authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2021-12-14 11:29:19 +0100
committerDr. David von Oheimb <dev@ddvo.net>2022-07-20 11:40:37 +0200
commitb6fbef1159c9aeb1590c116a9426e169d2203506 (patch)
treefa6a73df8d5bd7fb5357966a96c3c34dddcbb358 /test
parentfad0f80eff188ef938fed614245a56ed56110deb (diff)
downloadopenssl-new-b6fbef1159c9aeb1590c116a9426e169d2203506.tar.gz
Add OSSL_CMP_CTX_get0_validatedSrvCert(), correcting OSSL_CMP_validate_msg()
Also change ossl_cmp_ctx_set0_validatedSrvCert() to ossl_cmp_ctx_set1_validatedSrvCert(), and add respective tests as well as the -srvcertout CLI option using the new function. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18656)
Diffstat (limited to 'test')
-rw-r--r--test/cmp_ctx_test.c6
-rw-r--r--test/cmp_vfy_test.c18
2 files changed, 18 insertions, 6 deletions
diff --git a/test/cmp_ctx_test.c b/test/cmp_ctx_test.c
index 5876ae08a3..e4f80d93fc 100644
--- a/test/cmp_ctx_test.c
+++ b/test/cmp_ctx_test.c
@@ -78,7 +78,7 @@ static int execute_CTX_reinit_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture)
|| !ossl_cmp_ctx_set1_newChain(ctx, certs)
|| !ossl_cmp_ctx_set1_caPubs(ctx, certs)
|| !ossl_cmp_ctx_set1_extraCertsIn(ctx, certs)
- || !ossl_cmp_ctx_set0_validatedSrvCert(ctx, X509_dup(test_cert))
+ || !ossl_cmp_ctx_set1_validatedSrvCert(ctx, test_cert)
|| !TEST_ptr(bytes = ASN1_OCTET_STRING_new())
|| !OSSL_CMP_CTX_set1_transactionID(ctx, bytes)
|| !OSSL_CMP_CTX_set1_senderNonce(ctx, bytes)
@@ -740,7 +740,7 @@ DEFINE_SET_CB_TEST(transfer_cb)
DEFINE_SET_GET_P_VOID_TEST(transfer_cb_arg)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, srvCert, X509)
-DEFINE_SET_TEST(ossl_cmp, ctx, 0, 0, validatedSrvCert, X509)
+DEFINE_SET_GET_TEST(ossl_cmp, ctx, 1, 0, 0, validatedSrvCert, X509)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, expected_sender, X509_NAME)
DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set0, get0, 0, trusted,
X509_STORE *, NULL,
@@ -837,7 +837,7 @@ int setup_tests(void)
ADD_TEST(test_CTX_set_get_transfer_cb_arg);
/* server authentication: */
ADD_TEST(test_CTX_set1_get0_srvCert);
- ADD_TEST(test_CTX_set0_get0_validatedSrvCert);
+ ADD_TEST(test_CTX_set1_get0_validatedSrvCert);
ADD_TEST(test_CTX_set1_get0_expected_sender);
ADD_TEST(test_CTX_set0_get0_trusted);
ADD_TEST(test_CTX_set1_get0_untrusted);
diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c
index 6b5844b30a..b17f17baeb 100644
--- a/test/cmp_vfy_test.c
+++ b/test/cmp_vfy_test.c
@@ -124,11 +124,15 @@ static int test_verify_popo_bad(void)
}
#endif
+/* indirectly checks also OSSL_CMP_validate_msg() */
static int execute_validate_msg_test(CMP_VFY_TEST_FIXTURE *fixture)
{
- return TEST_int_eq(fixture->expected,
- ossl_cmp_msg_check_update(fixture->cmp_ctx, fixture->msg,
- NULL, 0));
+ int res = TEST_int_eq(fixture->expected,
+ ossl_cmp_msg_check_update(fixture->cmp_ctx,
+ fixture->msg, NULL, 0));
+ X509 *validated = OSSL_CMP_CTX_get0_validatedSrvCert(fixture->cmp_ctx);
+
+ return res && (!fixture->expected || TEST_ptr_eq(validated, fixture->cert));
}
static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture)
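Review bot: On the expected-failure path the new code in execute_validate_msg_test() asserts nothing about the validated server cert: only the `expected == 1` case compares `validated` with `fixture->cert`, so a rejected message that leaves a cert in the context, or stale state from an earlier call, would go unnoticed. If OSSL_CMP_validate_msg() is meant to never leave a cert in that slot after a failed check (its implementation is not in view here), pin it: `return res && (fixture->expected ? TEST_ptr_eq(validated, fixture->cert) : TEST_ptr_null(validated));`. If the field intentionally keeps its previous value on failure, a one-line comment saying so would stop the next reader from tightening this. Note also that TEST_ptr_eq() is pointer identity, so the expectation only holds if the set1 variant shares the object rather than duplicating it, which is presumably the case; a comment such as `/* set1 up-refs, so the stored cert is the same object */` would make that dependency explicit.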
@@ -151,6 +155,7 @@ static int test_validate_msg_mac_alg_protection(void)
};
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+ fixture->cert = NULL;
fixture->expected = 1;
if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1,
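Review bot: `fixture->cert = NULL;` together with `fixture->expected = 1` is a real assertion here, since execute_validate_msg_test() will then require OSSL_CMP_CTX_get0_validatedSrvCert() to return NULL after a successfully MAC-protected message, yet the bare NULL reads like a don't-care default. A comment would make the property being checked explicit: `fixture->cert = NULL; /* MAC protection: no server cert gets validated */`. If set_up() already zero-fills the fixture (not visible here) the assignment is redundant, but it is still worth keeping for its documentation value. The enclosing function starts outside the hunk.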
@@ -172,6 +177,7 @@ static int test_validate_msg_mac_alg_protection_bad(void)
};
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+ fixture->cert = NULL;
fixture->expected = 0;
if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_bad,
@@ -201,6 +207,7 @@ static int test_validate_msg_signature_partial_chain(int expired)
X509_STORE *ts;
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+ fixture->cert = srvcert;
ts = OSSL_CMP_CTX_get0_trusted(fixture->cmp_ctx);
fixture->expected = !expired;
@@ -247,6 +254,7 @@ static int test_validate_msg_signature_srvcert_wrong(void)
static int test_validate_msg_signature_srvcert(int bad_sig)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+ fixture->cert = srvcert;
fixture->expected = !bad_sig;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))
|| !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert))
@@ -273,6 +281,7 @@ static int test_validate_msg_signature_sender_cert_srvcert(void)
static int test_validate_msg_signature_sender_cert_untrusted(void)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+ fixture->cert = insta_cert;
fixture->expected = 1;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx))
|| !add_trusted(fixture->cmp_ctx, instaca_cert)
@@ -287,6 +296,7 @@ static int test_validate_msg_signature_sender_cert_untrusted(void)
static int test_validate_msg_signature_sender_cert_trusted(void)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+ fixture->cert = insta_cert;
fixture->expected = 1;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx))
|| !add_trusted(fixture->cmp_ctx, instaca_cert)
@@ -307,6 +317,7 @@ static int test_validate_msg_signature_sender_cert_extracert(void)
tear_down(fixture);
fixture = NULL;
}
+ fixture->cert = sk_X509_value(fixture->msg->extraCerts, 1); /* Insta CA */
EXECUTE_TEST(execute_validate_msg_test, tear_down);
return result;
}
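Review bot: The new `fixture->cert = sk_X509_value(fixture->msg->extraCerts, 1);` line dereferences `fixture` immediately after the failure branch above it has done `tear_down(fixture); fixture = NULL;`, so a failed message load or setup turns a clean test failure into a NULL-pointer crash. EXECUTE_TEST presumably tolerates a NULL fixture (its definition is not in view), but this assignment runs before it; guard it with `if (fixture != NULL)` / `    fixture->cert = sk_X509_value(fixture->msg->extraCerts, 1); /* Insta CA */`, or move it into the success path of the preceding `if`. Index 1 is also a silent assumption about the ir_protected_0_extracerts test vector: with fewer than two extraCerts sk_X509_value() returns NULL and the comparison fails with no hint why, so wrapping the value in `TEST_ptr()` would make that failure mode self-explaining. The enclosing function starts outside the hunk.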
@@ -329,6 +340,7 @@ static int test_validate_msg_signature_sender_cert_absent(void)
static int test_validate_with_sender(const X509_NAME *name, int expected)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
+ fixture->cert = srvcert;
fixture->expected = expected;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))
|| !TEST_true(OSSL_CMP_CTX_set1_expected_sender(fixture->cmp_ctx, name))