Convert more tests
[openssl.git] / test / ct_test.c
1 /*
2  * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <ctype.h>
11 #include <math.h>
12 #include <stdio.h>
13 #include <stdlib.h>
14 #include <string.h>
15
16 #include <openssl/ct.h>
17 #include <openssl/err.h>
18 #include <openssl/pem.h>
19 #include <openssl/x509.h>
20 #include <openssl/x509v3.h>
21 #include "testutil.h"
22 #include "test_main_custom.h"
23
24 #ifndef OPENSSL_NO_CT
25 /* Used when declaring buffers to read text files into */
26 #define CT_TEST_MAX_FILE_SIZE 8096
27
28 static char *certs_dir = NULL;
29 static char *ct_dir = NULL;
30
31 typedef struct ct_test_fixture {
32     const char *test_case_name;
33     /* The current time in milliseconds */
34     uint64_t epoch_time_in_ms;
35     /* The CT log store to use during tests */
36     CTLOG_STORE* ctlog_store;
37     /* Set the following to test handling of SCTs in X509 certificates */
38     const char *certs_dir;
39     char *certificate_file;
40     char *issuer_file;
41     /* Expected number of SCTs */
42     int expected_sct_count;
43     /* Expected number of valid SCTS */
44     int expected_valid_sct_count;
45     /* Set the following to test handling of SCTs in TLS format */
46     const unsigned char *tls_sct_list;
47     size_t tls_sct_list_len;
48     STACK_OF(SCT) *sct_list;
49     /*
50      * A file to load the expected SCT text from.
51      * This text will be compared to the actual text output during the test.
52      * A maximum of |CT_TEST_MAX_FILE_SIZE| bytes will be read of this file.
53      */
54     const char *sct_dir;
55     const char *sct_text_file;
56     /* Whether to test the validity of the SCT(s) */
57     int test_validity;
58 } CT_TEST_FIXTURE;
59
60 static CT_TEST_FIXTURE set_up(const char *const test_case_name)
61 {
62     CT_TEST_FIXTURE fixture;
63     int ok = 0;
64
65     memset(&fixture, 0, sizeof(fixture));
66     fixture.test_case_name = test_case_name;
67     fixture.epoch_time_in_ms = 1473269626000; /* Sep 7 17:33:46 2016 GMT */
68     if (!TEST_ptr(fixture.ctlog_store = CTLOG_STORE_new())
69             || !TEST_int_eq(
70                     CTLOG_STORE_load_default_file(fixture.ctlog_store), 1))
71         goto end;
72     ok = 1;
73
74 end:
75     if (!ok) {
76         CTLOG_STORE_free(fixture.ctlog_store);
77         TEST_error("Failed to setup");
78         exit(EXIT_FAILURE);
79     }
80     return fixture;
81 }
82
83 static void tear_down(CT_TEST_FIXTURE fixture)
84 {
85     CTLOG_STORE_free(fixture.ctlog_store);
86     SCT_LIST_free(fixture.sct_list);
87 }
88
89 static char *mk_file_path(const char *dir, const char *file)
90 {
91 #ifndef OPENSSL_SYS_VMS
92     const char *sep = "/";
93 #else
94     const char *sep = "";
95 #endif
96     size_t len = strlen(dir) + strlen(sep) + strlen(file) + 1;
97     char *full_file = OPENSSL_zalloc(len);
98
99     if (full_file != NULL) {
100         OPENSSL_strlcpy(full_file, dir, len);
101         OPENSSL_strlcat(full_file, sep, len);
102         OPENSSL_strlcat(full_file, file, len);
103     }
104
105     return full_file;
106 }
107
108 static X509 *load_pem_cert(const char *dir, const char *file)
109 {
110     X509 *cert = NULL;
111     char *file_path = mk_file_path(dir, file);
112
113     if (file_path != NULL) {
114         BIO *cert_io = BIO_new_file(file_path, "r");
115
116         if (cert_io != NULL)
117             cert = PEM_read_bio_X509(cert_io, NULL, NULL, NULL);
118         BIO_free(cert_io);
119     }
120
121     OPENSSL_free(file_path);
122     return cert;
123 }
124
125 static int read_text_file(const char *dir, const char *file,
126                           char *buffer, int buffer_length)
127 {
128     int len = -1;
129     char *file_path = mk_file_path(dir, file);
130
131     if (file_path != NULL) {
132         BIO *file_io = BIO_new_file(file_path, "r");
133
134         if (file_io != NULL)
135             len = BIO_read(file_io, buffer, buffer_length);
136         BIO_free(file_io);
137     }
138
139     OPENSSL_free(file_path);
140     return len;
141 }
142
143 static int compare_sct_list_printout(STACK_OF(SCT) *sct,
144                                      const char *expected_output)
145 {
146     BIO *text_buffer = NULL;
147     char *actual_output = NULL;
148     int result = 0;
149
