test/cmp_vfy_test.c

   1 /*
   2  * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
   3  * Copyright Nokia 2007-2019
   4  * Copyright Siemens AG 2015-2019
   5  *
   6  * Licensed under the Apache License 2.0 (the "License").  You may not use
   7  * this file except in compliance with the License.  You can obtain a copy
   8  * in the file LICENSE in the source distribution or at
   9  * https://www.openssl.org/source/license.html
  10  */
  11
  12 #include "cmp_testlib.h"
  13 #include "../crypto/crmf/crmf_local.h" /* for manipulating POPO signature */
  14
  15 static const char *server_f;
  16 static const char *client_f;
  17 static const char *endentity1_f;
  18 static const char *endentity2_f;
  19 static const char *root_f;
  20 static const char *intermediate_f;
  21 static const char *ir_protected_f;
  22 static const char *ir_unprotected_f;
  23 static const char *ir_rmprotection_f;
  24 static const char *ip_waiting_f;
  25 static const char *instacert_f;
  26 static const char *instaca_f;
  27 static const char *ir_protected_0_extracerts;
  28 static const char *ir_protected_2_extracerts;
  29
  30 typedef struct test_fixture {
  31     const char *test_case_name;
  32     int expected;
  33     OSSL_CMP_CTX *cmp_ctx;
  34     OSSL_CMP_MSG *msg;
  35     X509 *cert;
  36     ossl_cmp_allow_unprotected_cb_t allow_unprotected_cb;
  37     int additional_arg;
  38 } CMP_VFY_TEST_FIXTURE;
  39
  40 static void tear_down(CMP_VFY_TEST_FIXTURE *fixture)
  41 {
  42     OSSL_CMP_MSG_free(fixture->msg);
  43     OSSL_CMP_CTX_free(fixture->cmp_ctx);
  44     OPENSSL_free(fixture);
  45 }
  46
  47 static int print_to_bio_out(const char *func, const char *file, int line,
  48                             OSSL_CMP_severity level, const char *msg)
  49 {
  50     return OSSL_CMP_print_to_bio(bio_out, func, file, line, level, msg);
  51 }
  52
  53 static time_t test_time_valid = 0, test_time_after_expiration = 0;
  54
  55 static CMP_VFY_TEST_FIXTURE *set_up(const char *const test_case_name)
  56 {
  57     X509_STORE *ts = X509_STORE_new();
  58     CMP_VFY_TEST_FIXTURE *fixture;
  59
  60     if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
  61         return NULL;
  62     fixture->test_case_name = test_case_name;
  63     if (ts == NULL
  64             || !TEST_ptr(fixture->cmp_ctx = OSSL_CMP_CTX_new())
  65             || !OSSL_CMP_CTX_set0_trustedStore(fixture->cmp_ctx, ts)
  66             || !OSSL_CMP_CTX_set_log_cb(fixture->cmp_ctx, print_to_bio_out)) {
  67         tear_down(fixture);
  68         X509_STORE_free(ts);
  69         return NULL;
  70     }
  71     X509_VERIFY_PARAM_set_time(X509_STORE_get0_param(ts), test_time_valid);
  72     X509_STORE_set_verify_cb(ts, X509_STORE_CTX_print_verify_cb);
  73     return fixture;
  74 }
  75
  76 static X509 *srvcert = NULL;
  77 static X509 *clcert = NULL;
  78 /* chain */
  79 static X509 *endentity1 = NULL, *endentity2 = NULL,
  80     *intermediate = NULL, *root = NULL;
  81 /* INSTA chain */
  82 static X509 *insta_cert = NULL, *instaca_cert = NULL;
  83
  84 static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH];
  85 static OSSL_CMP_MSG *ir_unprotected, *ir_rmprotection;
  86
  87 static int flip_bit(ASN1_BIT_STRING *bitstr)
  88 {
  89     int bit_num = 7;
  90     int bit = ASN1_BIT_STRING_get_bit(bitstr, bit_num);
  91
  92     return ASN1_BIT_STRING_set_bit(bitstr, bit_num, !bit);
  93 }
  94
  95 static int execute_verify_popo_test(CMP_VFY_TEST_FIXTURE *fixture)
  96 {
  97     if ((fixture->msg = load_pkimsg(ir_protected_f)) == NULL)
  98         return 0;
  99     if (fixture->expected == 0) {
 100         const OSSL_CRMF_MSGS *reqs = fixture->msg->body->value.ir;
 101         const OSSL_CRMF_MSG *req = sk_OSSL_CRMF_MSG_value(reqs, 0);
 102         if (req == NULL || !flip_bit(req->popo->value.signature->signature))
 103             return 0;
 104     }
 105     return TEST_int_eq(fixture->expected,
 106                        ossl_cmp_verify_popo(fixture->msg,
 107                                             fixture->additional_arg));
 108 }
 109
 110 static int test_verify_popo(void)
 111 {
 112     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 113     fixture->expected = 1;
