Fix ct_test to not assume it's in the source directory
[openssl.git] / test / ct_test.c
1 /*
2  * Tests the Certificate Transparency public API.
3  *
4  * Author:      Rob Percival (robpercival@google.com)
5  *
6  * ====================================================================
7  * Copyright (c) 2016 The OpenSSL Project.    All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *        notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *        notice, this list of conditions and the following disclaimer in
18  *        the documentation and/or other materials provided with the
19  *        distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *        software must display the following acknowledgment:
23  *        "This product includes software developed by the OpenSSL Project
24  *        for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *        endorse or promote products derived from this software without
28  *        prior written permission. For written permission, please contact
29  *        licensing@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *        nor may "OpenSSL" appear in their names without prior written
33  *        permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *        acknowledgment:
37  *        "This product includes software developed by the OpenSSL Project
38  *        for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.    IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  */
54
55 #include <ctype.h>
56 #include <stdio.h>
57 #include <stdlib.h>
58 #include <string.h>
59
60 #include <openssl/ct.h>
61 #include <openssl/err.h>
62 #include <openssl/pem.h>
63 #include <openssl/x509.h>
64 #include <openssl/x509v3.h>
65 #include "testutil.h"
66
67 #ifndef OPENSSL_NO_CT
68
69 /* Used when declaring buffers to read text files into */
70 #define CT_TEST_MAX_FILE_SIZE 8096
71
72 char *certs_dir = NULL;
73 char *ct_dir = NULL;
74
75 typedef struct ct_test_fixture {
76     const char *test_case_name;
77     /* The CT log store to use during tests */
78     CTLOG_STORE* ctlog_store;
79     /* Set the following to test handling of SCTs in X509 certificates */
80     const char *certs_dir;
81     char *certificate_file;
82     char *issuer_file;
83     int expected_sct_count;
84     /* Set the following to test handling of SCTs in TLS format */
85     const uint8_t *tls_sct;
86     size_t tls_sct_len;
87     SCT *sct;
88     /*
89      * A file to load the expected SCT text from.
90      * This text will be compared to the actual text output during the test.
91      * A maximum of |CT_TEST_MAX_FILE_SIZE| bytes will be read of this file.
92      */
93     const char *sct_dir;
94     const char *sct_text_file;
95     /* Whether to test the validity of the SCT(s) */
96     int test_validity;
97
98 } CT_TEST_FIXTURE;
99
100 static CT_TEST_FIXTURE set_up(const char *const test_case_name)
101 {
102     CT_TEST_FIXTURE fixture;
103     int setup_ok = 1;
104     CTLOG_STORE *ctlog_store = CTLOG_STORE_new();
105
106     if (ctlog_store == NULL) {
107         setup_ok = 0;
108         fprintf(stderr, "Failed to create a new CT log store\n");
109         goto end;
110     }
111
112     if (CTLOG_STORE_load_default_file(ctlog_store) != 1) {
113         setup_ok = 0;
114         fprintf(stderr, "Failed to load CT log list\n");
115         goto end;
116     }
117
118     memset(&fixture, 0, sizeof(fixture));
119     fixture.test_case_name = test_case_name;
120     fixture.ctlog_store = ctlog_store;
121
122 end:
123     if (!setup_ok) {
124         exit(EXIT_FAILURE);
125     }
126     return fixture;
127 }
128
129 static void tear_down(CT_TEST_FIXTURE fixture)
130 {
131     CTLOG_STORE_free(fixture.ctlog_store);
132     SCT_free(fixture.sct);
133     ERR_print_errors_fp(stderr);
134 }
135
136 static char *mk_file_path(const char *dir, const char *file)
137 {
138     char *full_file = NULL;
139     size_t full_file_l = 0;
