Ensure we use a non-zero time for tickets in early data
[openssl.git] / test / cmp_protect_test.c
index 66cc6af370d5fe4fc2d3864a3fa151e4ed29c39c..0612a1faee97f54d2ac7cdf03ac309bbd723d603 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
  *
@@ -9,9 +9,7 @@
  * https://www.openssl.org/source/license.html
  */
 
-#include "cmp_testlib.h"
-
-DEFINE_STACK_OF(X509)
+#include "helpers/cmp_testlib.h"
 
 static const char *ir_protected_f;
 static const char *ir_unprotected_f;
@@ -29,11 +27,12 @@ typedef struct test_fixture {
     X509 *cert;
     STACK_OF(X509) *certs;
     STACK_OF(X509) *chain;
+    int with_ss;
     int callback_arg;
     int expected;
 } CMP_PROTECT_TEST_FIXTURE;
 
-static OPENSSL_CTX *libctx = NULL;
+static OSSL_LIB_CTX *libctx = NULL;
 static OSSL_PROVIDER *default_null_provider = NULL, *provider = NULL;
 
 static void tear_down(CMP_PROTECT_TEST_FIXTURE *fixture)
@@ -96,7 +95,7 @@ static int execute_calc_protection_pbmac_test(CMP_PROTECT_TEST_FIXTURE *fixture)
 
 /*
  * This function works similarly to parts of CMP_verify_signature in cmp_vfy.c,
- * but without the need for a OSSL_CMP_CTX or a X509 certificate
+ * but without the need for an OSSL_CMP_CTX or a X509 certificate
  */
 static int verify_signature(OSSL_CMP_MSG *msg,
                             ASN1_BIT_STRING *protection,
@@ -144,7 +143,7 @@ static int execute_calc_protection_signature_test(CMP_PROTECT_TEST_FIXTURE *
 static int test_cmp_calc_protection_no_key_no_secret(void)
 {
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
-    if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f))
+    if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f, libctx))
             || !TEST_ptr(fixture->msg->header->protectionAlg =
                          X509_ALGOR_new() /* no specific alg needed here */)) {
         tear_down(fixture);
@@ -160,7 +159,7 @@ static int test_cmp_calc_protection_pkey(void)
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
     fixture->pubkey = loadedpubkey;
     if (!TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedprivkey))
-            || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))) {
+            || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))) {
         tear_down(fixture);
         fixture = NULL;
     }
@@ -175,7 +174,7 @@ static int test_cmp_calc_protection_pbmac(void)
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
     if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx,
                                                  sec_insta, sizeof(sec_insta)))
-            || !TEST_ptr(fixture->msg = load_pkimsg(ip_PBM_f))) {
+            || !TEST_ptr(fixture->msg = load_pkimsg(ip_PBM_f, libctx))) {
         tear_down(fixture);
         fixture = NULL;
     }
@@ -333,21 +332,41 @@ static int execute_cmp_build_cert_chain_test(CMP_PROTECT_TEST_FIXTURE *fixture)
 {
     int ret = 0;
     OSSL_CMP_CTX *ctx = fixture->cmp_ctx;
+    X509_STORE *store;
     STACK_OF(X509) *chain =
-        ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq,
-                                  fixture->certs, fixture->cert);
+        X509_build_chain(fixture->cert, fixture->certs, NULL,
+                         fixture->with_ss, ctx->libctx, ctx->propq);
 
     if (TEST_ptr(chain)) {
         /* Check whether chain built is equal to the expected one */
         ret = TEST_int_eq(0, STACK_OF_X509_cmp(chain, fixture->chain));
-        sk_X509_pop_free(chain, X509_free);
+        OSSL_STACK_OF_X509_free(chain);
+    }
+    if (!ret)
+        return 0;
+
+    if (TEST_ptr(store = X509_STORE_new())
+            && TEST_true(X509_STORE_add_cert(store, root))) {
+        X509_VERIFY_PARAM_set_flags(X509_STORE_get0_param(store),
+                                    X509_V_FLAG_NO_CHECK_TIME);
+        chain = X509_build_chain(fixture->cert, fixture->certs, store,
+                                 fixture->with_ss, ctx->libctx, ctx->propq);
+        ret = TEST_int_eq(fixture->expected, chain != NULL);
+        if (ret && chain != NULL) {
+            /* Check whether chain built is equal to the expected one */
+            ret = TEST_int_eq(0, STACK_OF_X509_cmp(chain, fixture->chain));
+            OSSL_STACK_OF_X509_free(chain);
+        }
     }
+    X509_STORE_free(store);
     return ret;
 }
 
 static int test_cmp_build_cert_chain(void)
 {
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
+    fixture->expected = 1;
+    fixture->with_ss = 0;
     fixture->cert = endentity2;
     if (!TEST_ptr(fixture->certs = sk_X509_new_null())
             || !TEST_ptr(fixture->chain = sk_X509_new_null())
@@ -359,13 +378,21 @@ static int test_cmp_build_cert_chain(void)
         tear_down(fixture);
         fixture = NULL;
     }
-    EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
+    if (fixture != NULL) {
+        result = execute_cmp_build_cert_chain_test(fixture);
+        fixture->with_ss = 1;
+        if (result && TEST_true(sk_X509_push(fixture->chain, root)))
+            result = execute_cmp_build_cert_chain_test(fixture);
+    }
+    tear_down(fixture);
     return result;
 }
 
 static int test_cmp_build_cert_chain_missing_intermediate(void)
 {
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
+    fixture->expected = 0;
+    fixture->with_ss = 0;
     fixture->cert = endentity2;
     if (!TEST_ptr(fixture->certs = sk_X509_new_null())
             || !TEST_ptr(fixture->chain = sk_X509_new_null())
@@ -379,9 +406,11 @@ static int test_cmp_build_cert_chain_missing_intermediate(void)
     return result;
 }
 