 114     EXECUTE_TEST(execute_verify_popo_test, tear_down);
 115     return result;
 116 }
 117
 118 static int test_verify_popo_bad(void)
 119 {
 120     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 121     fixture->expected = 0;
 122     EXECUTE_TEST(execute_verify_popo_test, tear_down);
 123     return result;
 124 }
 125
 126 static int execute_validate_msg_test(CMP_VFY_TEST_FIXTURE *fixture)
 127 {
 128     return TEST_int_eq(fixture->expected,
 129                        OSSL_CMP_validate_msg(fixture->cmp_ctx, fixture->msg));
 130 }
 131
 132 static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture)
 133 {
 134     X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx);
 135     int res = TEST_int_eq(fixture->expected,
 136                           OSSL_CMP_validate_cert_path(fixture->cmp_ctx,
 137                                                       ts, fixture->cert));
 138
 139     OSSL_CMP_CTX_print_errors(fixture->cmp_ctx);
 140     return res;
 141 }
 142
 143 static int test_validate_msg_mac_alg_protection(void)
 144 {
 145     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 146     /* secret value belonging to cmp-test/CMP_IP_waitingStatus_PBM.der */
 147     const unsigned char sec_1[] = {
 148         '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3',
 149         'Q', '-', 'u', 'd', 'N', 'R'
 150     };
 151
 152     fixture->expected = 1;
 153     if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1,
 154                                                  sizeof(sec_1)))
 155             || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f))) {
 156         tear_down(fixture);
 157         fixture = NULL;
 158     }
 159     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 160     return result;
 161 }
 162
 163 static int test_validate_msg_mac_alg_protection_bad(void)
 164 {
 165     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 166     const unsigned char sec_bad[] = {
 167         '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3',
 168         'Q', '-', 'u', 'd', 'N', 'r'
 169     };
 170     fixture->expected = 0;
 171
 172     if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_bad,
 173                                                  sizeof(sec_bad)))
 174             || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f))) {
 175         tear_down(fixture);
 176         fixture = NULL;
 177     }
 178     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 179     return result;
 180 }
 181
 182 static int add_trusted(OSSL_CMP_CTX *ctx, X509 *cert)
 183 {
 184     return X509_STORE_add_cert(OSSL_CMP_CTX_get0_trustedStore(ctx), cert);
 185 }
 186
 187 static int add_untrusted(OSSL_CMP_CTX *ctx, X509 *cert)
 188 {
 189     return ossl_cmp_sk_X509_add1_cert(OSSL_CMP_CTX_get0_untrusted_certs(ctx),
 190                                       cert, 0, 0);
 191 }
 192
 193 static int test_validate_msg_signature_partial_chain(int expired)
 194 {
 195     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 196     X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx);
 197
 198     fixture->expected = !expired;
 199     if (ts == NULL
 200             || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))
 201             || !add_trusted(fixture->cmp_ctx, srvcert)) {
 202         tear_down(fixture);
 203         fixture = NULL;
 204     } else {
 205         X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
 206         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
 207         if (expired)
 208             X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration);
 209     }
 210     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 211     return result;
 212 }
 213
 214 static int test_validate_msg_signature_trusted_ok(void)
 215 {
 216     return test_validate_msg_signature_partial_chain(0);
 217 }
 218
 219 static int test_validate_msg_signature_trusted_expired(void)
 220 {
 221     return test_validate_msg_signature_partial_chain(1);
 222 }
 223
 224 static int test_validate_msg_signature_srvcert_wrong(void)
 225 {
 226     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 227     fixture->expected = 0;
 228     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))
