| crltest.c (1.1.1.3) | crltest.c (1.1.1.1) |
|---|---|
| 1/* | 1/* |
| 2 * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. | 2 * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. |
| 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 | 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 |
| 10#include "internal/nelem.h" | 10#include <stdio.h> 11#include "../e_os.h" |
| 11#include <string.h> 12#include <openssl/bio.h> 13#include <openssl/crypto.h> 14#include <openssl/err.h> 15#include <openssl/pem.h> 16#include <openssl/x509.h> 17 18#include "testutil.h" --- 152 unchanged lines hidden (view full) --- 171 "E2WNI5p8WircRnroYvbN2vkjlRbMd1+yNITohXYXCJwjEOAWOx3XIM10bwPYBv4R\n", 172 "rDobuLHoMgL3yHgMHmAkP7YpkBucNqeBV8cCdeAZLuhXFWi6yfr3r/X18yWbC/r2\n", 173 "2xXdkrSqXLFo7ToyP8YKTgiXpya4x6m53biEYwa2ULlas0igL6DK7wjYZX95Uy7H\n", 174 "GKljn9weIYiMPV/BzGymwfv2EW0preLwtyJNJPaxbdin6Jc=\n", 175 "-----END X509 CRL-----\n", 176 NULL 177}; 178 | 12#include <string.h> 13#include <openssl/bio.h> 14#include <openssl/crypto.h> 15#include <openssl/err.h> 16#include <openssl/pem.h> 17#include <openssl/x509.h> 18 19#include "testutil.h" --- 152 unchanged lines hidden (view full) --- 172 "E2WNI5p8WircRnroYvbN2vkjlRbMd1+yNITohXYXCJwjEOAWOx3XIM10bwPYBv4R\n", 173 "rDobuLHoMgL3yHgMHmAkP7YpkBucNqeBV8cCdeAZLuhXFWi6yfr3r/X18yWbC/r2\n", 174 "2xXdkrSqXLFo7ToyP8YKTgiXpya4x6m53biEYwa2ULlas0igL6DK7wjYZX95Uy7H\n", 175 "GKljn9weIYiMPV/BzGymwfv2EW0preLwtyJNJPaxbdin6Jc=\n", 176 "-----END X509 CRL-----\n", 177 NULL 178}; 179 |
| 179static const char **unknown_critical_crls[] = { 180 kUnknownCriticalCRL, kUnknownCriticalCRL2 181}; | |
| 182 | 180 |
| 183static X509 *test_root = NULL; 184static X509 *test_leaf = NULL; 185 | |
| 186/* 187 * Glue an array of strings together. Return a BIO and put the string 188 * into |*out| so we can free it. 189 */ | 181/* 182 * Glue an array of strings together. Return a BIO and put the string 183 * into |*out| so we can free it. 184 */ |
| 190static BIO *glue2bio(const char **pem, char **out) | 185static BIO *glue(const char **pem, char **out) |
| 191{ | 186{ |
| 187 char *dest; 188 int i; |
|
| 192 size_t s = 0; 193 | 189 size_t s = 0; 190 |
| 194 *out = glue_strings(pem, &s); | 191 /* Glue the strings together. */ 192 for (i = 0; pem[i] != NULL; ++i) 193 s += strlen(pem[i]); 194 dest = *out = OPENSSL_malloc(s + 1); 195 if (dest == NULL) 196 return NULL; 197 for (i = 0; pem[i] != NULL; ++i) 198 dest += strlen(strcpy(dest, pem[i])); |
| 195 return BIO_new_mem_buf(*out, s); 196} 197 198/* 199 * Create a CRL from an array of strings. 200 */ 201static X509_CRL *CRL_from_strings(const char **pem) 202{ 203 char *p; | 199 return BIO_new_mem_buf(*out, s); 200} 201 202/* 203 * Create a CRL from an array of strings. 204 */ 205static X509_CRL *CRL_from_strings(const char **pem) 206{ 207 char *p; |
| 204 BIO *b = glue2bio(pem, &p); | 208 BIO *b = glue(pem, &p); |
| 205 X509_CRL *crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); 206 207 OPENSSL_free(p); 208 BIO_free(b); 209 return crl; 210} 211 212/* 213 * Create an X509 from an array of strings. 214 */ 215static X509 *X509_from_strings(const char **pem) 216{ 217 char *p; | 209 X509_CRL *crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); 210 211 OPENSSL_free(p); 212 BIO_free(b); 213 return crl; 214} 215 216/* 217 * Create an X509 from an array of strings. 218 */ 219static X509 *X509_from_strings(const char **pem) 220{ 221 char *p; |
