author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-12-14 11:29:19 +0100 |
committer | Dr. David von Oheimb <dev@ddvo.net> | 2022-07-20 11:40:37 +0200 |
commit | b6fbef1159c9aeb1590c116a9426e169d2203506 (patch) | |
tree | fa6a73df8d5bd7fb5357966a96c3c34dddcbb358 /test | |
parent | fad0f80eff188ef938fed614245a56ed56110deb (diff) | |
download | openssl-new-b6fbef1159c9aeb1590c116a9426e169d2203506.tar.gz |
Add OSSL_CMP_CTX_get0_validatedSrvCert(), correcting OSSL_CMP_validate_msg()
Also change ossl_cmp_ctx_set0_validatedSrvCert() to ossl_cmp_ctx_set1_validatedSrvCert(),
and add respective tests as well as the -srvcertout CLI option using the new function.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18656)
Diffstat (limited to 'test')
-rw-r--r-- | test/cmp_ctx_test.c | 6 | ||||
-rw-r--r-- | test/cmp_vfy_test.c | 18 |
2 files changed, 18 insertions, 6 deletions
diff --git a/test/cmp_ctx_test.c b/test/cmp_ctx_test.c
index 5876ae08a3..e4f80d93fc 100644
--- a/test/cmp_ctx_test.c
+++ b/test/cmp_ctx_test.c
@@ -78,7 +78,7 @@ static int execute_CTX_reinit_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture)
             || !ossl_cmp_ctx_set1_newChain(ctx, certs)
             || !ossl_cmp_ctx_set1_caPubs(ctx, certs)
             || !ossl_cmp_ctx_set1_extraCertsIn(ctx, certs)
-            || !ossl_cmp_ctx_set0_validatedSrvCert(ctx, X509_dup(test_cert))
+            || !ossl_cmp_ctx_set1_validatedSrvCert(ctx, test_cert)
             || !TEST_ptr(bytes = ASN1_OCTET_STRING_new())
             || !OSSL_CMP_CTX_set1_transactionID(ctx, bytes)
             || !OSSL_CMP_CTX_set1_senderNonce(ctx, bytes)
@@ -740,7 +740,7 @@ DEFINE_SET_CB_TEST(transfer_cb)
 DEFINE_SET_GET_P_VOID_TEST(transfer_cb_arg)
 DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, srvCert, X509)
-DEFINE_SET_TEST(ossl_cmp, ctx, 0, 0, validatedSrvCert, X509)
+DEFINE_SET_GET_TEST(ossl_cmp, ctx, 1, 0, 0, validatedSrvCert, X509)
 DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, expected_sender, X509_NAME)
 DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set0, get0, 0, trusted, X509_STORE *, NULL,
@@ -837,7 +837,7 @@ int setup_tests(void)
     ADD_TEST(test_CTX_set_get_transfer_cb_arg);
     /* server authentication: */
     ADD_TEST(test_CTX_set1_get0_srvCert);
-    ADD_TEST(test_CTX_set0_get0_validatedSrvCert);
+    ADD_TEST(test_CTX_set1_get0_validatedSrvCert);
     ADD_TEST(test_CTX_set1_get0_expected_sender);
     ADD_TEST(test_CTX_set0_get0_trusted);
     ADD_TEST(test_CTX_set1_get0_untrusted);
diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c
index 6b5844b30a..b17f17baeb 100644
--- a/test/cmp_vfy_test.c
+++ b/test/cmp_vfy_test.c
@@ -124,11 +124,15 @@ static int test_verify_popo_bad(void)
 }
 #endif
+/* indirectly checks also OSSL_CMP_validate_msg() */
 static int execute_validate_msg_test(CMP_VFY_TEST_FIXTURE *fixture)
 {
-    return TEST_int_eq(fixture->expected,
-                       ossl_cmp_msg_check_update(fixture->cmp_ctx, fixture->msg,
-                                                 NULL, 0));
+    int res = TEST_int_eq(fixture->expected,
+                          ossl_cmp_msg_check_update(fixture->cmp_ctx,
+                                                    fixture->msg, NULL, 0));
+    X509 *validated = OSSL_CMP_CTX_get0_validatedSrvCert(fixture->cmp_ctx);
+
+    return res && (!fixture->expected || TEST_ptr_eq(validated, fixture->cert));
 }
 static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture)
@@ -151,6 +155,7 @@ static int test_validate_msg_mac_alg_protection(void)
     };
     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+    fixture->cert = NULL;
     fixture->expected = 1;
     if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1,
@@ -172,6 +177,7 @@ static int test_validate_msg_mac_alg_protection_bad(void)
     };
     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+    fixture->cert = NULL;
     fixture->expected = 0;
     if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_bad,
@@ -201,6 +207,7 @@ static int test_validate_msg_signature_partial_chain(int expired)
     X509_STORE *ts;
     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+    fixture->cert = srvcert;
     ts = OSSL_CMP_CTX_get0_trusted(fixture->cmp_ctx);
     fixture->expected = !expired;
@@ -247,6 +254,7 @@ static int test_validate_msg_signature_srvcert_wrong(void)
 static int test_validate_msg_signature_srvcert(int bad_sig)
 {
     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+    fixture->cert = srvcert;
     fixture->expected = !bad_sig;
     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))
             || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert))
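Review bot: In execute_validate_msg_test the negative case (`fixture->expected == 0`) never checks what OSSL_CMP_CTX_get0_validatedSrvCert() returned, so a failed validation that still leaves a server cert recorded in the context would pass this test; `validated` is fetched and then ignored on that path. If a failed check is meant to leave no validated cert behind (the hunk does not show the library side, so this needs confirming), the last line could pin both outcomes: `return res && (fixture->expected ? TEST_ptr_eq(validated, fixture->cert) : TEST_ptr_null(validated));`. The later hunks of this file set fixture->cert explicitly, so any test that reaches execute_validate_msg_test without doing so relies on set_up zeroing the fixture.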
@@ -273,6 +281,7 @@ static int test_validate_msg_signature_sender_cert_srvcert(void)
 static int test_validate_msg_signature_sender_cert_untrusted(void)
 {
     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+    fixture->cert = insta_cert;
     fixture->expected = 1;
     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx))
             || !add_trusted(fixture->cmp_ctx, instaca_cert)
@@ -287,6 +296,7 @@ static int test_validate_msg_signature_sender_cert_untrusted(void)
 static int test_validate_msg_signature_sender_cert_trusted(void)
 {
     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+    fixture->cert = insta_cert;
     fixture->expected = 1;
     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx))
             || !add_trusted(fixture->cmp_ctx, instaca_cert)
@@ -307,6 +317,7 @@ static int test_validate_msg_signature_sender_cert_extracert(void)
         tear_down(fixture);
         fixture = NULL;
     }
+    fixture->cert = sk_X509_value(fixture->msg->extraCerts, 1); /* Insta CA */
     EXECUTE_TEST(execute_validate_msg_test, tear_down);
     return result;
 }
@@ -329,6 +340,7 @@ static int test_validate_msg_signature_sender_cert_absent(void)
 static int test_validate_with_sender(const X509_NAME *name, int expected)
 {
     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+    fixture->cert = srvcert;
     fixture->expected = expected;
     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))
             || !TEST_true(OSSL_CMP_CTX_set1_expected_sender(fixture->cmp_ctx, name))
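Review bot: The added `fixture->cert = sk_X509_value(fixture->msg->extraCerts, 1);` in test_validate_msg_signature_sender_cert_extracert (hunk `@@ -307,6 +317,7 @@`) runs unconditionally right after the error branch that does `tear_down(fixture); fixture = NULL;`, so when the preceding load or add_trusted step fails the test dereferences a null fixture (and a null fixture->msg) instead of reporting the failure. Guard the assignment on the fixture still being alive: `if (fixture != NULL)` / `    fixture->cert = sk_X509_value(fixture->msg->extraCerts, 1); /* Insta CA */`. The other hunks in this line set fixture->cert before their load step and are not affected. The enclosing function starts outside the hunk.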