Ordinals adjustment
[openssl.git] / test / ct_test.c
1 /*
2  * Tests the Certificate Transparency public API.
3  *
4  * Author:      Rob Percival (robpercival@google.com)
5  *
6  * ====================================================================
7  * Copyright (c) 2016 The OpenSSL Project.    All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *        notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *        notice, this list of conditions and the following disclaimer in
18  *        the documentation and/or other materials provided with the
19  *        distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *        software must display the following acknowledgment:
23  *        "This product includes software developed by the OpenSSL Project
24  *        for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *        endorse or promote products derived from this software without
28  *        prior written permission. For written permission, please contact
29  *        licensing@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *        nor may "OpenSSL" appear in their names without prior written
33  *        permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *        acknowledgment:
37  *        "This product includes software developed by the OpenSSL Project
38  *        for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.    IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  */
54
55 #include <ctype.h>
56 #include <stdio.h>
57 #include <stdlib.h>
58 #include <string.h>
59
60 #include <openssl/ct.h>
61 #include <openssl/err.h>
62 #include <openssl/pem.h>
63 #include <openssl/x509.h>
64 #include <openssl/x509v3.h>
65 #include "testutil.h"
66
67 #ifndef OPENSSL_NO_CT
68
69 /* Used when declaring buffers to read text files into */
70 #define CT_TEST_MAX_FILE_SIZE 8096
71
72 static char *certs_dir = NULL;
73 static char *ct_dir = NULL;
74
75 typedef struct ct_test_fixture {
76     const char *test_case_name;
77     /* The CT log store to use during tests */
78     CTLOG_STORE* ctlog_store;
79     /* Set the following to test handling of SCTs in X509 certificates */
80     const char *certs_dir;
81     char *certificate_file;
82     char *issuer_file;
83     int expected_sct_count;
84     /* Set the following to test handling of SCTs in TLS format */
85     const unsigned char *tls_sct;
86     size_t tls_sct_len;
87     SCT *sct;
88     /*
89      * A file to load the expected SCT text from.
90      * This text will be compared to the actual text output during the test.
91      * A maximum of |CT_TEST_MAX_FILE_SIZE| bytes will be read of this file.
92      */
93     const char *sct_dir;
94     const char *sct_text_file;
95     /* Whether to test the validity of the SCT(s) */
96     int test_validity;
97
98 } CT_TEST_FIXTURE;
99
100 static CT_TEST_FIXTURE set_up(const char *const test_case_name)
101 {
102     CT_TEST_FIXTURE fixture;
103     int setup_ok = 1;
104     CTLOG_STORE *ctlog_store = CTLOG_STORE_new();
105
106     if (ctlog_store == NULL) {
107         setup_ok = 0;
108         fprintf(stderr, "Failed to create a new CT log store\n");
109         goto end;
110     }
111
112     if (CTLOG_STORE_load_default_file(ctlog_store) != 1) {
113         setup_ok = 0;
114         fprintf(stderr, "Failed to load CT log list\n");
115         goto end;
116     }
117
118     memset(&fixture, 0, sizeof(fixture));
119     fixture.test_case_name = test_case_name;
120     fixture.ctlog_store = ctlog_store;
121
122 end:
123     if (!setup_ok) {
124         exit(EXIT_FAILURE);
125     }
126     return fixture;
127 }
128
129 static void tear_down(CT_TEST_FIXTURE fixture)
130 {
131     CTLOG_STORE_free(fixture.ctlog_store);
132     SCT_free(fixture.sct);
133     ERR_print_errors_fp(stderr);
134 }
135
136 static char *mk_file_path(const char *dir, const char *file)
137 {
138     char *full_file = NULL;
139     size_t full_file_l = 0;
140     const char *sep = "";
141 #ifndef OPENSSL_SYS_VMS
142     sep = "/";
143 #endif
144
145     full_file_l = strlen(dir) + strlen(sep) + strlen(file) + 1;
146     full_file = OPENSSL_zalloc(full_file_l);