 229         || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, clcert))) {
 230         tear_down(fixture);
 231         fixture = NULL;
 232     }
 233     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 234     return result;
 235 }
 236
 237 static int test_validate_msg_signature_srvcert(int bad_sig)
 238 {
 239     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 240     fixture->expected = !bad_sig;
 241     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))
 242         || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert))
 243         || (bad_sig && !flip_bit(fixture->msg->protection))) {
 244         tear_down(fixture);
 245         fixture = NULL;
 246     }
 247     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 248     return result;
 249 }
 250
 251 static int test_validate_msg_signature_bad(void)
 252 {
 253     return test_validate_msg_signature_srvcert(1);
 254 }
 255
 256 static int test_validate_msg_signature_sender_cert_srvcert(void)
 257 {
 258     return test_validate_msg_signature_srvcert(0);
 259 }
 260
 261 static int test_validate_msg_signature_sender_cert_untrusted(void)
 262 {
 263     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 264     fixture->expected = 1;
 265     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts))
 266             || !add_trusted(fixture->cmp_ctx, instaca_cert)
 267             || !add_untrusted(fixture->cmp_ctx, insta_cert)) {
 268         tear_down(fixture);
 269         fixture = NULL;
 270     }
 271     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 272     return result;
 273 }
 274
 275 static int test_validate_msg_signature_sender_cert_trusted(void)
 276 {
 277     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 278     fixture->expected = 1;
 279     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts))
 280             || !add_trusted(fixture->cmp_ctx, instaca_cert)
 281             || !add_trusted(fixture->cmp_ctx, insta_cert)) {
 282         tear_down(fixture);
 283         fixture = NULL;
 284     }
 285     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 286     return result;
 287 }
 288
 289 static int test_validate_msg_signature_sender_cert_extracert(void)
 290 {
 291     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 292     fixture->expected = 1;
 293     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_2_extracerts))
 294             || !add_trusted(fixture->cmp_ctx, instaca_cert)) {
 295         tear_down(fixture);
 296         fixture = NULL;
 297     }
 298     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 299     return result;
 300 }
 301
 302
 303 static int test_validate_msg_signature_sender_cert_absent(void)
 304 {
 305     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 306     fixture->expected = 0;
 307     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts))) {
 308         tear_down(fixture);
 309         fixture = NULL;
 310     }
 311     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 312     return result;
 313 }
 314
 315
 316 static int test_validate_with_sender(const X509_NAME *name, int expected)
 317 {
 318     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 319     fixture->expected = expected;
 320     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))
 321         || !TEST_true(OSSL_CMP_CTX_set1_expected_sender(fixture->cmp_ctx, name))
 322         || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert))) {
 323         tear_down(fixture);
 324         fixture = NULL;
 325     }
 326     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 327     return result;
 328 }
 329
 330 static int test_validate_msg_signature_expected_sender(void)
 331 {
 332     return test_validate_with_sender(X509_get_subject_name(srvcert), 1);
 333 }
 334
 335 static int test_validate_msg_signature_unexpected_sender(void)
 336 {
 337     return test_validate_with_sender(X509_get_subject_name(root), 0);
 338 }
 339
 340 static int test_validate_msg_unprotected_request(void)
 341 {
 342     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 343     fixture->expected = 0;
 344     if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f))) {
