diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2019-11-05 09:56:59 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2019-12-12 10:57:25 +0000 |
commit | 3dbc5156b0b2c7a57be160706e6ad38a14edae37 (patch) | |
tree | e86c4b137be850621acfd835398b4bc1cf699467 /test/cmp_protect_test.c | |
parent | 0402c90ff9caac4c680e3cb6db7729e00d3fc20b (diff) | |
download | openssl-new-3dbc5156b0b2c7a57be160706e6ad38a14edae37.tar.gz |
chunk 6 of CMP contribution to OpenSSL
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10297)
Diffstat (limited to 'test/cmp_protect_test.c')
-rw-r--r-- | test/cmp_protect_test.c | 517 |
1 files changed, 517 insertions, 0 deletions
diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c new file mode 100644 index 0000000000..89be39f7fc --- /dev/null +++ b/test/cmp_protect_test.c @@ -0,0 +1,517 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "cmp_testlib.h" + +static const char *ir_protected_f; +static const char *ir_unprotected_f; +static const char *ip_PBM_f; + +typedef struct test_fixture { + const char *test_case_name; + OSSL_CMP_CTX *cmp_ctx; + /* for protection tests */ + OSSL_CMP_MSG *msg; + OSSL_CMP_PKISI *si; /* for error and response messages */ + ASN1_OCTET_STRING *secret; + EVP_PKEY *privkey; + EVP_PKEY *pubkey; + unsigned char *mem; + int memlen; + X509 *cert; + STACK_OF(X509) *certs; + STACK_OF(X509) *chain; + int callback_arg; + int expected; +} CMP_PROTECT_TEST_FIXTURE; + +static void tear_down(CMP_PROTECT_TEST_FIXTURE *fixture) +{ + OSSL_CMP_CTX_free(fixture->cmp_ctx); + OSSL_CMP_MSG_free(fixture->msg); + ASN1_OCTET_STRING_free(fixture->secret); + OSSL_CMP_PKISI_free(fixture->si); + + OPENSSL_free(fixture->mem); + sk_X509_free(fixture->certs); + sk_X509_free(fixture->chain); + + OPENSSL_free(fixture); +} + +static CMP_PROTECT_TEST_FIXTURE *set_up(const char *const test_case_name) +{ + CMP_PROTECT_TEST_FIXTURE *fixture; + + if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) + return NULL; + fixture->test_case_name = test_case_name; + if (!TEST_ptr(fixture->cmp_ctx = OSSL_CMP_CTX_new())) { + tear_down(fixture); + return NULL; + } + return fixture; +} + +static EVP_PKEY *loadedprivkey = NULL; +static EVP_PKEY *loadedpubkey = NULL; +static EVP_PKEY *loadedkey = NULL; +static X509 *cert = NULL; +static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH]; +static OSSL_CMP_MSG *ir_unprotected, *ir_protected; +static X509 *endentity1 = NULL, *endentity2 = NULL, + *root = NULL, *intermediate = NULL; + +static int execute_calc_protection_fails_test(CMP_PROTECT_TEST_FIXTURE *fixture) +{ + ASN1_BIT_STRING *protection = + ossl_cmp_calc_protection(fixture->msg, fixture->secret, + fixture->privkey); + int res = TEST_ptr_null(protection); + + ASN1_BIT_STRING_free(protection); + return res; +} + +static int execute_calc_protection_pbmac_test(CMP_PROTECT_TEST_FIXTURE *fixture) +{ + ASN1_BIT_STRING *protection = + ossl_cmp_calc_protection(fixture->msg, fixture->secret, NULL); + int res = TEST_ptr(protection) + && TEST_true(ASN1_STRING_cmp(protection, fixture->msg->protection) == 0); + + ASN1_BIT_STRING_free(protection); + return res; +} + +/* + * This function works similarly to parts of CMP_verify_signature in cmp_vfy.c, + * but without the need for a OSSL_CMP_CTX or a X509 certificate + */ +static int verify_signature(OSSL_CMP_MSG *msg, + ASN1_BIT_STRING *protection, + EVP_PKEY *pkey, int digest_nid) +{ + CMP_PROTECTEDPART prot_part; + unsigned char *prot_part_der = NULL; + int len; + EVP_MD_CTX *ctx = NULL; + const EVP_MD *digest = EVP_get_digestbynid(digest_nid); + int res; + + prot_part.header = OSSL_CMP_MSG_get0_header(msg); + prot_part.body = msg->body; + res = + TEST_int_ge(len = i2d_CMP_PROTECTEDPART(&prot_part, &prot_part_der), 0) + && TEST_ptr(ctx = EVP_MD_CTX_new()) + && TEST_true(EVP_DigestVerifyInit(ctx, NULL, digest, NULL, pkey)) + && TEST_int_eq(EVP_DigestVerify(ctx, protection->data, + protection->length, + prot_part_der, len), 