, but this would require exporting all body types */ + ctx->useBadProtection = bodytype; + return 1; +} + int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count) { mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); @@ -713,6 +729,25 @@ static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, return 1; } +OSSL_CMP_MSG *ossl_cmp_mock_server_perform(OSSL_CMP_CTX *ctx, + const OSSL_CMP_MSG *req) +{ + OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_CTX_get_transfer_cb_arg(ctx); + OSSL_CMP_MSG *rsp = OSSL_CMP_CTX_server_perform(ctx, req); + + if (srv_ctx != NULL && rsp != NULL) { + mock_srv_ctx *mock_ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); + + if (mock_ctx != NULL && OSSL_CMP_MSG_get_bodytype(rsp) == mock_ctx->useBadProtection) { + ASN1_BIT_STRING *prot = rsp->protection; + + if (prot != NULL && prot->length != 0 && prot->data != NULL) + prot->data[0] ^= 0x80; /* flip most significant bit of the first byte */ + } + } + return rsp; +} + OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq) { OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq); diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index 3e5973158d8..8c6afa8607d 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c @@ -140,6 +140,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, int time_left; OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb; + ctx->status = OSSL_CMP_PKISTATUS_trans; #ifndef OPENSSL_NO_HTTP if (transfer_cb == NULL) transfer_cb = OSSL_CMP_MSG_http_perform; @@ -166,7 +167,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, /* should print error queue since transfer_cb may call ERR_clear_error() */ OSSL_CMP_CTX_print_errors(ctx); - if (ctx->server != NULL) + if (ctx->server != NULL || ctx->transfer_cb != NULL) ossl_cmp_log1(INFO, ctx, "sending %s", req_type_str); *rep = (*transfer_cb)(ctx, req); @@ -180,6 +181,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, return 0; } + ctx->status = OSSL_CMP_PKISTATUS_checking_response; bt = OSSL_CMP_MSG_get_bodytype(*rep); /* * The body type in the 'bt' variable is not yet verified. @@ -275,11 +277,15 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid, "received 'waiting' PKIStatus, starting to poll for response"); *rep = NULL; for (;;) { + int bak = ctx->status; + + ctx->status = OSSL_CMP_PKISTATUS_request; if ((preq = ossl_cmp_pollReq_new(ctx, rid)) == NULL) goto err; if (!send_receive_check(ctx, preq, &prep, OSSL_CMP_PKIBODY_POLLREP)) goto err; + ctx->status = bak; /* handle potential pollRep */ if (OSSL_CMP_MSG_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) { @@ -335,6 +341,7 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid, int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL)); if (time_left <= 0) { + ctx->status = OSSL_CMP_PKISTATUS_trans; ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT); goto err; } @@ -446,7 +453,9 @@ int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, OSSL_CMP_MSG *certConf; OSSL_CMP_MSG *PKIconf = NULL; int res = 0; + int bak = ctx->status; + ctx->status = OSSL_CMP_PKISTATUS_request; /* OSSL_CMP_certConf_new() also checks if all necessary options are set */ certConf = ossl_cmp_certConf_new(ctx, certReqId, fail_info, txt); if (certConf == NULL) @@ -455,6 +464,9 @@ int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, res = send_receive_also_delayed(ctx, certConf, &PKIconf, OSSL_CMP_PKIBODY_PKICONF); + if (res) + ctx->status = bak; + err: OSSL_CMP_MSG_free(certConf); OSSL_CMP_MSG_free(PKIconf); @@ -470,6 +482,7 @@ int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, OSSL_CMP_MSG *PKIconf = NULL; int res = 0; + ctx->status = OSSL_CMP_PKISTATUS_request; /* not overwriting ctx->status on error exchange */ if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, txt)) == NULL) goto err; @@ -479,6 +492,7 @@ int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, res = send_receive_also_delayed(ctx, error, &PKIconf, OSSL_CMP_PKIBODY_PKICONF); + ctx->status = OSSL_CMP_PKISTATUS_rejected_by_client; err: OSSL_CMP_MSG_free(error); @@ -781,7 +795,7 @@ retry: ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED, "rejecting newly enrolled cert with subject: %s; %s", subj, txt); - ctx->status = OSSL_CMP_PKISTATUS_rejection; + ctx->status = OSSL_CMP_PKISTATUS_rejected_by_client; ret = 0; } OPENSSL_free(subj); @@ -803,7 +817,6 @@ static int initial_certreq(OSSL_CMP_CTX *ctx, if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL) return 0; - ctx->status = OSSL_CMP_PKISTATUS_trans; res = send_receive_check(ctx, req, p_rep, rep_type); OSSL_CMP_MSG_free(req); return res; @@ -909,7 +922,6 @@ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) if ((rr = ossl_cmp_rr_new(ctx)) == NULL) goto end; - ctx->status = OSSL_CMP_PKISTATUS_trans; if (!send_receive_also_delayed(ctx, rr, &rp, OSSL_CMP_PKIBODY_RP)) goto end; @@ -1029,7 +1041,6 @@ STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx) if ((genm = ossl_cmp_genm_new(ctx)) == NULL) goto err; - ctx->status = OSSL_CMP_PKISTATUS_trans; if (!send_receive_also_delayed(ctx, genm, &genp, OSSL_CMP_PKIBODY_GENP)) goto err; ctx->status = OSSL_CMP_PKISTATUS_accepted; diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c index a28cafd7047..0f161df1b62 100644 --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c @@ -380,13 +380,12 @@ err: return valid; } +/* checks protection of msg but not cert revocation nor cert chain */ static int check_msg_given_cert(const OSSL_CMP_CTX *ctx, X509 *cert, const OSSL_CMP_MSG *msg) { return cert_acceptable(ctx, "previously validated", "sender cert", - cert, NULL, NULL, msg) - && (check_cert_path(ctx, ctx->trusted, cert) - || check_cert_path_3gpp(ctx, msg, cert)); + cert, NULL, NULL, msg); } /*- @@ -496,11 +495,13 @@ static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) (void)ERR_set_mark(); ctx->log_cb = NULL; /* temporarily disable logging */ - /* - * try first cached scrt, used successfully earlier in same transaction, - * for validating this and any further msgs where extraCerts may be left out - */ if (scrt != NULL) { + /*- + * try first using cached message sender cert (in 'scrt' variable), + * which was used successfully earlier in the same transaction + * (assuming that the certificate itself was not revoked meanwhile and + * is a good guess for use in validating also the current message) + */ if (check_msg_given_cert(ctx, scrt, msg)) { ctx->log_cb = backup_log_cb; (void)ERR_pop_to_mark(); diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 13b5b895e3e..d62afe61aa4 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -736,9 +736,15 @@ implements a form of trust-on-first-use (TOFU). =item B<-no_cache_extracerts> Do not cache certificates in the extraCerts field of CMP messages received. -By default, they are kept as they may be helful for validating further messages. +By default, they are kept as they may be helpful for validating further messages. This option applies to both CMP clients and the mock server. +In any case, after successfully validating an incoming message, its protection +certificate (if any) is cached for reuse with validation of subsequent messages. +This is done not only for efficiency but also +to eliminate the need for the sender to include its certificate and related chain +in the extraCerts field of subsequent messages of the same transaction. + =item B<-srvcertout> I The file where to save the successfully validated certificate, if any, diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index a99702b83a3..6f40173b6e4 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -361,6 +361,12 @@ implements a form of trust-on-first-use (TOFU). Do not cache certificates received in the extraCerts CMP message field. Otherwise they are stored to potentially help validate further messages. +In any case, after successfully validating an incoming message, its protection +certificate (if any) is cached for reuse with validation of subsequent messages. +This is done not only for efficiency but also +to eliminate the need for the sender to include its certificate and related chain +in the extraCerts field of subsequent messages of the same transaction. + =back OSSL_CMP_CTX_get_option() reads the current value of the given option diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index 096fe41b196..639197eef38 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -197,6 +197,8 @@ typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO; * -- CertReqMsg * } */ +#define OSSL_CMP_PKISTATUS_rejected_by_client -5 +#define OSSL_CMP_PKISTATUS_checking_response -4 #define OSSL_CMP_PKISTATUS_request -3 #define OSSL_CMP_PKISTATUS_trans -2 #define OSSL_CMP_PKISTATUS_unspecified -1 diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c index 50e3906fde6..f080fe16158 100644 --- a/test/cmp_client_test.c +++ b/test/cmp_client_test.c @@ -35,7 +35,7 @@ static EVP_PKEY *server_key = NULL; static X509 *server_cert = NULL; static EVP_PKEY *client_key = NULL; static X509 *client_cert = NULL; -static unsigned char ref[CMP_TEST_REFVALUE_LENGTH]; +static unsigned char ref[CMP_TEST_REFVALUE_LENGTH]; /* not actually used */ /* * For these unit tests, the client abandons message protection, and for @@ -51,6 +51,30 @@ static void tear_down(CMP_SES_TEST_FIXTURE *fixture) OPENSSL_free(fixture); } +static int set_simple_trust(OSSL_CMP_CTX *ctx, X509 *trusted) +{ + X509_STORE *ts = X509_STORE_new(); + X509_VERIFY_PARAM *vpm; + + /* + * not simply using OSSL_CMP_CTX_set1_srvCert() (to pin the server cert) + * in order to make sure that validated server cert gets cached, + * which is needed for the negative test case test_exec_KUR_bad_pkiConf_protection + */ + if (ts == NULL || !X509_STORE_add_cert(ts, trusted)) + goto err; + + vpm = X509_STORE_get0_param(ts); + if (!X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME | X509_V_FLAG_PARTIAL_CHAIN) + || !OSSL_CMP_CTX_set0_trusted(ctx, ts)) + goto err; + + return 1; +err: + X509_STORE_free(ts); + return 0; +} + static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name) { CMP_SES_TEST_FIXTURE *fixture; @@ -70,15 +94,15 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name) goto err; if (!TEST_ptr(fixture->cmp_ctx = ctx = OSSL_CMP_CTX_new(libctx, NULL)) || !OSSL_CMP_CTX_set_log_cb(fixture->cmp_ctx, print_to_bio_out) - || !OSSL_CMP_CTX_set_transfer_cb(ctx, OSSL_CMP_CTX_server_perform) + /* using default verbosity: OSSL_CMP_LOG_INFO */ + || !OSSL_CMP_CTX_set_transfer_cb(ctx, ossl_cmp_mock_server_perform) || !OSSL_CMP_CTX_set_transfer_cb_arg(ctx, fixture->srv_ctx) || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1) - || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, 1) || !OSSL_CMP_CTX_set1_oldCert(ctx, client_cert) || !OSSL_CMP_CTX_set1_pkey(ctx, client_key) /* client_key is by default used also for newPkey */ - || !OSSL_CMP_CTX_set1_srvCert(ctx, server_cert) - || !OSSL_CMP_CTX_set1_referenceValue(ctx, ref, sizeof(ref))) + || !set_simple_trust(ctx, server_cert) + || !OSSL_CMP_CTX_set1_referenceValue(ctx, ref, sizeof(ref))) /* not actually needed */ goto err; fixture->req_type = -1; return fixture; @@ -143,9 +167,7 @@ static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture) int status = OSSL_CMP_CTX_get_status(ctx); print_errors_PKIStatusInfo(ctx); - if (!TEST_int_eq(status, fixture->expected) - && !(fixture->expected == OSSL_CMP_PKISTATUS_waiting - && TEST_int_eq(status, OSSL_CMP_PKISTATUS_trans))) + if (!TEST_int_eq(status, fixture->expected)) return 0; if (fixture->expected != OSSL_CMP_PKISTATUS_accepted) return TEST_ptr_null(res); @@ -249,9 +271,9 @@ static int test_exec_IR_ses_poll_no_timeout(void) static int test_exec_IR_ses_poll_total_timeout(void) { - return !test_exec_REQ_ses_poll(OSSL_CMP_PKIBODY_IR, checkAfter, + return test_exec_REQ_ses_poll(OSSL_CMP_PKIBODY_IR, checkAfter, 3 /* pollCount */, checkAfter + 4, - OSSL_CMP_PKISTATUS_waiting); + OSSL_CMP_PKISTATUS_trans); } static int test_exec_CR_ses(int implicit_confirm, int granted, int reject) @@ -281,7 +303,9 @@ static int test_exec_CR_ses_implicit_confirm(void) && test_exec_CR_ses(1, 1 /* granted */, 0); } -static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified) +/* the KUR transactions include certConf/pkiConf */ +static int test_exec_KUR_ses(int transfer_error, int server_use_bad_protection, + int pubkey, int raverified) { SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); fixture->req_type = OSSL_CMP_PKIBODY_KUR; @@ -289,6 +313,8 @@ static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified) if (transfer_error) OSSL_CMP_CTX_set_transfer_cb_arg(fixture->cmp_ctx, NULL); + (void)ossl_cmp_mock_srv_set_useBadProtection(fixture->srv_ctx, server_use_bad_protection); + if (pubkey) { EVP_PKEY *key = raverified /* wrong key */ ? server_key : client_key; @@ -301,7 +327,8 @@ static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified) if (pubkey || raverified) OSSL_CMP_CTX_set_option(fixture->cmp_ctx, OSSL_CMP_OPT_POPO_METHOD, OSSL_CRMF_POPO_RAVERIFIED); - fixture->expected = transfer_error ? OSSL_CMP_PKISTATUS_trans : raverified ? OSSL_CMP_PKISTATUS_rejection + fixture->expected = transfer_error ? OSSL_CMP_PKISTATUS_trans : raverified ? (pubkey ? OSSL_CMP_PKISTATUS_rejected_by_client : OSSL_CMP_PKISTATUS_rejection) + : server_use_bad_protection != -1 ? OSSL_CMP_PKISTATUS_checking_response : OSSL_CMP_PKISTATUS_accepted; EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down); return result; @@ -309,18 +336,23 @@ static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified) static int test_exec_KUR_ses_ok(void) { - return test_exec_KUR_ses(0, 0, 0); + return test_exec_KUR_ses(0, -1, 0, 0); } static int test_exec_KUR_ses_transfer_error(void) { - return test_exec_KUR_ses(1, 0, 0); + return test_exec_KUR_ses(1, -1, 0, 0); +} + +static int test_exec_KUR_bad_pkiConf_protection(void) +{ + return test_exec_KUR_ses(0, OSSL_CMP_PKIBODY_PKICONF, 0, 0); } static int test_exec_KUR_ses_wrong_popo(void) { #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION /* cf ossl_cmp_verify_popo() */ - return test_exec_KUR_ses(0, 0, 1); + return test_exec_KUR_ses(0, -1, 0, 1); #else return 1; #endif @@ -328,12 +360,12 @@ static int test_exec_KUR_ses_wrong_popo(void) static int test_exec_KUR_ses_pub(void) { - return test_exec_KUR_ses(0, 1, 0); + return test_exec_KUR_ses(0, -1, 1, 0); } static int test_exec_KUR_ses_wrong_pub(void) { - return test_exec_KUR_ses(0, 1, 1); + return test_exec_KUR_ses(0, -1, 1, 1); } static int test_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, @@ -355,7 +387,7 @@ static int test_exec_P10CR_ses(int reject) SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); fixture->req_type = OSSL_CMP_PKIBODY_P10CR; - fixture->expected = reject ? OSSL_CMP_PKISTATUS_rejection + fixture->expected = reject ? OSSL_CMP_PKISTATUS_rejected_by_client : OSSL_CMP_PKISTATUS_accepted; ctx = fixture->cmp_ctx; if (!TEST_ptr(csr = load_csr_der(pkcs10_f, libctx)) @@ -451,7 +483,7 @@ static int test_exec_GENM_ses_poll_total_timeout(void) { return test_exec_REQ_ses_poll(OSSL_CMP_PKIBODY_GENM, checkAfter, 3 /* pollCount */, checkAfter + 2, - OSSL_CMP_PKISTATUS_waiting); + OSSL_CMP_PKISTATUS_trans); } static int test_exec_GENM_ses(int transfer_error, int total_timeout, int expect) @@ -561,7 +593,7 @@ int setup_tests(void) || !TEST_ptr(server_cert = load_cert_pem(server_cert_f, libctx)) || !TEST_ptr(client_key = load_pkey_pem(client_key_f, libctx)) || !TEST_ptr(client_cert = load_cert_pem(client_cert_f, libctx)) - || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref), 0))) { + || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref), 0))) { /* not actually used */ cleanup_tests(); return 0; } @@ -577,6 +609,7 @@ int setup_tests(void) ADD_TEST(test_exec_IR_ses_poll_total_timeout); ADD_TEST(test_exec_KUR_ses_ok); ADD_TEST(test_exec_KUR_ses_transfer_error); + ADD_TEST(test_exec_KUR_bad_pkiConf_protection); ADD_TEST(test_exec_KUR_ses_wrong_popo); ADD_TEST(test_exec_KUR_ses_pub); ADD_TEST(test_exec_KUR_ses_wrong_pub); diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index c6c54239b1d..9e77baa4b12 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv @@ -147,6 +147,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 0,using popo 1 with -centralkeygen, -section,, -cmd,cr,, -centralkeygen, -popo,1, -newkeyout,_RESULT_DIR/newkeyout.pem 1, using popo -1 redundantly with -centralkeygen, -section,, -cmd,cr,, -centralkeygen, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout2.pem 1, using popo -1 alternatively to -centralkeygen, -section,, -cmd,cr,, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout3.pem, -newkeypass,pass:12345, -certout,_RESULT_DIR/test.cert3.pem -1, using centrally generated key (and cert) , -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345 +1, using centrally generated key (and cert) with existing chain, -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345, -extracerts, issuing.crt +1, using centrally generated key (and cert) without giving chain (requires sender cert caching), -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345, -extracerts, "" 0, using centrally generated key with wrong password, -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:wrong 0, using popo -1 (instead of -centralkeygen) without -newkeyout, -section,, -cmd,cr,, -popo,-1,,BLANK,,BLANK,,BLANK,,BLANK