| 218 BIO *b = glue2bio(pem, &p); | 222 BIO *b = glue(pem, &p); |
| 219 X509 *x = PEM_read_bio_X509(b, NULL, NULL, NULL); 220 221 OPENSSL_free(p); 222 BIO_free(b); 223 return x; 224} 225 226/* --- 6 unchanged lines hidden (view full) --- 233 unsigned long flags) 234{ 235 X509_STORE_CTX *ctx = X509_STORE_CTX_new(); 236 X509_STORE *store = X509_STORE_new(); 237 X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); 238 STACK_OF(X509) *roots = sk_X509_new_null(); 239 int status = X509_V_ERR_UNSPECIFIED; 240 | 223 X509 *x = PEM_read_bio_X509(b, NULL, NULL, NULL); 224 225 OPENSSL_free(p); 226 BIO_free(b); 227 return x; 228} 229 230/* --- 6 unchanged lines hidden (view full) --- 237 unsigned long flags) 238{ 239 X509_STORE_CTX *ctx = X509_STORE_CTX_new(); 240 X509_STORE *store = X509_STORE_new(); 241 X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); 242 STACK_OF(X509) *roots = sk_X509_new_null(); 243 int status = X509_V_ERR_UNSPECIFIED; 244 |
| 241 if (!TEST_ptr(ctx) 242 || !TEST_ptr(store) 243 || !TEST_ptr(param) 244 || !TEST_ptr(roots)) | 245 if (ctx == NULL || store == NULL || param == NULL || roots == NULL) |
| 245 goto err; 246 247 /* Create a stack; upref the cert because we free it below. */ 248 X509_up_ref(root); | 246 goto err; 247 248 /* Create a stack; upref the cert because we free it below. */ 249 X509_up_ref(root); |
| 249 if (!TEST_true(sk_X509_push(roots, root)) 250 || !TEST_true(X509_STORE_CTX_init(ctx, store, leaf, NULL))) | 250 if (!sk_X509_push(roots, root)) |
| 251 goto err; | 251 goto err; |
| 252 253 if (!X509_STORE_CTX_init(ctx, store, leaf, NULL)) 254 goto err; |
|
| 252 X509_STORE_CTX_set0_trusted_stack(ctx, roots); 253 X509_STORE_CTX_set0_crls(ctx, crls); 254 X509_VERIFY_PARAM_set_time(param, PARAM_TIME); | 255 X509_STORE_CTX_set0_trusted_stack(ctx, roots); 256 X509_STORE_CTX_set0_crls(ctx, crls); 257 X509_VERIFY_PARAM_set_time(param, PARAM_TIME); |
| 255 if (!TEST_long_eq((long)X509_VERIFY_PARAM_get_time(param), PARAM_TIME)) | 258 if (X509_VERIFY_PARAM_get_time(param) != PARAM_TIME) { 259 fprintf(stderr, "set_time/get_time mismatch.\n"); |
| 256 goto err; | 260 goto err; |
| 261 } |
|
| 257 X509_VERIFY_PARAM_set_depth(param, 16); 258 if (flags) 259 X509_VERIFY_PARAM_set_flags(param, flags); 260 X509_STORE_CTX_set0_param(ctx, param); | 262 X509_VERIFY_PARAM_set_depth(param, 16); 263 if (flags) 264 X509_VERIFY_PARAM_set_flags(param, flags); 265 X509_STORE_CTX_set0_param(ctx, param); |
| 261 param = NULL; | |
| 262 263 ERR_clear_error(); 264 status = X509_verify_cert(ctx) == 1 ? X509_V_OK 265 : X509_STORE_CTX_get_error(ctx); 266err: 267 sk_X509_pop_free(roots, X509_free); 268 sk_X509_CRL_pop_free(crls, X509_CRL_free); | 266 267 ERR_clear_error(); 268 status = X509_verify_cert(ctx) == 1 ? X509_V_OK 269 : X509_STORE_CTX_get_error(ctx); 270err: 271 sk_X509_pop_free(roots, X509_free); 272 sk_X509_CRL_pop_free(crls, X509_CRL_free); |
| 269 X509_VERIFY_PARAM_free(param); | |