150     if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem())))
151         goto end;
152
153     SCT_LIST_print(sct, text_buffer, 0, "\n", NULL);
154
155     /* Append \0 because we're about to use the buffer contents as a string. */
156     if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
157         goto end;
158
159     BIO_get_mem_data(text_buffer, &actual_output);
160     if (!TEST_str_eq(actual_output, expected_output))
161         goto end;
162     result = 1;
163
164 end:
165     BIO_free(text_buffer);
166     return result;
167 }
168
169 static int compare_extension_printout(X509_EXTENSION *extension,
170                                       const char *expected_output)
171 {
172     BIO *text_buffer = NULL;
173     char *actual_output = NULL;
174     int result = 0;
175
176     if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem()))
177             || !TEST_true(X509V3_EXT_print(text_buffer, extension,
178                                            X509V3_EXT_DEFAULT, 0)))
179         goto end;
180
181     /* Append \0 because we're about to use the buffer contents as a string. */
182     if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
183         goto end;
184
185     BIO_get_mem_data(text_buffer, &actual_output);
186     if (!TEST_str_eq(actual_output, expected_output))
187         goto end;
188
189     result = 1;
190
191 end:
192     BIO_free(text_buffer);
193     return result;
194 }
195
196 static int assert_validity(CT_TEST_FIXTURE fixture, STACK_OF(SCT) *scts,
197                            CT_POLICY_EVAL_CTX *policy_ctx)
198 {
199     int invalid_sct_count = 0;
200     int valid_sct_count = 0;
201     int i;
202
203     if (!TEST_int_ge(SCT_LIST_validate(scts, policy_ctx), 0))
204         return 0;
205
206     for (i = 0; i < sk_SCT_num(scts); ++i) {
207         SCT *sct_i = sk_SCT_value(scts, i);
208
209         switch (SCT_get_validation_status(sct_i)) {
210         case SCT_VALIDATION_STATUS_VALID:
211             ++valid_sct_count;
212             break;
213         case SCT_VALIDATION_STATUS_INVALID:
214             ++invalid_sct_count;
215             break;
216         case SCT_VALIDATION_STATUS_NOT_SET:
217         case SCT_VALIDATION_STATUS_UNKNOWN_LOG:
218         case SCT_VALIDATION_STATUS_UNVERIFIED:
219         case SCT_VALIDATION_STATUS_UNKNOWN_VERSION:
220             /* Ignore other validation statuses. */
221             break;
222         }
223     }
224
225     if (!TEST_int_eq(valid_sct_count, fixture.expected_valid_sct_count)) {
226         int unverified_sct_count = sk_SCT_num(scts) -
227                                         invalid_sct_count - valid_sct_count;
228
229         TEST_info("%d SCTs failed, %d SCTs unverified",
230                   invalid_sct_count, unverified_sct_count);
231         return 0;
232     }
233
234     return 1;
235 }
236
237 static int execute_cert_test(CT_TEST_FIXTURE fixture)
238 {
239     int success = 0;
240     X509 *cert = NULL, *issuer = NULL;
241     STACK_OF(SCT) *scts = NULL;
242     SCT *sct = NULL;
243     char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
244     int sct_text_len = 0;
245     unsigned char *tls_sct_list = NULL;
246     size_t tls_sct_list_len = 0;
247     CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
248
249     if (fixture.sct_text_file != NULL) {
250         sct_text_len = read_text_file(fixture.sct_dir, fixture.sct_text_file,
251                                       expected_sct_text,
252                                       CT_TEST_MAX_FILE_SIZE - 1);
253
254         if (!TEST_int_ge(sct_text_len, 0))
255             goto end;
256         expected_sct_text[sct_text_len] = '\0';
257     }
258
259     CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(
260             ct_policy_ctx, fixture.ctlog_store);
261
262     CT_POLICY_EVAL_CTX_set_time(ct_policy_ctx, fixture.epoch_time_in_ms);
263
264     if (fixture.certificate_file != NULL) {
265         int sct_extension_index;
266         X509_EXTENSION *sct_extension = NULL;
267
268         if (!TEST_ptr(cert = load_pem_cert(fixture.certs_dir,
269                                            fixture.certificate_file)))
270             goto end;
271
272         CT_POLICY_EVAL_CTX_set1_cert(ct_policy_ctx, cert);
273
274         if (fixture.issuer_file != NULL) {