 345         tear_down(fixture);
 346         fixture = NULL;
 347     }
 348     EXECUTE_TEST(execute_validate_msg_test, tear_down);
 349     return result;
 350 }
 351
 352 static void setup_path(CMP_VFY_TEST_FIXTURE **fixture, X509 *wrong, int expired)
 353 {
 354     (*fixture)->cert = endentity2;
 355     (*fixture)->expected = wrong == NULL && !expired;
 356     if (expired) {
 357         X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore((*fixture)->cmp_ctx);
 358         X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
 359         X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration);
 360     }
 361     if (!add_trusted((*fixture)->cmp_ctx, wrong == NULL ? root : wrong)
 362             || !add_untrusted((*fixture)->cmp_ctx, endentity1)
 363             || !add_untrusted((*fixture)->cmp_ctx, intermediate)) {
 364         tear_down((*fixture));
 365         (*fixture) = NULL;
 366     }
 367 }
 368
 369 static int test_validate_cert_path_ok(void)
 370 {
 371     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 372     setup_path(&fixture, NULL, 0);
 373     EXECUTE_TEST(execute_validate_cert_path_test, tear_down);
 374     return result;
 375 }
 376
 377 static int test_validate_cert_path_wrong_anchor(void)
 378 {
 379     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 380     setup_path(&fixture, srvcert /* wrong/non-root cert */, 0);
 381     EXECUTE_TEST(execute_validate_cert_path_test, tear_down);
 382     return result;
 383 }
 384
 385 static int test_validate_cert_path_expired(void)
 386 {
 387     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 388     setup_path(&fixture, NULL, 1);
 389     EXECUTE_TEST(execute_validate_cert_path_test, tear_down);
 390     return result;
 391 }
 392
 393 static int execute_MSG_check_received_test(CMP_VFY_TEST_FIXTURE *fixture)
 394 {
 395     const OSSL_CMP_PKIHEADER *hdr = OSSL_CMP_MSG_get0_header(fixture->msg);
 396     const ASN1_OCTET_STRING *tid = OSSL_CMP_HDR_get0_transactionID(hdr);
 397
 398     if (!TEST_int_eq(fixture->expected,
 399                      ossl_cmp_msg_check_received(fixture->cmp_ctx,
 400                                                  fixture->msg,
 401                                                  fixture->allow_unprotected_cb,
 402                                                  fixture->additional_arg)))
 403         return 0;
 404
 405     if (fixture->expected < 0) /* error expected aready during above check */
 406         return 1;
 407     return
 408         TEST_int_eq(0,
 409                     ASN1_OCTET_STRING_cmp(ossl_cmp_hdr_get0_senderNonce(hdr),
 410                                           fixture->cmp_ctx->recipNonce))
 411         && TEST_int_eq(0,
 412                        ASN1_OCTET_STRING_cmp(tid,
 413                                              fixture->cmp_ctx->transactionID));
 414 }
 415
 416 static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
 417                              int invalid_protection, int allow)
 418 {
 419     return allow;
 420 }
 421
 422 static void setup_check_received(CMP_VFY_TEST_FIXTURE **fixture, int expected,
 423                                  ossl_cmp_allow_unprotected_cb_t cb, int arg,
 424                                  const unsigned char *trid_data,
 425                                  const unsigned char *nonce_data)
 426 {
 427     OSSL_CMP_CTX *ctx = (*fixture)->cmp_ctx;
 428     int nonce_len = OSSL_CMP_SENDERNONCE_LENGTH;
 429
 430     (*fixture)->expected = expected;
 431     (*fixture)->allow_unprotected_cb = cb;
 432     (*fixture)->additional_arg = arg;
 433     (*fixture)->msg = OSSL_CMP_MSG_dup(ir_rmprotection);
 434     if ((*fixture)->msg == NULL
 435         || (nonce_data != NULL
 436             && !ossl_cmp_asn1_octet_string_set1_bytes(&ctx->senderNonce,
 437                                                       nonce_data, nonce_len))) {
 438         tear_down((*fixture));
 439         (*fixture) = NULL;
 440     } else if (trid_data != NULL) {
 441         ASN1_OCTET_STRING *trid = ASN1_OCTET_STRING_new();
 442         if (trid == NULL
 443             || !ASN1_OCTET_STRING_set(trid, trid_data,
 444                                       OSSL_CMP_TRANSACTIONID_LENGTH)