| 270 X509_STORE_CTX_free(ctx); 271 X509_STORE_free(store); 272 return status; 273} 274 275/* 276 * Create a stack of CRL's. Upref each one because we call pop_free on 277 * the stack and need to keep the CRL's around until the test exits. --- 7 unchanged lines hidden (view full) --- 285 X509_CRL_up_ref(x1); 286 if (x2 != NULL) { 287 sk_X509_CRL_push(sk, x2); 288 X509_CRL_up_ref(x2); 289 } 290 return sk; 291} 292 | 273 X509_STORE_CTX_free(ctx); 274 X509_STORE_free(store); 275 return status; 276} 277 278/* 279 * Create a stack of CRL's. Upref each one because we call pop_free on 280 * the stack and need to keep the CRL's around until the test exits. --- 7 unchanged lines hidden (view full) --- 288 X509_CRL_up_ref(x1); 289 if (x2 != NULL) { 290 sk_X509_CRL_push(sk, x2); 291 X509_CRL_up_ref(x2); 292 } 293 return sk; 294} 295 |
| 293static int test_basic_crl(void) | 296static int test_crl() |
| 294{ | 297{ |
| 298 X509 *root = X509_from_strings(kCRLTestRoot); 299 X509 *leaf = X509_from_strings(kCRLTestLeaf); |
|
| 295 X509_CRL *basic_crl = CRL_from_strings(kBasicCRL); 296 X509_CRL *revoked_crl = CRL_from_strings(kRevokedCRL); | 300 X509_CRL *basic_crl = CRL_from_strings(kBasicCRL); 301 X509_CRL *revoked_crl = CRL_from_strings(kRevokedCRL); |
| 297 int r; 298 299 r = TEST_ptr(basic_crl) 300 && TEST_ptr(revoked_crl) 301 && TEST_int_eq(verify(test_leaf, test_root, 302 make_CRL_stack(basic_crl, NULL), 303 X509_V_FLAG_CRL_CHECK), X509_V_OK) 304 && TEST_int_eq(verify(test_leaf, test_root, 305 make_CRL_stack(basic_crl, revoked_crl), 306 X509_V_FLAG_CRL_CHECK), X509_V_ERR_CERT_REVOKED); 307 X509_CRL_free(basic_crl); 308 X509_CRL_free(revoked_crl); 309 return r; 310} 311 312static int test_no_crl(void) 313{ 314 return TEST_int_eq(verify(test_leaf, test_root, NULL, 315 X509_V_FLAG_CRL_CHECK), 316 X509_V_ERR_UNABLE_TO_GET_CRL); 317} 318 319static int test_bad_issuer_crl(void) 320{ | |
| 321 X509_CRL *bad_issuer_crl = CRL_from_strings(kBadIssuerCRL); | 302 X509_CRL *bad_issuer_crl = CRL_from_strings(kBadIssuerCRL); |
| 322 int r; | 303 X509_CRL *known_critical_crl = CRL_from_strings(kKnownCriticalCRL); 304 X509_CRL *unknown_critical_crl = CRL_from_strings(kUnknownCriticalCRL); 305 X509_CRL *unknown_critical_crl2 = CRL_from_strings(kUnknownCriticalCRL2); 306 int status = 0; |
| 323 | 307 |
| 324 r = TEST_ptr(bad_issuer_crl) 325 && TEST_int_eq(verify(test_leaf, test_root, 326 make_CRL_stack(bad_issuer_crl, NULL), 327 X509_V_FLAG_CRL_CHECK), 328 X509_V_ERR_UNABLE_TO_GET_CRL); 329 X509_CRL_free(bad_issuer_crl); 330 return r; 331} | 308 if (root == NULL || leaf == NULL || basic_crl == NULL 309 || revoked_crl == NULL || bad_issuer_crl == NULL 310 || known_critical_crl == NULL || unknown_critical_crl == NULL 311 || unknown_critical_crl2 == NULL) { 312 fprintf(stderr, "Failed to parse certificates and CRLs.\n"); 313 goto err; 314 } |
| 332 | 315 |
| 333static int test_known_critical_crl(void) 334{ 335 X509_CRL *known_critical_crl = CRL_from_strings(kKnownCriticalCRL); 336 int r; | 316 if (verify(leaf, root, make_CRL_stack(basic_crl, NULL), 317 X509_V_FLAG_CRL_CHECK) != X509_V_OK) { 318 fprintf(stderr, "Cert with CRL didn't verify.\n"); 319 goto err; 320 } |
| 337 | 321 |