147     if (full_file != NULL) {
148         OPENSSL_strlcpy(full_file, dir, full_file_l);
149         OPENSSL_strlcat(full_file, sep, full_file_l);
150         OPENSSL_strlcat(full_file, file, full_file_l);
151     }
152
153     return full_file;
154 }
155
156 static X509 *load_pem_cert(const char *dir, const char *file)
157 {
158     X509 *cert = NULL;
159     char *file_path = mk_file_path(dir, file);
160
161     if (file_path != NULL) {
162         BIO *cert_io = BIO_new_file(file_path, "r");
163         OPENSSL_free(file_path);
164
165         if (cert_io != NULL)
166             cert = PEM_read_bio_X509(cert_io, NULL, NULL, NULL);
167
168         BIO_free(cert_io);
169     }
170     return cert;
171 }
172
173 static int read_text_file(const char *dir, const char *file,
174                           char *buffer, int buffer_length)
175 {
176     int result = -1;
177     char *file_path = mk_file_path(dir, file);
178
179     if (file_path != NULL) {
180         BIO *file_io = BIO_new_file(file_path, "r");
181         OPENSSL_free(file_path);
182
183         if (file_io != NULL) {
184             result = BIO_read(file_io, buffer, buffer_length);
185             BIO_free(file_io);
186         }
187     }
188
189     return result;
190 }
191
192 static int compare_sct_printout(SCT *sct,
193     const char *expected_output)
194 {
195     BIO *text_buffer = NULL;
196     char *actual_output = NULL;
197     int result = 1;
198
199     text_buffer = BIO_new(BIO_s_mem());
200     if (text_buffer == NULL) {
201         fprintf(stderr, "Unable to allocate buffer\n");
202         goto end;
203     }
204
205     SCT_print(sct, text_buffer, 0, NULL);
206
207     /* Append null terminator because we're about to use the buffer contents
208     * as a string. */
209     if (BIO_write(text_buffer, "\0", 1) != 1) {
210         fprintf(stderr, "Failed to append null terminator to SCT text\n");
211         goto end;
212     }
213
214     BIO_get_mem_data(text_buffer, &actual_output);
215     result = strcmp(actual_output, expected_output);
216
217     if (result != 0) {
218         fprintf(stderr,
219             "Expected SCT printout:\n%s\nActual SCT printout:\n%s\n",
220             expected_output, actual_output);
221     }
222
223 end:
224     BIO_free(text_buffer);
225     return result;
226 }
227
228 static int compare_extension_printout(X509_EXTENSION *extension,
229                                       const char *expected_output)
230 {
231     BIO *text_buffer = NULL;
232     char *actual_output = NULL;
233     int result = 1;
234
235     text_buffer = BIO_new(BIO_s_mem());
236     if (text_buffer == NULL) {
237         fprintf(stderr, "Unable to allocate buffer\n");
238         goto end;
239     }
240
241     if (!X509V3_EXT_print(text_buffer, extension, X509V3_EXT_DEFAULT, 0)) {
242         fprintf(stderr, "Failed to print extension\n");
243         goto end;
244     }
245
246     /* Append null terminator because we're about to use the buffer contents
247      * as a string. */
248     if (BIO_write(text_buffer, "\0", 1) != 1) {
249         fprintf(stderr, "Failed to append null terminator to extension text\n");
250         goto end;
251     }
252
253     BIO_get_mem_data(text_buffer, &actual_output);
254     result = strcmp(actual_output, expected_output);
255
256     if (result != 0) {
257         fprintf(stderr,
258                 "Expected SCT printout:\n%s\nActual SCT printout:\n%s\n",
259                 expected_output, actual_output);
260     }
261
262 end:
263     BIO_free(text_buffer);
264     return result;
265 }
266
267 static int execute_cert_test(CT_TEST_FIXTURE fixture)
268 {
269     int test_failed = 0;
270     X509 *cert = NULL, *issuer = NULL;
271     STACK_OF(SCT) *scts = NULL;
272     SCT *sct = NULL;
273     char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
274     int sct_text_len = 0;
275     unsigned char *tls_sct = NULL;
276     size_t tls_sct_len = 0;
277     CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
278
279     if (fixture.sct_text_file != NULL) {
280         sct_text_len = read_text_file(fixture.sct_dir, fixture.sct_text_file,