1); + /* cleanup */ + EVP_MD_CTX_free(ctx); + OPENSSL_free(prot_part_der); + return res; +} + +/* Calls OSSL_CMP_calc_protection and compares and verifies signature */ +static int execute_calc_protection_signature_test(CMP_PROTECT_TEST_FIXTURE * + fixture) +{ + ASN1_BIT_STRING *protection = + ossl_cmp_calc_protection(fixture->msg, NULL, fixture->privkey); + int ret = (TEST_ptr(protection) + && TEST_true(ASN1_STRING_cmp(protection, + fixture->msg->protection) == 0) + && TEST_true(verify_signature(fixture->msg, protection, + fixture->pubkey, + fixture->cmp_ctx->digest))); + + ASN1_BIT_STRING_free(protection); + return ret; +} + +static int test_cmp_calc_protection_no_key_no_secret(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f)) + || !TEST_ptr(fixture->msg->header->protectionAlg = + X509_ALGOR_new() /* no specific alg needed here */)) { + tear_down(fixture); + fixture = NULL; + } + + EXECUTE_TEST(execute_calc_protection_fails_test, tear_down); + return result; +} + +static int test_cmp_calc_protection_pkey(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->pubkey = loadedpubkey; + fixture->privkey = loadedprivkey; + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_calc_protection_signature_test, tear_down); + return result; +} + +static int test_cmp_calc_protection_pbmac(void) +{ + unsigned char sec_insta[] = { 'i', 'n', 's', 't', 'a' }; + + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + if (!TEST_ptr(fixture->secret = ASN1_OCTET_STRING_new()) + || !TEST_true(ASN1_OCTET_STRING_set + (fixture->secret, sec_insta, sizeof(sec_insta))) + || !TEST_ptr(fixture->msg = load_pkimsg(ip_PBM_f))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_calc_protection_pbmac_test, tear_down); + return result; +} +static int execute_MSG_protect_test(CMP_PROTECT_TEST_FIXTURE *fixture) +{ + return TEST_int_eq(fixture->expected, + ossl_cmp_msg_protect(fixture->cmp_ctx, fixture->msg)); +} + +#define SET_OPT_UNPROTECTED_SEND(ctx, val) \ + OSSL_CMP_CTX_set_option((ctx), OSSL_CMP_OPT_UNPROTECTED_SEND, (val)) +static int test_MSG_protect_unprotected_request(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + + fixture->expected = 1; + if (!TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected)) + || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 1))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_MSG_protect_test, tear_down); + return result; +} + +static int test_MSG_protect_with_msg_sig_alg_protection_plus_rsa_key(void) +{ + const size_t size = sizeof(rand_data) / 2; + + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->expected = 1; + + if (!TEST_ptr(fixture->msg = + OSSL_CMP_MSG_dup(ir_unprotected)) + || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0)) + /* + * Use half of the 16 bytes of random input + * for each reference and secret value + */ + || !TEST_true(OSSL_CMP_CTX_set1_referenceValue(fixture->cmp_ctx, + rand_data, size)) + || !TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, + rand_data + size, + size))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_MSG_protect_test, tear_down); + return result; +} + +static int test_MSG_protect_with_certificate_and_key(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->expected = 1; + + if (!TEST_ptr(fixture->msg = + OSSL_CMP_MSG_dup(ir_unprotected)) + || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0)) + || !TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedkey)) + || !TEST_true(OSSL_CMP_CTX_set1_clCert(fixture->cmp_ctx, cert))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_MSG_protect_test, tear_down); + return result; +} + +static int test_MSG_protect_certificate_based_without_cert(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + OSSL_CMP_CTX *ctx = fixture->cmp_ctx; + + fixture->expected = 0; + if (!TEST_ptr(fixture->msg = + OSSL_CMP_MSG_dup(ir_unprotected)) + || !TEST_true(SET_OPT_UNPROTECTED_SEND(ctx, 