-static int test_cmp_build_cert_chain_missing_root(void)
+static int test_cmp_build_cert_chain_no_root(void)
 {
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
+    fixture->expected = 1;
+    fixture->with_ss = 0;
     fixture->cert = endentity2;
     if (!TEST_ptr(fixture->certs = sk_X509_new_null())
             || !TEST_ptr(fixture->chain = sk_X509_new_null())
@@ -396,9 +425,28 @@ static int test_cmp_build_cert_chain_missing_root(void)
     return result;
 }
 
+static int test_cmp_build_cert_chain_only_root(void)
+{
+    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
+    fixture->expected = 1;
+    fixture->with_ss = 0; /* still chain must include the only cert (root) */
+    fixture->cert = root;
+    if (!TEST_ptr(fixture->certs = sk_X509_new_null())
+            || !TEST_ptr(fixture->chain = sk_X509_new_null())
+            || !TEST_true(sk_X509_push(fixture->certs, root))
+            || !TEST_true(sk_X509_push(fixture->chain, root))) {
+        tear_down(fixture);
+        fixture = NULL;
+    }
+    EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
+    return result;
+}
+
 static int test_cmp_build_cert_chain_no_certs(void)
 {
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
+    fixture->expected = 0;
+    fixture->with_ss = 0;
     fixture->cert = endentity2;
     if (!TEST_ptr(fixture->certs = sk_X509_new_null())
             || !TEST_ptr(fixture->chain = sk_X509_new_null())
@@ -427,7 +475,7 @@ static int execute_X509_STORE_test(CMP_PROTECT_TEST_FIXTURE *fixture)
     res = 1;
  err:
     X509_STORE_free(store);
-    sk_X509_pop_free(sk, X509_free);
+    OSSL_STACK_OF_X509_free(sk);
     return res;
 
 }
@@ -467,7 +515,6 @@ static int test_X509_STORE_only_self_issued(void)
     return result;
 }
 
-
 void cleanup_tests(void)
 {
     EVP_PKEY_free(loadedprivkey);
@@ -480,7 +527,7 @@ void cleanup_tests(void)
     X509_free(intermediate);
     OSSL_CMP_MSG_free(ir_protected);
     OSSL_CMP_MSG_free(ir_unprotected);
-    OPENSSL_CTX_free(libctx);
+    OSSL_LIB_CTX_free(libctx);
 }
 
 #define USAGE "server.pem IR_protected.der IR_unprotected.der IP_PBM.der " \
@@ -518,24 +565,24 @@ int setup_tests(void)
         return 0;
     }
 
-    if (!test_get_libctx(&libctx, &default_null_provider, &provider, 10, USAGE))
+    if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 10, USAGE))
         return 0;
 
-    if (!TEST_ptr(loadedkey = load_pem_key(server_key_f, libctx))
-            || !TEST_ptr(cert = load_pem_cert(server_cert_f, libctx)))
+    if (!TEST_ptr(loadedkey = load_pkey_pem(server_key_f, libctx))
+            || !TEST_ptr(cert = load_cert_pem(server_cert_f, libctx)))
         return 0;
 
-    if (!TEST_ptr(loadedprivkey = load_pem_key(server_f, libctx)))
+    if (!TEST_ptr(loadedprivkey = load_pkey_pem(server_f, libctx)))
         return 0;
     if (TEST_true(EVP_PKEY_up_ref(loadedprivkey)))
         loadedpubkey = loadedprivkey;
-    if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f))
-            || !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f)))
+    if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f, libctx))
+        || !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f, libctx)))
         return 0;
-    if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f, libctx))
-            || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f, libctx))
-            || !TEST_ptr(root = load_pem_cert(root_f, libctx))
-            || !TEST_ptr(intermediate = load_pem_cert(intermediate_f, libctx)))
+    if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx))
+            || !TEST_ptr(endentity2 = load_cert_pem(endentity2_f, libctx))
+            || !TEST_ptr(root = load_cert_pem(root_f, libctx))
+            || !TEST_ptr(intermediate = load_cert_pem(intermediate_f, libctx)))
         return 0;
     if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH)))
         return 0;
@@ -556,7 +603,8 @@ int setup_tests(void)
 
 #ifndef OPENSSL_NO_EC
     ADD_TEST(test_cmp_build_cert_chain);
-    ADD_TEST(test_cmp_build_cert_chain_missing_root);
+    ADD_TEST(test_cmp_build_cert_chain_only_root);
+    ADD_TEST(test_cmp_build_cert_chain_no_root);
     ADD_TEST(test_cmp_build_cert_chain_missing_intermediate);
     ADD_TEST(test_cmp_build_cert_chain_no_certs);
 #endif