275             if (!TEST_ptr(issuer = load_pem_cert(fixture.certs_dir,
276                                                  fixture.issuer_file)))
277                 goto end;
278             CT_POLICY_EVAL_CTX_set1_issuer(ct_policy_ctx, issuer);
279         }
280
281         sct_extension_index =
282                 X509_get_ext_by_NID(cert, NID_ct_precert_scts, -1);
283         sct_extension = X509_get_ext(cert, sct_extension_index);
284         if (fixture.expected_sct_count > 0) {
285             if (!TEST_ptr(sct_extension))
286                 goto end;
287
288             if (fixture.sct_text_file
289                 && !compare_extension_printout(sct_extension,
290                                                expected_sct_text))
291                     goto end;
292
293             if (fixture.test_validity) {
294                 int i;
295
296                 scts = X509V3_EXT_d2i(sct_extension);
297                 for (i = 0; i < sk_SCT_num(scts); ++i) {
298                     SCT *sct_i = sk_SCT_value(scts, i);
299
300                     if (!TEST_true(SCT_set_source(sct_i,
301                                                   SCT_SOURCE_X509V3_EXTENSION)))
302                         goto end;
303                 }
304
305                 if (!assert_validity(fixture, scts, ct_policy_ctx))
306                     goto end;
307             }
308         } else if (!TEST_ptr_null(sct_extension)) {
309             goto end;
310         }
311     }
312
313     if (fixture.tls_sct_list != NULL) {
314         const unsigned char *p = fixture.tls_sct_list;
315
316         if (!TEST_ptr(o2i_SCT_LIST(&scts, &p, fixture.tls_sct_list_len)))
317             goto end;
318
319         if (fixture.test_validity && cert != NULL) {
320             if (!assert_validity(fixture, scts, ct_policy_ctx))
321                 goto end;
322         }
323
324         if (fixture.sct_text_file
325             && !compare_sct_list_printout(scts, expected_sct_text)) {
326                 goto end;
327         }
328
329         tls_sct_list_len = i2o_SCT_LIST(scts, &tls_sct_list);
330         if (!TEST_mem_eq(fixture.tls_sct_list, fixture.tls_sct_list_len,
331                          tls_sct_list, tls_sct_list_len))
332             goto end;
333     }
334     success = 1;
335
336 end:
337     X509_free(cert);
338     X509_free(issuer);
339     SCT_LIST_free(scts);
340     SCT_free(sct);
341     CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
342     OPENSSL_free(tls_sct_list);
343     return success;
344 }
345
346 #define SETUP_CT_TEST_FIXTURE() SETUP_TEST_FIXTURE(CT_TEST_FIXTURE, set_up)
347 #define EXECUTE_CT_TEST() EXECUTE_TEST(execute_cert_test, tear_down)
348
349 static int test_no_scts_in_certificate()
350 {
351     SETUP_CT_TEST_FIXTURE();
352     fixture.certs_dir = certs_dir;
353     fixture.certificate_file = "leaf.pem";
354     fixture.issuer_file = "subinterCA.pem";
355     fixture.expected_sct_count = 0;
356     EXECUTE_CT_TEST();
357 }
358
359 static int test_one_sct_in_certificate()
360 {
361     SETUP_CT_TEST_FIXTURE();
362     fixture.certs_dir = certs_dir;
363     fixture.certificate_file = "embeddedSCTs1.pem";
364     fixture.issuer_file = "embeddedSCTs1_issuer.pem";
365     fixture.expected_sct_count = 1;
366     fixture.sct_dir = certs_dir;
367     fixture.sct_text_file = "embeddedSCTs1.sct";
368     EXECUTE_CT_TEST();
369 }
370
371 static int test_multiple_scts_in_certificate()
372 {
373     SETUP_CT_TEST_FIXTURE();
374     fixture.certs_dir = certs_dir;
375     fixture.certificate_file = "embeddedSCTs3.pem";
376     fixture.issuer_file = "embeddedSCTs3_issuer.pem";
377     fixture.expected_sct_count = 3;
378     fixture.sct_dir = certs_dir;
379     fixture.sct_text_file = "embeddedSCTs3.sct";
380     EXECUTE_CT_TEST();
381 }
382
383 static int test_verify_one_sct()
384 {
385     SETUP_CT_TEST_FIXTURE();
386     fixture.certs_dir = certs_dir;
387     fixture.certificate_file = "embeddedSCTs1.pem";
388     fixture.issuer_file = "embeddedSCTs1_issuer.pem";
389     fixture.expected_sct_count = fixture.expected_valid_sct_count = 1;
390     fixture.test_validity = 1;
391     EXECUTE_CT_TEST();
392 }
393
394 static int test_verify_multiple_scts()
395 {
396     SETUP_CT_TEST_FIXTURE();
397     fixture.certs_dir = certs_dir;
398     fixture.certificate_file = "embeddedSCTs3.pem";
