projects / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Split ServerHello extensions
[openssl.git] / test / ct_test.c
1 /*
2  * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <ctype.h>
11 #include <math.h>
12 #include <stdio.h>
13 #include <stdlib.h>
14 #include <string.h>
15
16 #include <openssl/ct.h>
17 #include <openssl/err.h>
18 #include <openssl/pem.h>
19 #include <openssl/x509.h>
20 #include <openssl/x509v3.h>
21 #include "testutil.h"
22 #include "test_main_custom.h"
23
24 #ifndef OPENSSL_NO_CT
25 /* Used when declaring buffers to read text files into */
26 #define CT_TEST_MAX_FILE_SIZE 8096
27
28 static char *certs_dir = NULL;
29 static char *ct_dir = NULL;
30
31 typedef struct ct_test_fixture {
32     const char *test_case_name;
33     /* The current time in milliseconds */
34     uint64_t epoch_time_in_ms;
35     /* The CT log store to use during tests */
36     CTLOG_STORE* ctlog_store;
37     /* Set the following to test handling of SCTs in X509 certificates */
38     const char *certs_dir;
39     char *certificate_file;
40     char *issuer_file;
41     /* Expected number of SCTs */
42     int expected_sct_count;
43     /* Expected number of valid SCTS */
44     int expected_valid_sct_count;
45     /* Set the following to test handling of SCTs in TLS format */
46     const unsigned char *tls_sct_list;
47     size_t tls_sct_list_len;
48     STACK_OF(SCT) *sct_list;
49     /*
50      * A file to load the expected SCT text from.
51      * This text will be compared to the actual text output during the test.
52      * A maximum of |CT_TEST_MAX_FILE_SIZE| bytes will be read of this file.
53      */
54     const char *sct_dir;
55     const char *sct_text_file;
56     /* Whether to test the validity of the SCT(s) */
57     int test_validity;
58 } CT_TEST_FIXTURE;
59
60 static CT_TEST_FIXTURE set_up(const char *const test_case_name)
61 {
62     CT_TEST_FIXTURE fixture;
63     int setup_ok = 1;
64
65     memset(&fixture, 0, sizeof(fixture));
66
67     fixture.test_case_name = test_case_name;
68     fixture.epoch_time_in_ms = 1473269626000; /* Sep 7 17:33:46 2016 GMT */
69     fixture.ctlog_store = CTLOG_STORE_new();
70
71     if (fixture.ctlog_store == NULL) {
72         setup_ok = 0;
73         fprintf(stderr, "Failed to create a new CT log store\n");
74         goto end;
75     }
76
77     if (CTLOG_STORE_load_default_file(fixture.ctlog_store) != 1) {
78         setup_ok = 0;
79         fprintf(stderr, "Failed to load CT log list\n");
80         goto end;
81     }
82
83 end:
84     if (!setup_ok) {
85         CTLOG_STORE_free(fixture.ctlog_store);
86         exit(EXIT_FAILURE);
87     }
88     return fixture;
89 }
90
91 static void tear_down(CT_TEST_FIXTURE fixture)
92 {
93     CTLOG_STORE_free(fixture.ctlog_store);
94     SCT_LIST_free(fixture.sct_list);
95 }
96
97 static char *mk_file_path(const char *dir, const char *file)
98 {
99     char *full_file = NULL;
100     size_t full_file_l = 0;
101     const char *sep = "";
102 #ifndef OPENSSL_SYS_VMS
103     sep = "/";
104 #endif
105
106     full_file_l = strlen(dir) + strlen(sep) + strlen(file) + 1;
107     full_file = OPENSSL_zalloc(full_file_l);
108     if (full_file != NULL) {
109         OPENSSL_strlcpy(full_file, dir, full_file_l);
110         OPENSSL_strlcat(full_file, sep, full_file_l);
111         OPENSSL_strlcat(full_file, file, full_file_l);
112     }
113
114     return full_file;
115 }
116
117 static X509 *load_pem_cert(const char *dir, const char *file)
118 {
119     X509 *cert = NULL;
120     char *file_path = mk_file_path(dir, file);
121
122     if (file_path != NULL) {
123         BIO *cert_io = BIO_new_file(file_path, "r");
124         OPENSSL_free(file_path);
125
126         if (cert_io != NULL)
127             cert = PEM_read_bio_X509(cert_io, NULL, NULL, NULL);
128
129         BIO_free(cert_io);
130     }
131     return cert;
132 }
133
134 static int read_text_file(const char *dir, const char *file,
135                           char *buffer, int buffer_length)
136 {
137     int result = -1;
138     char *file_path = mk_file_path(dir, file);
139
140     if (file_path != NULL) {
141         BIO *file_io = BIO_new_file(file_path, "r");
142         OPENSSL_free(file_path);
143
144         if (file_io != NULL) {
145             result = BIO_read(file_io, buffer, buffer_length);
146             BIO_free(file_io);
147         }
148     }
149
150     return result;
151 }
152
153 static int compare_sct_list_printout(STACK_OF(SCT) *sct,