140     const char *sep = "";
141 #ifndef OPENSSL_SYS_VMS
142     sep = "/";
143 #endif
144
145     full_file_l = strlen(dir) + strlen(sep) + strlen(file) + 1;
146     full_file = OPENSSL_zalloc(full_file_l);
147     if (full_file != NULL) {
148         OPENSSL_strlcpy(full_file, dir, full_file_l);
149         OPENSSL_strlcat(full_file, sep, full_file_l);
150         OPENSSL_strlcat(full_file, file, full_file_l);
151     }
152
153     return full_file;
154 }
155
156 static X509 *load_pem_cert(const char *dir, const char *file)
157 {
158     X509 *cert = NULL;
159     char *file_path = mk_file_path(dir, file);
160
161     if (file_path != NULL) {
162         BIO *cert_io = BIO_new_file(file_path, "r");
163         OPENSSL_free(file_path);
164
165         if (cert_io != NULL)
166             cert = PEM_read_bio_X509(cert_io, NULL, NULL, NULL);
167
168         BIO_free(cert_io);
169     }
170     return cert;
171 }
172
173 static int read_text_file(const char *dir, const char *file,
174                           char *buffer, int buffer_length)
175 {
176     int result = -1;
177     char *file_path = mk_file_path(dir, file);
178
179     if (file_path != NULL) {
180         BIO *file_io = BIO_new_file(file_path, "r");
181         OPENSSL_free(file_path);
182
183         if (file_io != NULL) {
184             result = BIO_read(file_io, buffer, buffer_length);
185             BIO_free(file_io);
186         }
187     }
188
189     return result;
190 }
191
192 static int compare_sct_printout(SCT *sct,
193     const char *expected_output)
194 {
195     BIO *text_buffer = NULL;
196     char *actual_output = NULL;
197     int result = 1;
198
199     text_buffer = BIO_new(BIO_s_mem());
200     if (text_buffer == NULL) {
201         fprintf(stderr, "Unable to allocate buffer\n");
202         goto end;
203     }
204
205     SCT_print(sct, text_buffer, 0);
206
207     /* Append null terminator because we're about to use the buffer contents
208     * as a string. */
209     if (BIO_write(text_buffer, "\0", 1) != 1) {
210         fprintf(stderr, "Failed to append null terminator to SCT text\n");
211         goto end;
212     }
213
214     BIO_get_mem_data(text_buffer, &actual_output);
215     result = strcmp(actual_output, expected_output);
216
217     if (result != 0) {
218         fprintf(stderr,
219             "Expected SCT printout:\n%s\nActual SCT printout:\n%s\n",
220             expected_output, actual_output);
221     }
222
223 end:
224     BIO_free(text_buffer);
225     return result;
226 }
227
228 static int compare_extension_printout(X509_EXTENSION *extension,
229                                       const char *expected_output)
230 {
231     BIO *text_buffer = NULL;
232     char *actual_output = NULL;
233     int result = 1;
234
235     text_buffer = BIO_new(BIO_s_mem());
236     if (text_buffer == NULL) {
237         fprintf(stderr, "Unable to allocate buffer\n");
238         goto end;
239     }
240
241     if (!X509V3_EXT_print(text_buffer, extension, X509V3_EXT_DEFAULT, 0)) {
242         fprintf(stderr, "Failed to print extension\n");
243         goto end;
244     }
245
246     /* Append null terminator because we're about to use the buffer contents
247      * as a string. */
248     if (BIO_write(text_buffer, "\0", 1) != 1) {
249         fprintf(stderr, "Failed to append null terminator to extension text\n");
250         goto end;
251     }
252
253     BIO_get_mem_data(text_buffer, &actual_output);
254     result = strcmp(actual_output, expected_output);
255
256     if (result != 0) {
257         fprintf(stderr,
258                 "Expected SCT printout:\n%s\nActual SCT printout:\n%s\n",
259                 expected_output, actual_output);
260     }
261
262 end:
263     BIO_free(text_buffer);
264     return result;
265 }
266
267 static int execute_cert_test(CT_TEST_FIXTURE fixture)
268 {
269     int test_failed = 0;
270     X509 *cert = NULL, *issuer = NULL;
271     STACK_OF(SCT) *scts = NULL;