0)) + || !TEST_true(OSSL_CMP_CTX_set0_newPkey(ctx, 1, loadedkey))) { + tear_down(fixture); + fixture = NULL; + } + EVP_PKEY_up_ref(loadedkey); + EXECUTE_TEST(execute_MSG_protect_test, tear_down); + return result; +} + +static int test_MSG_protect_no_key_no_secret(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->expected = 0; + if (!TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected)) + || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_MSG_protect_test, tear_down); + return result; +} + +static int execute_MSG_add_extraCerts_test(CMP_PROTECT_TEST_FIXTURE *fixture) +{ + return TEST_true(ossl_cmp_msg_add_extraCerts(fixture->cmp_ctx, + fixture->msg)); +} + +static int test_MSG_add_extraCerts(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + if (!TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_protected))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_MSG_add_extraCerts_test, tear_down); + return result; +} + +static int execute_cmp_build_cert_chain_test(CMP_PROTECT_TEST_FIXTURE *fixture) +{ + STACK_OF(X509) *result = NULL; + int ret = 0; + + if (TEST_ptr(result = ossl_cmp_build_cert_chain(fixture->certs, + fixture->cert))) { + /* Check whether chain built is equal to the expected one */ + ret = TEST_int_eq(0, STACK_OF_X509_cmp(result, fixture->chain)); + sk_X509_pop_free(result, X509_free); + } + return ret; +} + +static int test_cmp_build_cert_chain(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->cert = endentity2; + if (!TEST_ptr(fixture->certs = sk_X509_new_null()) + || !TEST_ptr(fixture->chain = sk_X509_new_null()) + || !TEST_true(sk_X509_push(fixture->certs, endentity1)) + || !TEST_true(sk_X509_push(fixture->certs, root)) + || !TEST_true(sk_X509_push(fixture->certs, intermediate)) + || !TEST_true(sk_X509_push(fixture->chain, endentity2)) + || !TEST_true(sk_X509_push(fixture->chain, intermediate))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down); + return result; +} + +static int test_cmp_build_cert_chain_missing_intermediate(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->cert = endentity2; + if (!TEST_ptr(fixture->certs = sk_X509_new_null()) + || !TEST_ptr(fixture->chain = sk_X509_new_null()) + || !TEST_true(sk_X509_push(fixture->certs, endentity1)) + || !TEST_true(sk_X509_push(fixture->certs, root)) + || !TEST_true(sk_X509_push(fixture->chain, endentity2))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down); + return result; +} + +static int test_cmp_build_cert_chain_missing_root(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->cert = endentity2; + if (!TEST_ptr(fixture->certs = sk_X509_new_null()) + || !TEST_ptr(fixture->chain = sk_X509_new_null()) + || !TEST_true(sk_X509_push(fixture->certs, endentity1)) + || !TEST_true(sk_X509_push(fixture->certs, intermediate)) + || !TEST_true(sk_X509_push(fixture->chain, endentity2)) + || !TEST_true(sk_X509_push(fixture->chain, intermediate))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down); + return result; +} + +static int test_cmp_build_cert_chain_no_certs(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->cert = endentity2; + if (!TEST_ptr(fixture->certs = sk_X509_new_null()) + || !TEST_ptr(fixture->chain = sk_X509_new_null()) + || !TEST_true(sk_X509_push(fixture->chain, endentity2))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down); + return result; +} + +static int execute_X509_STORE_test(CMP_PROTECT_TEST_FIXTURE *fixture) +{ + X509_STORE *store = X509_STORE_new(); + STACK_OF(X509) *sk = NULL; + int res = 0; + + if (!TEST_true(ossl_cmp_X509_STORE_add1_certs(store, + fixture->certs, + fixture->callback_arg))) + goto err; + sk = ossl_cmp_X509_STORE_get1_certs(store); + if (!TEST_int_eq(0, STACK_OF_X509_cmp(sk, fixture->chain))) + goto err; + res = 1; + err: + X509_STORE_free(store); + sk_X509_pop_free(sk, X509_free); + return res; + +} + +static int