154     const char *expected_output)
155 {
156     BIO *text_buffer = NULL;
157     char *actual_output = NULL;
158     int result = 1;
159
160     text_buffer = BIO_new(BIO_s_mem());
161     if (text_buffer == NULL) {
162         fprintf(stderr, "Unable to allocate buffer\n");
163         goto end;
164     }
165
166     SCT_LIST_print(sct, text_buffer, 0, "\n", NULL);
167
168     /* Append null terminator because we're about to use the buffer contents
169     * as a string. */
170     if (BIO_write(text_buffer, "\0", 1) != 1) {
171         fprintf(stderr, "Failed to append null terminator to SCT text\n");
172         goto end;
173     }
174
175     BIO_get_mem_data(text_buffer, &actual_output);
176     result = strcmp(actual_output, expected_output);
177
178     if (result != 0) {
179         fprintf(stderr,
180             "Expected SCT printout:\n%s\nActual SCT printout:\n%s\n",
181             expected_output, actual_output);
182     }
183
184 end:
185     BIO_free(text_buffer);
186     return result;
187 }
188
189 static int compare_extension_printout(X509_EXTENSION *extension,
190                                       const char *expected_output)
191 {
192     BIO *text_buffer = NULL;
193     char *actual_output = NULL;
194     int result = 1;
195
196     text_buffer = BIO_new(BIO_s_mem());
197     if (text_buffer == NULL) {
198         fprintf(stderr, "Unable to allocate buffer\n");
199         goto end;
200     }
201
202     if (!X509V3_EXT_print(text_buffer, extension, X509V3_EXT_DEFAULT, 0)) {
203         fprintf(stderr, "Failed to print extension\n");
204         goto end;
205     }
206
207     /* Append null terminator because we're about to use the buffer contents
208      * as a string. */
209     if (BIO_write(text_buffer, "\0", 1) != 1) {
210         fprintf(stderr,
211                 "Failed to append null terminator to extension text\n");
212         goto end;
213     }
214
215     BIO_get_mem_data(text_buffer, &actual_output);
216     result = strcmp(actual_output, expected_output);
217
218     if (result != 0) {
219         fprintf(stderr,
220                 "Expected SCT printout:\n%s\nActual SCT printout:\n%s\n",
221                 expected_output, actual_output);
222     }
223
224 end:
225     BIO_free(text_buffer);
226     return result;
227 }
228
229 static int assert_validity(CT_TEST_FIXTURE fixture,
230                            STACK_OF(SCT) *scts,
231                            CT_POLICY_EVAL_CTX *policy_ctx) {
232     int invalid_sct_count = 0;
233     int valid_sct_count = 0;
234     int i;
235
236     if (SCT_LIST_validate(scts, policy_ctx) < 0) {
237         fprintf(stderr, "Error verifying SCTs\n");
238         return 0;
239     }
240
241     for (i = 0; i < sk_SCT_num(scts); ++i) {
242         SCT *sct_i = sk_SCT_value(scts, i);
243         switch (SCT_get_validation_status(sct_i)) {
244         case SCT_VALIDATION_STATUS_VALID:
245             ++valid_sct_count;
246             break;
247         case SCT_VALIDATION_STATUS_INVALID:
248             ++invalid_sct_count;
249             break;
250         case SCT_VALIDATION_STATUS_NOT_SET:
251         case SCT_VALIDATION_STATUS_UNKNOWN_LOG:
252         case SCT_VALIDATION_STATUS_UNVERIFIED:
253         case SCT_VALIDATION_STATUS_UNKNOWN_VERSION:
254             /* Ignore other validation statuses. */
255             break;
256         }
257     }
258
259     if (valid_sct_count != fixture.expected_valid_sct_count) {
260         int unverified_sct_count = sk_SCT_num(scts) -
261                 invalid_sct_count - valid_sct_count;
262
263         fprintf(stderr,
264                 "%d SCTs failed verification\n"
265                 "%d SCTs passed verification (%d expected)\n"
266                 "%d SCTs were unverified\n",
267                 invalid_sct_count,
268                 valid_sct_count,
269                 fixture.expected_valid_sct_count,
270                 unverified_sct_count);
271         return 0;
272     }
273
274     return 1;
275 }
276
277 static int execute_cert_test(CT_TEST_FIXTURE fixture)
278 {
279     int success = 0;
280     X509 *cert = NULL, *issuer = NULL;
281     STACK_OF(SCT) *scts = NULL;
282     SCT *sct = NULL;
283     char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
284     int sct_text_len = 0;
285     unsigned char *tls_sct_list = NULL;
286     size_t tls_sct_list_len = 0;
287     CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
288