272     SCT *sct = NULL;
273     char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
274     int sct_text_len = 0;
275     unsigned char *tls_sct = NULL;
276     size_t tls_sct_len = 0;
277     CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
278
279     if (fixture.sct_text_file != NULL) {
280         sct_text_len = read_text_file(fixture.sct_dir, fixture.sct_text_file,
281                                       expected_sct_text,
282                                       CT_TEST_MAX_FILE_SIZE - 1);
283
284         if (sct_text_len < 0) {
285             test_failed = 1;
286             fprintf(stderr, "Test data file not found: %s\n",
287                 fixture.sct_text_file);
288             goto end;
289         }
290
291         expected_sct_text[sct_text_len] = '\0';
292     }
293
294     CT_POLICY_EVAL_CTX_set0_log_store(ct_policy_ctx, fixture.ctlog_store);
295
296     if (fixture.certificate_file != NULL) {
297         int sct_extension_index;
298         X509_EXTENSION *sct_extension = NULL;
299         cert = load_pem_cert(fixture.certs_dir, fixture.certificate_file);
300
301         if (cert == NULL) {
302             test_failed = 1;
303             fprintf(stderr, "Unable to load certificate: %s\n",
304                 fixture.certificate_file);
305             goto end;
306         }
307
308         CT_POLICY_EVAL_CTX_set0_cert(ct_policy_ctx, cert);
309
310         if (fixture.issuer_file != NULL) {
311             issuer = load_pem_cert(fixture.certs_dir, fixture.issuer_file);
312
313             if (issuer == NULL) {
314                 test_failed = 1;
315                 fprintf(stderr, "Unable to load issuer certificate: %s\n",
316                         fixture.issuer_file);
317                 goto end;
318             }
319
320             CT_POLICY_EVAL_CTX_set0_issuer(ct_policy_ctx, issuer);
321         }
322
323         sct_extension_index =
324                 X509_get_ext_by_NID(cert, NID_ct_precert_scts, -1);
325         sct_extension = X509_get_ext(cert, sct_extension_index);
326         if (fixture.expected_sct_count > 0) {
327             if (sct_extension == NULL) {
328                 test_failed = 1;
329                 fprintf(stderr, "SCT extension not found in: %s\n",
330                     fixture.certificate_file);
331                 goto end;
332             }
333
334             if (fixture.sct_text_file) {
335                 test_failed = compare_extension_printout(sct_extension,
336                                                     expected_sct_text);
337                 if (test_failed != 0)
338                     goto end;
339             }
340
341             if (fixture.test_validity) {
342                 int are_scts_validated = 0;
343                 scts = X509V3_EXT_d2i(sct_extension);
344                 SCT_LIST_set_source(scts, SCT_SOURCE_X509V3_EXTENSION);
345
346                 are_scts_validated = SCT_LIST_validate(scts, ct_policy_ctx);
347                 if (are_scts_validated < 0) {
348                     fprintf(stderr, "Error verifying SCTs\n");
349                     test_failed = 1;
350                 } else if (!are_scts_validated) {
351                     int invalid_sct_count = 0;
352                     int valid_sct_count = 0;
353                     int i;
354
355                     for (i = 0; i < sk_SCT_num(scts); ++i) {
356                         SCT *sct_i = sk_SCT_value(scts, i);
357                         switch (SCT_get_validation_status(sct_i)) {
358                         case SCT_VALIDATION_STATUS_VALID:
359                             ++valid_sct_count;
360                             break;
361                         case SCT_VALIDATION_STATUS_INVALID:
362                             ++invalid_sct_count;
363                             break;
364                         default:
365                             /* Ignore other validation statuses. */