| 338 r = TEST_ptr(known_critical_crl) 339 && TEST_int_eq(verify(test_leaf, test_root, 340 make_CRL_stack(known_critical_crl, NULL), 341 X509_V_FLAG_CRL_CHECK), X509_V_OK); 342 X509_CRL_free(known_critical_crl); 343 return r; 344} | 322 if (verify(leaf, root, make_CRL_stack(basic_crl, revoked_crl), 323 X509_V_FLAG_CRL_CHECK) != X509_V_ERR_CERT_REVOKED) { 324 fprintf(stderr, "Revoked CRL wasn't checked.\n"); 325 goto err; 326 } |
| 345 | 327 |
| 346static int test_unknown_critical_crl(int n) 347{ 348 X509_CRL *unknown_critical_crl = CRL_from_strings(unknown_critical_crls[n]); 349 int r; | 328 if (verify(leaf, root, NULL, 329 X509_V_FLAG_CRL_CHECK) != X509_V_ERR_UNABLE_TO_GET_CRL) { 330 fprintf(stderr, "CRLs were not required.\n"); 331 goto err; 332 } |
| 350 | 333 |
| 351 r = TEST_ptr(unknown_critical_crl) 352 && TEST_int_eq(verify(test_leaf, test_root, 353 make_CRL_stack(unknown_critical_crl, NULL), 354 X509_V_FLAG_CRL_CHECK), 355 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION); 356 X509_CRL_free(unknown_critical_crl); 357 return r; 358} | 334 if (verify(leaf, root, make_CRL_stack(bad_issuer_crl, NULL), 335 X509_V_FLAG_CRL_CHECK) != X509_V_ERR_UNABLE_TO_GET_CRL) { 336 fprintf(stderr, "Bad CRL issuer was unnoticed.\n"); 337 goto err; 338 } |
| 359 | 339 |
| 360static int test_reuse_crl(void) 361{ 362 X509_CRL *reused_crl = CRL_from_strings(kBasicCRL); 363 char *p; 364 BIO *b = glue2bio(kRevokedCRL, &p); | 340 if (verify(leaf, root, make_CRL_stack(known_critical_crl, NULL), 341 X509_V_FLAG_CRL_CHECK) != X509_V_OK) { 342 fprintf(stderr, "CRL with known critical extension was rejected.\n"); 343 goto err; 344 } |
| 365 | 345 |
| 366 reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL); | 346 if (verify(leaf, root, make_CRL_stack(unknown_critical_crl, NULL), 347 X509_V_FLAG_CRL_CHECK) != 348 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION) { 349 fprintf(stderr, "CRL with unknown critical extension was accepted.\n"); 350 goto err; 351 } |
| 367 | 352 |
| 368 OPENSSL_free(p); 369 BIO_free(b); 370 X509_CRL_free(reused_crl); 371 return 1; 372} | 353 if (verify(leaf, root, make_CRL_stack(unknown_critical_crl2, NULL), 354 X509_V_FLAG_CRL_CHECK) != 355 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION) { 356 fprintf(stderr, "CRL with unknown critical extension (2) was accepted.\n"); 357 goto err; 358 } |
| 373 | 359 |
| 374int setup_tests(void) 375{ 376 if (!TEST_ptr(test_root = X509_from_strings(kCRLTestRoot)) 377 || !TEST_ptr(test_leaf = X509_from_strings(kCRLTestLeaf))) 378 return 0; | 360 status = 1; |
| 379 | 361 |
| 380 ADD_TEST(test_no_crl); 381 ADD_TEST(test_basic_crl); 382 ADD_TEST(test_bad_issuer_crl); 383 ADD_TEST(test_known_critical_crl); 384 ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls)); 385 ADD_TEST(test_reuse_crl); 386 return 1; | 362err: 363 X509_free(root); 364 X509_free(leaf); 365 X509_CRL_free(basic_crl); 366 X509_CRL_free(revoked_crl); 367 X509_CRL_free(bad_issuer_crl); 368 X509_CRL_free(known_critical_crl); 369 X509_CRL_free(unknown_critical_crl); 370 X509_CRL_free(unknown_critical_crl2); 371 return status; |
| 387} 388 | 372} 373 |
| 389void cleanup_tests(void) | 374int main() |
| 390{ | 375{ |
| 391 X509_free(test_root); 392 X509_free(test_leaf); | 376 ADD_TEST(test_crl); 377 return run_tests("crltest"); |
| 393} | 378} |