281                                       expected_sct_text,
282                                       CT_TEST_MAX_FILE_SIZE - 1);
283
284         if (sct_text_len < 0) {
285             test_failed = 1;
286             fprintf(stderr, "Test data file not found: %s\n",
287                 fixture.sct_text_file);
288             goto end;
289         }
290
291         expected_sct_text[sct_text_len] = '\0';
292     }
293
294     CT_POLICY_EVAL_CTX_set0_log_store(ct_policy_ctx, fixture.ctlog_store);
295
296     if (fixture.certificate_file != NULL) {
297         int sct_extension_index;
298         X509_EXTENSION *sct_extension = NULL;
299         cert = load_pem_cert(fixture.certs_dir, fixture.certificate_file);
300
301         if (cert == NULL) {
302             test_failed = 1;
303             fprintf(stderr, "Unable to load certificate: %s\n",
304                 fixture.certificate_file);
305             goto end;
306         }
307
308         CT_POLICY_EVAL_CTX_set0_cert(ct_policy_ctx, cert);
309
310         if (fixture.issuer_file != NULL) {
311             issuer = load_pem_cert(fixture.certs_dir, fixture.issuer_file);
312
313             if (issuer == NULL) {
314                 test_failed = 1;
315                 fprintf(stderr, "Unable to load issuer certificate: %s\n",
316                         fixture.issuer_file);
317                 goto end;
318             }
319
320             CT_POLICY_EVAL_CTX_set0_issuer(ct_policy_ctx, issuer);
321         }
322
323         sct_extension_index =
324                 X509_get_ext_by_NID(cert, NID_ct_precert_scts, -1);
325         sct_extension = X509_get_ext(cert, sct_extension_index);
326         if (fixture.expected_sct_count > 0) {
327             if (sct_extension == NULL) {
328                 test_failed = 1;
329                 fprintf(stderr, "SCT extension not found in: %s\n",
330                     fixture.certificate_file);
331                 goto end;
332             }
333
334             if (fixture.sct_text_file) {
335                 test_failed = compare_extension_printout(sct_extension,
336                                                     expected_sct_text);
337                 if (test_failed != 0)
338                     goto end;
339             }
340
341             if (fixture.test_validity) {
342                 int are_scts_validated = 0;
343                 int i;
344
345                 scts = X509V3_EXT_d2i(sct_extension);
346                 for (i = 0; i < sk_SCT_num(scts); ++i) {
347                     SCT *sct_i = sk_SCT_value(scts, i);
348
349                     if (!SCT_set_source(sct_i, SCT_SOURCE_X509V3_EXTENSION)) {
350                         fprintf(stderr,
351                                 "Error setting SCT source to X509v3 extension\n");
352                         test_failed = 1;
353                         goto end;
354                     }
355                 }
356
357                 are_scts_validated = SCT_LIST_validate(scts, ct_policy_ctx);
358                 if (are_scts_validated < 0) {
359                     fprintf(stderr, "Error verifying SCTs\n");
360                     test_failed = 1;
361                 } else if (!are_scts_validated) {
362                     int invalid_sct_count = 0;
363                     int valid_sct_count = 0;
364
365                     for (i = 0; i < sk_SCT_num(scts); ++i) {
366                         SCT *sct_i = sk_SCT_value(scts, i);
367                         switch (SCT_get_validation_status(sct_i)) {
368                         case SCT_VALIDATION_STATUS_VALID:
369                             ++valid_sct_count;
370                             break;
371                         case SCT_VALIDATION_STATUS_INVALID:
372                             ++invalid_sct_count;
373                             break;
374                         default:
375                             /* Ignore other validation statuses. */
376                             break;
377                         }
378                     }
379
380                     if (valid_sct_count != fixture.expected_sct_count) {
381                         int unverified_sct_count = sk_SCT_num(scts) -