test_X509_STORE(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->callback_arg = 0; /* self-signed allowed */ + if (!TEST_ptr(fixture->certs = sk_X509_new_null()) + || !sk_X509_push(fixture->certs, endentity1) + || !sk_X509_push(fixture->certs, endentity2) + || !sk_X509_push(fixture->certs, root) + || !sk_X509_push(fixture->certs, intermediate) + || !TEST_ptr(fixture->chain = sk_X509_dup(fixture->certs))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_X509_STORE_test, tear_down); + return result; +} + +static int test_X509_STORE_only_self_signed(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->certs = sk_X509_new_null(); + fixture->chain = sk_X509_new_null(); + fixture->callback_arg = 1; /* only self-signed */ + if (!TEST_true(sk_X509_push(fixture->certs, endentity1)) + || !TEST_true(sk_X509_push(fixture->certs, endentity2)) + || !TEST_true(sk_X509_push(fixture->certs, root)) + || !TEST_true(sk_X509_push(fixture->certs, intermediate)) + || !TEST_true(sk_X509_push(fixture->chain, root))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_X509_STORE_test, tear_down); + return result; +} + + +void cleanup_tests(void) +{ + EVP_PKEY_free(loadedprivkey); + EVP_PKEY_free(loadedpubkey); + EVP_PKEY_free(loadedkey); + X509_free(cert); + X509_free(endentity1); + X509_free(endentity2); + X509_free(root); + X509_free(intermediate); + OSSL_CMP_MSG_free(ir_protected); + OSSL_CMP_MSG_free(ir_unprotected); + +} + +int setup_tests(void) +{ + char *server_f; + char *server_key_f; + char *server_cert_f; + char *endentity1_f; + char *endentity2_f; + char *root_f; + char *intermediate_f; + + RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH); + if (!TEST_ptr(server_f = test_get_argument(0)) + || !TEST_ptr(ir_protected_f = test_get_argument(1)) + || !TEST_ptr(ir_unprotected_f = test_get_argument(2)) + || !TEST_ptr(ip_PBM_f = test_get_argument(3)) + || !TEST_ptr(server_cert_f = test_get_argument(4)) + || !TEST_ptr(server_key_f = test_get_argument(5)) + || !TEST_ptr(endentity1_f = test_get_argument(6)) + || !TEST_ptr(endentity2_f = test_get_argument(7)) + || !TEST_ptr(root_f = test_get_argument(8)) + || !TEST_ptr(intermediate_f = test_get_argument(9))) { + TEST_error("usage: cmp_protect_test server.pem " + "IR_protected.der IR_unprotected.der IP_PBM.der " + "server.crt server.pem" + "EndEntity1.crt EndEntity2.crt " + "Root_CA.crt Intermediate_CA.crt\n"); + return 0; + } + if (!TEST_ptr(loadedkey = load_pem_key(server_key_f)) + || !TEST_ptr(cert = load_pem_cert(server_cert_f))) + return 0; + + if (!TEST_ptr(loadedprivkey = load_pem_key(server_f))) + return 0; + if (TEST_true(EVP_PKEY_up_ref(loadedprivkey))) + loadedpubkey = loadedprivkey; + if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f)) + || !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f))) + return 0; + if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f)) + || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f)) + || !TEST_ptr(root = load_pem_cert(root_f)) + || !TEST_ptr(intermediate = load_pem_cert(intermediate_f))) + return 0; + if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH))) + return 0; + + /* Message protection tests */ + ADD_TEST(test_cmp_calc_protection_no_key_no_secret); + ADD_TEST(test_cmp_calc_protection_pkey); + ADD_TEST(test_cmp_calc_protection_pbmac); + + ADD_TEST(test_MSG_protect_with_msg_sig_alg_protection_plus_rsa_key); + ADD_TEST(test_MSG_protect_with_certificate_and_key); + ADD_TEST(test_MSG_protect_certificate_based_without_cert); + ADD_TEST(test_MSG_protect_unprotected_request); + ADD_TEST(test_MSG_protect_no_key_no_secret); + + ADD_TEST(test_MSG_add_extraCerts); + + ADD_TEST(test_cmp_build_cert_chain); + ADD_TEST(test_cmp_build_cert_chain_missing_root); + ADD_TEST(test_cmp_build_cert_chain_missing_intermediate); + ADD_TEST(test_cmp_build_cert_chain_no_certs); + + ADD_TEST(test_X509_STORE); + ADD_TEST(test_X509_STORE_only_self_signed); + + return 1; +} |