366                             break;
367                         }
368                     }
369
370                     if (valid_sct_count != fixture.expected_sct_count) {
371                         int unverified_sct_count = sk_SCT_num(scts) -
372                                 invalid_sct_count - valid_sct_count;
373
374                         fprintf(stderr,
375                                 "%d SCTs failed verification\n"
376                                 "%d SCTs passed verification (%d expected)\n"
377                                 "%d SCTs were unverified\n",
378                                 invalid_sct_count,
379                                 valid_sct_count,
380                                 fixture.expected_sct_count,
381                                 unverified_sct_count);
382                     }
383                     test_failed = 1;
384                 }
385
386                 if (test_failed != 0)
387                     goto end;
388             }
389         } else if (sct_extension != NULL) {
390             test_failed = 1;
391             fprintf(stderr,
392                     "Expected no SCTs, but found SCT extension in: %s\n",
393                     fixture.certificate_file);
394             goto end;
395         }
396     }
397
398     if (fixture.tls_sct != NULL) {
399         const unsigned char *p = fixture.tls_sct;
400         if (o2i_SCT(&sct, &p, fixture.tls_sct_len) == NULL) {
401             test_failed = 1;
402             fprintf(stderr, "Failed to decode SCT from TLS format\n");
403             goto end;
404         }
405
406         if (fixture.sct_text_file) {
407             test_failed = compare_sct_printout(sct, expected_sct_text);
408             if (test_failed != 0)
409                 goto end;
410         }
411
412         tls_sct_len = i2o_SCT(sct, &tls_sct);
413         if (tls_sct_len != fixture.tls_sct_len ||
414             memcmp(fixture.tls_sct, tls_sct, tls_sct_len) != 0) {
415             test_failed = 1;
416             fprintf(stderr, "Failed to encode SCT into TLS format correctly\n");
417             goto end;
418         }
419
420         if (fixture.test_validity && cert != NULL) {
421             int is_sct_validated = SCT_validate(sct, ct_policy_ctx);
422             if (is_sct_validated < 0) {
423                 test_failed = 1;
424                 fprintf(stderr, "Error validating SCT\n");
425                 goto end;
426             } else if (!is_sct_validated) {
427                 test_failed = 1;
428                 fprintf(stderr, "SCT failed verification\n");
429                 goto end;
430             }
431         }
432     }
433
434 end:
435     X509_free(cert);
436     X509_free(issuer);
437     SCT_LIST_free(scts);
438     SCT_free(sct);
439     CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
440     OPENSSL_free(tls_sct);
441     return test_failed;
442 }
443
444 #define SETUP_CT_TEST_FIXTURE() SETUP_TEST_FIXTURE(CT_TEST_FIXTURE, set_up)
445 #define EXECUTE_CT_TEST() EXECUTE_TEST(execute_cert_test, tear_down)
446
447 static int test_no_scts_in_certificate()
448 {
449     SETUP_CT_TEST_FIXTURE();
450     fixture.certs_dir = certs_dir;
451     fixture.certificate_file = "leaf.pem";
452     fixture.issuer_file = "subinterCA.pem";
453     fixture.expected_sct_count = 0;
454     EXECUTE_CT_TEST();
455 }
456
457 static int test_one_sct_in_certificate()
458 {
459     SETUP_CT_TEST_FIXTURE();
460     fixture.certs_dir = certs_dir;
461     fixture.certificate_file = "embeddedSCTs1.pem";
462     fixture.issuer_file = "embeddedSCTs1_issuer.pem";
463     fixture.expected_sct_count = 1;
464     fixture.sct_dir = certs_dir;
465     fixture.sct_text_file = "embeddedSCTs1.sct";
466     EXECUTE_CT_TEST();
467 }
468
469 static int test_multiple_scts_in_certificate()
470 {
471     SETUP_CT_TEST_FIXTURE();
472     fixture.certs_dir = certs_dir;
473     fixture.certificate_file = "embeddedSCTs3.pem";