 445             || !OSSL_CMP_CTX_set1_transactionID(ctx, trid)) {
 446             tear_down((*fixture));
 447             (*fixture) = NULL;
 448         }
 449         ASN1_OCTET_STRING_free(trid);
 450     }
 451 }
 452
 453 static int test_MSG_check_received_no_protection_no_cb(void)
 454 {
 455     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 456     setup_check_received(&fixture, -1, NULL, 0, NULL, NULL);
 457     EXECUTE_TEST(execute_MSG_check_received_test, tear_down);
 458     return result;
 459 }
 460
 461 static int test_MSG_check_received_no_protection_restrictive_cb(void)
 462 {
 463     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 464     setup_check_received(&fixture, -1, allow_unprotected, 0, NULL, NULL);
 465     EXECUTE_TEST(execute_MSG_check_received_test, tear_down);
 466     return result;
 467 }
 468
 469 static int test_MSG_check_received_no_protection_permissive_cb(void)
 470 {
 471     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 472     setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1,
 473                          NULL, NULL);
 474     EXECUTE_TEST(execute_MSG_check_received_test, tear_down);
 475     return result;
 476 }
 477
 478 static int test_MSG_check_received_check_transaction_id(void)
 479 {
 480     /* Transaction id belonging to CMP_IR_rmprotection.der */
 481     const unsigned char trans_id[OSSL_CMP_TRANSACTIONID_LENGTH] = {
 482         0x39, 0xB6, 0x90, 0x28, 0xC4, 0xBC, 0x7A, 0xF6,
 483         0xBE, 0xC6, 0x4A, 0x88, 0x97, 0xA6, 0x95, 0x0B
 484     };
 485
 486     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 487     setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1,
 488                          trans_id, NULL);
 489     EXECUTE_TEST(execute_MSG_check_received_test, tear_down);
 490     return result;
 491 }
 492
 493 static int test_MSG_check_received_check_transaction_id_bad(void)
 494 {
 495     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 496     setup_check_received(&fixture, -1, allow_unprotected, 1, rand_data, NULL);
 497     EXECUTE_TEST(execute_MSG_check_received_test, tear_down);
 498     return result;
 499 }
 500
 501 static int test_MSG_check_received_check_recipient_nonce(void)
 502 {
 503     /* Recipient nonce belonging to CMP_IP_ir_rmprotection.der */
 504     const unsigned char rec_nonce[OSSL_CMP_SENDERNONCE_LENGTH] = {
 505         0x48, 0xF1, 0x71, 0x1F, 0xE5, 0xAF, 0x1C, 0x8B,
 506         0x21, 0x97, 0x5C, 0x84, 0x74, 0x49, 0xBA, 0x32
 507     };
 508
 509     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 510     setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1,
 511                          NULL, rec_nonce);
 512     EXECUTE_TEST(execute_MSG_check_received_test, tear_down);
 513     return result;
 514 }
 515
 516 static int test_MSG_check_received_check_recipient_nonce_bad(void)
 517 {
 518     SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
 519     setup_check_received(&fixture, -1, allow_unprotected, 1, NULL, rand_data);
 520     EXECUTE_TEST(execute_MSG_check_received_test, tear_down);
 521     return result;
 522 }
 523
 524 void cleanup_tests(void)
 525 {
 526     X509_free(srvcert);
 527     X509_free(clcert);
 528     X509_free(endentity1);
 529     X509_free(endentity2);
 530     X509_free(intermediate);
 531     X509_free(root);
 532     X509_free(insta_cert);
 533     X509_free(instaca_cert);
 534     OSSL_CMP_MSG_free(ir_unprotected);
 535     OSSL_CMP_MSG_free(ir_rmprotection);
 536     return;
 537 }
 538
 539 int setup_tests(void)
 540 {
 541     /* Set test time stamps */
 542     struct tm ts = { 0 };
 543
 544     ts.tm_year = 2018 - 1900;      /* 2018 */
 545     ts.tm_mon = 1;                 /* February */
 546     ts.tm_mday = 18;               /* 18th */
 547     test_time_valid = mktime(&ts); /* February 18th 2018 */
 548     ts.tm_year += 10;              /* February 18th 2028 */
 549     test_time_after_expiration = mktime(&ts);
 550
 551     if (!test_skip_common_options()) {
 552         TEST_error("Error parsing test options\n");
 553         return 0;
 554     }
 555
 556     RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH);
 557     if (!TEST_ptr(server_f = test_get_argument(0))