289     if (fixture.sct_text_file != NULL) {
290         sct_text_len = read_text_file(fixture.sct_dir, fixture.sct_text_file,
291                                       expected_sct_text,
292                                       CT_TEST_MAX_FILE_SIZE - 1);
293
294         if (sct_text_len < 0) {
295             fprintf(stderr, "Test data file not found: %s\n",
296                 fixture.sct_text_file);
297             goto end;
298         }
299
300         expected_sct_text[sct_text_len] = '\0';
301     }
302
303     CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(
304             ct_policy_ctx, fixture.ctlog_store);
305
306     CT_POLICY_EVAL_CTX_set_time(ct_policy_ctx, fixture.epoch_time_in_ms);
307
308     if (fixture.certificate_file != NULL) {
309         int sct_extension_index;
310         X509_EXTENSION *sct_extension = NULL;
311         cert = load_pem_cert(fixture.certs_dir, fixture.certificate_file);
312
313         if (cert == NULL) {
314             fprintf(stderr, "Unable to load certificate: %s\n",
315                 fixture.certificate_file);
316             goto end;
317         }
318
319         CT_POLICY_EVAL_CTX_set1_cert(ct_policy_ctx, cert);
320
321         if (fixture.issuer_file != NULL) {
322             issuer = load_pem_cert(fixture.certs_dir, fixture.issuer_file);
323
324             if (issuer == NULL) {
325                 fprintf(stderr, "Unable to load issuer certificate: %s\n",
326                         fixture.issuer_file);
327                 goto end;
328             }
329
330             CT_POLICY_EVAL_CTX_set1_issuer(ct_policy_ctx, issuer);
331         }
332
333         sct_extension_index =
334                 X509_get_ext_by_NID(cert, NID_ct_precert_scts, -1);
335         sct_extension = X509_get_ext(cert, sct_extension_index);
336         if (fixture.expected_sct_count > 0) {
337             if (sct_extension == NULL) {
338                 fprintf(stderr, "SCT extension not found in: %s\n",
339                     fixture.certificate_file);
340                 goto end;
341             }
342
343             if (fixture.sct_text_file
344                 && compare_extension_printout(sct_extension,
345                                               expected_sct_text)) {
346                     goto end;
347             }
348
349             if (fixture.test_validity) {
350                 int i;
351
352                 scts = X509V3_EXT_d2i(sct_extension);
353                 for (i = 0; i < sk_SCT_num(scts); ++i) {
354                     SCT *sct_i = sk_SCT_value(scts, i);
355
356                     if (!SCT_set_source(sct_i, SCT_SOURCE_X509V3_EXTENSION)) {
357                         fprintf(stderr,
358                                 "Error setting SCT source to X509v3 extension\n");
359                         goto end;
360                     }
361                 }
362
363                 if (!assert_validity(fixture, scts, ct_policy_ctx))
364                     goto end;
365             }
366         } else if (sct_extension != NULL) {
367             fprintf(stderr,
368                     "Expected no SCTs, but found SCT extension in: %s\n",
369                     fixture.certificate_file);
370             goto end;
371         }
372     }
373
374     if (fixture.tls_sct_list != NULL) {
375         const unsigned char *p = fixture.tls_sct_list;
376         if (o2i_SCT_LIST(&scts, &p, fixture.tls_sct_list_len) == NULL) {
377             fprintf(stderr, "Failed to decode SCTs from TLS format\n");
378             goto end;
379         }
380
381         if (fixture.test_validity && cert != NULL) {
382             if (!assert_validity(fixture, scts, ct_policy_ctx))
383                 goto end;
384         }
385
386         if (fixture.sct_text_file
387             && compare_sct_list_printout(scts, expected_sct_text)) {
388                 goto end;
389         }
390
391         tls_sct_list_len = i2o_SCT_LIST(scts, &tls_sct_list);
392         if (tls_sct_list_len != fixture.tls_sct_list_len ||
393             memcmp(fixture.tls_sct_list, tls_sct_list, tls_sct_list_len) != 0) {
394             fprintf(stderr,
395                     "Failed to encode SCTs into TLS format correctly\n");
396             goto end;
397         }
398     }
399     success = 1;
400
401 end:
402     X509_free(cert);
403     X509_free(issuer);
404     SCT_LIST_free(scts);
405     SCT_free(sct);
406     CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
407     OPENSSL_free(tls_sct_list);