382                                 invalid_sct_count - valid_sct_count;
383
384                         fprintf(stderr,
385                                 "%d SCTs failed verification\n"
386                                 "%d SCTs passed verification (%d expected)\n"
387                                 "%d SCTs were unverified\n",
388                                 invalid_sct_count,
389                                 valid_sct_count,
390                                 fixture.expected_sct_count,
391                                 unverified_sct_count);
392                     }
393                     test_failed = 1;
394                 }
395
396                 if (test_failed != 0)
397                     goto end;
398             }
399         } else if (sct_extension != NULL) {
400             test_failed = 1;
401             fprintf(stderr,
402                     "Expected no SCTs, but found SCT extension in: %s\n",
403                     fixture.certificate_file);
404             goto end;
405         }
406     }
407
408     if (fixture.tls_sct != NULL) {
409         const unsigned char *p = fixture.tls_sct;
410         if (o2i_SCT(&sct, &p, fixture.tls_sct_len) == NULL) {
411             test_failed = 1;
412             fprintf(stderr, "Failed to decode SCT from TLS format\n");
413             goto end;
414         }
415
416         if (fixture.sct_text_file) {
417             test_failed = compare_sct_printout(sct, expected_sct_text);
418             if (test_failed != 0)
419                 goto end;
420         }
421
422         tls_sct_len = i2o_SCT(sct, &tls_sct);
423         if (tls_sct_len != fixture.tls_sct_len ||
424             memcmp(fixture.tls_sct, tls_sct, tls_sct_len) != 0) {
425             test_failed = 1;
426             fprintf(stderr, "Failed to encode SCT into TLS format correctly\n");
427             goto end;
428         }
429
430         if (fixture.test_validity && cert != NULL) {
431             int is_sct_validated = SCT_validate(sct, ct_policy_ctx);
432             if (is_sct_validated < 0) {
433                 test_failed = 1;
434                 fprintf(stderr, "Error validating SCT\n");
435                 goto end;
436             } else if (!is_sct_validated) {
437                 test_failed = 1;
438                 fprintf(stderr, "SCT failed verification\n");
439                 goto end;
440             }
441         }
442     }
443
444 end:
445     X509_free(cert);
446     X509_free(issuer);
447     SCT_LIST_free(scts);
448     SCT_free(sct);
449     CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
450     OPENSSL_free(tls_sct);
451     return test_failed;
452 }
453
454 #define SETUP_CT_TEST_FIXTURE() SETUP_TEST_FIXTURE(CT_TEST_FIXTURE, set_up)
455 #define EXECUTE_CT_TEST() EXECUTE_TEST(execute_cert_test, tear_down)
456
457 static int test_no_scts_in_certificate()
458 {
459     SETUP_CT_TEST_FIXTURE();
460     fixture.certs_dir = certs_dir;
461     fixture.certificate_file = "leaf.pem";
462     fixture.issuer_file = "subinterCA.pem";
463     fixture.expected_sct_count = 0;
464     EXECUTE_CT_TEST();
465 }
466
467 static int test_one_sct_in_certificate()
468 {
469     SETUP_CT_TEST_FIXTURE();
470     fixture.certs_dir = certs_dir;
471     fixture.certificate_file = "embeddedSCTs1.pem";
472     fixture.issuer_file = "embeddedSCTs1_issuer.pem";
473     fixture.expected_sct_count = 1;
474     fixture.sct_dir = certs_dir;
475     fixture.sct_text_file = "embeddedSCTs1.sct";
476     EXECUTE_CT_TEST();
477 }
478
479 static int test_multiple_scts_in_certificate()
480 {
481     SETUP_CT_TEST_FIXTURE();
482     fixture.certs_dir = certs_dir;
483     fixture.certificate_file = "embeddedSCTs3.pem";
484     fixture.issuer_file = "embeddedSCTs3_issuer.pem";
485     fixture.expected_sct_count = 3;
486     fixture.sct_dir = certs_dir;
487     fixture.sct_text_file = "embeddedSCTs3.sct";
488     EXECUTE_CT_TEST();
489 }
490
491 static int test_verify_one_sct()
492 {
493     SETUP_CT_TEST_FIXTURE();
494     fixture.certs_dir = certs_dir;
495     fixture.certificate_file = "embeddedSCTs1.pem";