 558             || !TEST_ptr(client_f = test_get_argument(1))
 559             || !TEST_ptr(endentity1_f = test_get_argument(2))
 560             || !TEST_ptr(endentity2_f = test_get_argument(3))
 561             || !TEST_ptr(root_f = test_get_argument(4))
 562             || !TEST_ptr(intermediate_f = test_get_argument(5))
 563             || !TEST_ptr(ir_protected_f = test_get_argument(6))
 564             || !TEST_ptr(ir_unprotected_f = test_get_argument(7))
 565             || !TEST_ptr(ip_waiting_f = test_get_argument(8))
 566             || !TEST_ptr(ir_rmprotection_f = test_get_argument(9))
 567             || !TEST_ptr(instacert_f = test_get_argument(10))
 568             || !TEST_ptr(instaca_f = test_get_argument(11))
 569             || !TEST_ptr(ir_protected_0_extracerts = test_get_argument(12))
 570             || !TEST_ptr(ir_protected_2_extracerts = test_get_argument(13))) {
 571         TEST_error("usage: cmp_vfy_test server.crt client.crt "
 572                    "EndEntity1.crt EndEntity2.crt "
 573                    "Root_CA.crt Intermediate_CA.crt "
 574                    "CMP_IR_protected.der CMP_IR_unprotected.der "
 575                    "IP_waitingStatus_PBM.der IR_rmprotection.der "
 576                    "insta.cert.pem insta_ca.cert.pem "
 577                    "IR_protected_0_extraCerts.der "
 578                    "IR_protected_2_extraCerts.der\n");
 579         return 0;
 580     }
 581
 582     /* Load certificates for cert chain */
 583     if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f))
 584             || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f))
 585             || !TEST_ptr(root = load_pem_cert(root_f))
 586             || !TEST_ptr(intermediate = load_pem_cert(intermediate_f)))
 587         goto err;
 588
 589     if (!TEST_ptr(insta_cert = load_pem_cert(instacert_f))
 590             || !TEST_ptr(instaca_cert = load_pem_cert(instaca_f)))
 591         goto err;
 592
 593     /* Load certificates for message validation */
 594     if (!TEST_ptr(srvcert = load_pem_cert(server_f))
 595             || !TEST_ptr(clcert = load_pem_cert(client_f)))
 596         goto err;
 597     if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH)))
 598         goto err;
 599     if (!TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f))
 600             || !TEST_ptr(ir_rmprotection = load_pkimsg(ir_rmprotection_f)))
 601         goto err;
 602
 603     /* Message validation tests */
 604     ADD_TEST(test_verify_popo);
 605     ADD_TEST(test_verify_popo_bad);
 606     ADD_TEST(test_validate_msg_signature_trusted_ok);
 607     ADD_TEST(test_validate_msg_signature_trusted_expired);
 608     ADD_TEST(test_validate_msg_signature_srvcert_wrong);
 609     ADD_TEST(test_validate_msg_signature_bad);
 610     ADD_TEST(test_validate_msg_signature_sender_cert_srvcert);
 611     ADD_TEST(test_validate_msg_signature_sender_cert_untrusted);
 612     ADD_TEST(test_validate_msg_signature_sender_cert_trusted);
 613     ADD_TEST(test_validate_msg_signature_sender_cert_extracert);
 614     ADD_TEST(test_validate_msg_signature_sender_cert_absent);
 615     ADD_TEST(test_validate_msg_signature_expected_sender);
 616     ADD_TEST(test_validate_msg_signature_unexpected_sender);
 617     ADD_TEST(test_validate_msg_unprotected_request);
 618     ADD_TEST(test_validate_msg_mac_alg_protection);
 619     ADD_TEST(test_validate_msg_mac_alg_protection_bad);
 620
 621     /* Cert path validation tests */
 622     ADD_TEST(test_validate_cert_path_ok);
 623     ADD_TEST(test_validate_cert_path_expired);
 624     ADD_TEST(test_validate_cert_path_wrong_anchor);
 625
 626     ADD_TEST(test_MSG_check_received_no_protection_no_cb);
 627     ADD_TEST(test_MSG_check_received_no_protection_restrictive_cb);
 628     ADD_TEST(test_MSG_check_received_no_protection_permissive_cb);
 629     ADD_TEST(test_MSG_check_received_check_transaction_id);
 630     ADD_TEST(test_MSG_check_received_check_transaction_id_bad);
 631     ADD_TEST(test_MSG_check_received_check_recipient_nonce);
 632     ADD_TEST(test_MSG_check_received_check_recipient_nonce_bad);
 633
 634     return 1;
 635
 636  err:
 637     cleanup_tests();
 638     return 0;
 639
 640 }