399     fixture.issuer_file = "embeddedSCTs3_issuer.pem";
400     fixture.expected_sct_count = fixture.expected_valid_sct_count = 3;
401     fixture.test_validity = 1;
402     EXECUTE_CT_TEST();
403 }
404
405 static int test_verify_fails_for_future_sct()
406 {
407     SETUP_CT_TEST_FIXTURE();
408     fixture.epoch_time_in_ms = 1365094800000; /* Apr 4 17:00:00 2013 GMT */
409     fixture.certs_dir = certs_dir;
410     fixture.certificate_file = "embeddedSCTs1.pem";
411     fixture.issuer_file = "embeddedSCTs1_issuer.pem";
412     fixture.expected_sct_count = 1;
413     fixture.expected_valid_sct_count = 0;
414     fixture.test_validity = 1;
415     EXECUTE_CT_TEST();
416 }
417
418 static int test_decode_tls_sct()
419 {
420     const unsigned char tls_sct_list[] = "\x00\x78" /* length of list */
421         "\x00\x76"
422         "\x00" /* version */
423         /* log ID */
424         "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
425         "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64"
426         "\x00\x00\x01\x3D\xDB\x27\xDF\x93" /* timestamp */
427         "\x00\x00" /* extensions length */
428         "" /* extensions */
429         "\x04\x03" /* hash and signature algorithms */
430         "\x00\x47" /* signature length */
431         /* signature */
432         "\x30\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE\x1F\xD6"
433         "\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3\xE5\xE2"
434         "\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB"
435         "\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89"
436         "\xED\xBF\x08";
437
438     SETUP_CT_TEST_FIXTURE();
439     fixture.tls_sct_list = tls_sct_list;
440     fixture.tls_sct_list_len = 0x7a;
441     fixture.sct_dir = ct_dir;
442     fixture.sct_text_file = "tls1.sct";
443     EXECUTE_CT_TEST();
444 }
445
446 static int test_encode_tls_sct()
447 {
448     const char log_id[] = "3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4LvT9012Q=";
449     const uint64_t timestamp = 1;
450     const char extensions[] = "";
451     const char signature[] = "BAMARzBAMiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUwKI+j5"
452             "eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8I";
453     SCT *sct = NULL;
454
455     SETUP_CT_TEST_FIXTURE();
456
457     fixture.sct_list = sk_SCT_new_null();
458     if (!TEST_ptr(sct = SCT_new_from_base64(SCT_VERSION_V1, log_id,
459                                             CT_LOG_ENTRY_TYPE_X509, timestamp,
460                                             extensions, signature)))
461
462         return 0;
463
464     sk_SCT_push(fixture.sct_list, sct);
465     fixture.sct_dir = ct_dir;
466     fixture.sct_text_file = "tls1.sct";
467     EXECUTE_CT_TEST();
468 }
469
470 /*
471  * Tests that the CT_POLICY_EVAL_CTX default time is approximately now.
472  * Allow +-10 minutes, as it may compensate for clock skew.
473  */
474 static int test_default_ct_policy_eval_ctx_time_is_now()
475 {
476     int success = 0;
477     CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
478     const time_t default_time = CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) /
479             1000;
480     const time_t time_tolerance = 600;  /* 10 minutes */
481
482     if (!TEST_uint_le(fabs(difftime(time(NULL), default_time)), time_tolerance))
483         goto end;
484
485     success = 1;
486 end:
487     CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
488     return success;
489 }
490
491 int test_main(int argc, char *argv[])
492 {
493     if ((ct_dir = getenv("CT_DIR")) == NULL)
494         ct_dir = "ct";
495     if ((certs_dir = getenv("CERTS_DIR")) == NULL)
496         certs_dir = "certs";
497
498     ADD_TEST(test_no_scts_in_certificate);
499     ADD_TEST(test_one_sct_in_certificate);
500     ADD_TEST(test_multiple_scts_in_certificate);
501     ADD_TEST(test_verify_one_sct);
502     ADD_TEST(test_verify_multiple_scts);
503     ADD_TEST(test_verify_fails_for_future_sct);
504     ADD_TEST(test_decode_tls_sct);
505     ADD_TEST(test_encode_tls_sct);
506     ADD_TEST(test_default_ct_policy_eval_ctx_time_is_now);
507
508     return run_tests(argv[0]);
509 }
510 #else
511 int test_main(int argc, char *argv[])
512 {
513     printf("No CT support\n");
514     return 0;
515 }
516 #endif