496     fixture.issuer_file = "embeddedSCTs1_issuer.pem";
497     fixture.expected_sct_count = 1;
498     fixture.test_validity = 1;
499     EXECUTE_CT_TEST();
500 }
501
502 static int test_verify_multiple_scts()
503 {
504     SETUP_CT_TEST_FIXTURE();
505     fixture.certs_dir = certs_dir;
506     fixture.certificate_file = "embeddedSCTs3.pem";
507     fixture.issuer_file = "embeddedSCTs3_issuer.pem";
508     fixture.expected_sct_count = 3;
509     fixture.test_validity = 1;
510     EXECUTE_CT_TEST();
511 }
512
513 static int test_decode_tls_sct()
514 {
515     const unsigned char tls_sct[] = "\x00" /* version */
516         /* log ID */
517         "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
518         "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64"
519         "\x00\x00\x01\x3D\xDB\x27\xDF\x93" /* timestamp */
520         "\x00\x00" /* extensions length */
521         "" /* extensions */
522         "\x04\x03" /* hash and signature algorithms */
523         "\x00\x47" /* signature length */
524         /* signature */
525         "\x30\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE\x1F\xD6"
526         "\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3\xE5\xE2"
527         "\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB"
528         "\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89"
529         "\xED\xBF\x08";
530
531     SETUP_CT_TEST_FIXTURE();
532     fixture.tls_sct = tls_sct;
533     fixture.tls_sct_len = 118;
534     fixture.sct_dir = ct_dir;
535     fixture.sct_text_file = "tls1.sct";
536     EXECUTE_CT_TEST();
537 }
538
539 static int test_encode_tls_sct()
540 {
541     const unsigned char log_id[] = "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9"
542             "\x61\x68\x32\x5D\xDC\x5C\x79\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E"
543             "\x0B\xBD\x3F\x74\xD7\x64";
544
545     const unsigned char signature[] = "\x45\x02\x20\x48\x2F\x67\x51\xAF\x35"
546             "\xDB\xA6\x54\x36\xBE\x1F\xD6\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95"
547             "\x92\x45\x30\x28\x8F\xA3\xE5\xE2\x3E\x06\x02\x21\x00\xE4\xED\xC0"
548             "\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB\x6A\x68\x06\x53\x98\x7D\xCF"
549             "\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89\xED\xBF\x08";
550
551     SETUP_CT_TEST_FIXTURE();
552
553     SCT *sct = SCT_new();
554     if (!SCT_set_version(sct, SCT_VERSION_V1)) {
555         fprintf(stderr, "Failed to set SCT version\n");
556         return 1;
557     }
558     if (!SCT_set1_log_id(sct, log_id, 32)) {
559         fprintf(stderr, "Failed to set SCT log ID\n");
560         return 1;
561     }
562     SCT_set_timestamp(sct, 1);
563     if (!SCT_set_signature_nid(sct, NID_ecdsa_with_SHA256)) {
564         fprintf(stderr, "Failed to set SCT signature NID\n");
565         return 1;
566     }
567     if (!SCT_set1_signature(sct, signature, 71)) {
568         fprintf(stderr, "Failed to set SCT signature\n");
569         return 1;
570     }
571     fixture.sct = sct;
572     fixture.sct_dir = ct_dir;
573     fixture.sct_text_file = "tls1.sct";
574     EXECUTE_CT_TEST();
575 }
576
577 int main(int argc, char *argv[])
578 {
579     int result = 0;
580     char *tmp_env = NULL;
581
582     tmp_env = getenv("CT_DIR");
583     ct_dir = OPENSSL_strdup(tmp_env != NULL ? tmp_env : "ct");
584     tmp_env = getenv("CERTS_DIR");
585     certs_dir = OPENSSL_strdup(tmp_env != NULL ? tmp_env : "certs");
586
587     ADD_TEST(test_no_scts_in_certificate);
588     ADD_TEST(test_one_sct_in_certificate);
589     ADD_TEST(test_multiple_scts_in_certificate);
590     ADD_TEST(test_verify_one_sct);
591     ADD_TEST(test_verify_multiple_scts);
592     ADD_TEST(test_decode_tls_sct);
593     ADD_TEST(test_encode_tls_sct);
594
595     result = run_tests(argv[0]);
596     ERR_print_errors_fp(stderr);
597
598     OPENSSL_free(ct_dir);
599     OPENSSL_free(certs_dir);
600
601     return result;
602 }
603
604 #else /* OPENSSL_NO_CT */
605
606 int main(int argc, char* argv[])
607 {
608     return EXIT_SUCCESS;
609 }
610
611 #endif /* OPENSSL_NO_CT */