474     fixture.issuer_file = "embeddedSCTs3_issuer.pem";
475     fixture.expected_sct_count = 3;
476     fixture.sct_dir = certs_dir;
477     fixture.sct_text_file = "embeddedSCTs3.sct";
478     EXECUTE_CT_TEST();
479 }
480
481 static int test_verify_one_sct()
482 {
483     SETUP_CT_TEST_FIXTURE();
484     fixture.certs_dir = certs_dir;
485     fixture.certificate_file = "embeddedSCTs1.pem";
486     fixture.issuer_file = "embeddedSCTs1_issuer.pem";
487     fixture.expected_sct_count = 1;
488     fixture.test_validity = 1;
489     EXECUTE_CT_TEST();
490 }
491
492 static int test_verify_multiple_scts()
493 {
494     SETUP_CT_TEST_FIXTURE();
495     fixture.certs_dir = certs_dir;
496     fixture.certificate_file = "embeddedSCTs3.pem";
497     fixture.issuer_file = "embeddedSCTs3_issuer.pem";
498     fixture.expected_sct_count = 3;
499     fixture.test_validity = 1;
500     EXECUTE_CT_TEST();
501 }
502
503 static int test_decode_tls_sct()
504 {
505     SETUP_CT_TEST_FIXTURE();
506     fixture.tls_sct = (unsigned char *)
507         "\x00" /* version */
508         /* log ID */
509         "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
510         "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64"
511         "\x00\x00\x01\x3D\xDB\x27\xDF\x93" /* timestamp */
512         "\x00\x00" /* extensions length */
513         "" /* extensions */
514         "\x04\x03" /* hash and signature algorithms */
515         "\x00\x47" /* signature length */
516         "\x30\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE\x1F\xD6"
517         "\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3\xE5\xE2"
518         "\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB"
519         "\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89"
520         "\xED\xBF\x08"; /* signature */
521     fixture.tls_sct_len = 118;
522     fixture.sct_dir = ct_dir;
523     fixture.sct_text_file = "tls1.sct";
524     EXECUTE_CT_TEST();
525 }
526
527 static int test_encode_tls_sct()
528 {
529     SETUP_CT_TEST_FIXTURE();
530
531     SCT *sct = SCT_new();
532     SCT_set_version(sct, 0);
533     SCT_set1_log_id(sct, (unsigned char *)
534         "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
535         "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64", 32);
536     SCT_set_timestamp(sct, 1);
537     SCT_set1_extensions(sct, (unsigned char *)"", 0);
538     SCT_set_signature_nid(sct, NID_ecdsa_with_SHA256);
539     SCT_set1_signature(sct, (unsigned char *)
540         "\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE"
541         "\x1F\xD6\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3"
542         "\xE5\xE2\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5"
543         "\xE8\xAB\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51"
544         "\x9D\x89\xED\xBF\x08", 71);
545     fixture.sct = sct;
546     fixture.sct_dir = ct_dir;
547     fixture.sct_text_file = "tls1.sct";
548     EXECUTE_CT_TEST();
549 }
550
551 int main(int argc, char *argv[])
552 {
553     int result = 0;
554     char *tmp_env = NULL;
555
556     tmp_env = getenv("CT_DIR");
557     ct_dir = OPENSSL_strdup(tmp_env != NULL ? tmp_env : "ct");
558     tmp_env = getenv("CERTS_DIR");
559     certs_dir = OPENSSL_strdup(tmp_env != NULL ? tmp_env : "certs");
560
561     ADD_TEST(test_no_scts_in_certificate);
562     ADD_TEST(test_one_sct_in_certificate);
563     ADD_TEST(test_multiple_scts_in_certificate);
564     ADD_TEST(test_verify_one_sct);
565     ADD_TEST(test_verify_multiple_scts);
566     ADD_TEST(test_decode_tls_sct);
567     ADD_TEST(test_encode_tls_sct);
568
569     result = run_tests(argv[0]);
570     ERR_print_errors_fp(stderr);
571
572     OPENSSL_free(ct_dir);
573     OPENSSL_free(certs_dir);
574
575     return result;
576 }
577
578 #else /* OPENSSL_NO_CT */
579
580 int main(int argc, char* argv[])
581 {
582     return EXIT_SUCCESS;
583 }
584
585 #endif /* OPENSSL_NO_CT */