408     return success;
409 }
410
411 #define SETUP_CT_TEST_FIXTURE() SETUP_TEST_FIXTURE(CT_TEST_FIXTURE, set_up)
412 #define EXECUTE_CT_TEST() EXECUTE_TEST(execute_cert_test, tear_down)
413
414 static int test_no_scts_in_certificate()
415 {
416     SETUP_CT_TEST_FIXTURE();
417     fixture.certs_dir = certs_dir;
418     fixture.certificate_file = "leaf.pem";
419     fixture.issuer_file = "subinterCA.pem";
420     fixture.expected_sct_count = 0;
421     EXECUTE_CT_TEST();
422 }
423
424 static int test_one_sct_in_certificate()
425 {
426     SETUP_CT_TEST_FIXTURE();
427     fixture.certs_dir = certs_dir;
428     fixture.certificate_file = "embeddedSCTs1.pem";
429     fixture.issuer_file = "embeddedSCTs1_issuer.pem";
430     fixture.expected_sct_count = 1;
431     fixture.sct_dir = certs_dir;
432     fixture.sct_text_file = "embeddedSCTs1.sct";
433     EXECUTE_CT_TEST();
434 }
435
436 static int test_multiple_scts_in_certificate()
437 {
438     SETUP_CT_TEST_FIXTURE();
439     fixture.certs_dir = certs_dir;
440     fixture.certificate_file = "embeddedSCTs3.pem";
441     fixture.issuer_file = "embeddedSCTs3_issuer.pem";
442     fixture.expected_sct_count = 3;
443     fixture.sct_dir = certs_dir;
444     fixture.sct_text_file = "embeddedSCTs3.sct";
445     EXECUTE_CT_TEST();
446 }
447
448 static int test_verify_one_sct()
449 {
450     SETUP_CT_TEST_FIXTURE();
451     fixture.certs_dir = certs_dir;
452     fixture.certificate_file = "embeddedSCTs1.pem";
453     fixture.issuer_file = "embeddedSCTs1_issuer.pem";
454     fixture.expected_sct_count = fixture.expected_valid_sct_count = 1;
455     fixture.test_validity = 1;
456     EXECUTE_CT_TEST();
457 }
458
459 static int test_verify_multiple_scts()
460 {
461     SETUP_CT_TEST_FIXTURE();
462     fixture.certs_dir = certs_dir;
463     fixture.certificate_file = "embeddedSCTs3.pem";
464     fixture.issuer_file = "embeddedSCTs3_issuer.pem";
465     fixture.expected_sct_count = fixture.expected_valid_sct_count = 3;
466     fixture.test_validity = 1;
467     EXECUTE_CT_TEST();
468 }
469
470 static int test_verify_fails_for_future_sct()
471 {
472     SETUP_CT_TEST_FIXTURE();
473     fixture.epoch_time_in_ms = 1365094800000; /* Apr 4 17:00:00 2013 GMT */
474     fixture.certs_dir = certs_dir;
475     fixture.certificate_file = "embeddedSCTs1.pem";
476     fixture.issuer_file = "embeddedSCTs1_issuer.pem";
477     fixture.expected_sct_count = 1;
478     fixture.expected_valid_sct_count = 0;
479     fixture.test_validity = 1;
480     EXECUTE_CT_TEST();
481 }
482
483 static int test_decode_tls_sct()
484 {
485     const unsigned char tls_sct_list[] = "\x00\x78" /* length of list */
486         "\x00\x76"
487         "\x00" /* version */
488         /* log ID */
489         "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
490         "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64"
491         "\x00\x00\x01\x3D\xDB\x27\xDF\x93" /* timestamp */
492         "\x00\x00" /* extensions length */
493         "" /* extensions */
494         "\x04\x03" /* hash and signature algorithms */
495         "\x00\x47" /* signature length */
496         /* signature */
497         "\x30\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE\x1F\xD6"
498         "\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3\xE5\xE2"
499         "\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB"
500         "\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89"
501         "\xED\xBF\x08";
502
503     SETUP_CT_TEST_FIXTURE();
504     fixture.tls_sct_list = tls_sct_list;
505     fixture.tls_sct_list_len = 0x7a;
506     fixture.sct_dir = ct_dir;
507     fixture.sct_text_file = "tls1.sct";
508     EXECUTE_CT_TEST();
509 }
510
511 static int test_encode_tls_sct()
512 {
513     const char log_id[] = "3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4LvT9012Q=";
514     const uint64_t timestamp = 1;
515     const char extensions[] = "";
516     const char signature[] = "BAMARzBAMiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUwKI+j5"
517             "eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8I";
518     SCT *sct = NULL;
519
520     SETUP_CT_TEST_FIXTURE();
521
522     fixture.sct_list = sk_SCT_new_null();
523     sct = SCT_new_from_base64(SCT_VERSION_V1, log_id,
524                               CT_LOG_ENTRY_TYPE_X509, timestamp,
525                               extensions, signature);
526
527     if (sct == NULL) {
528         tear_down(fixture);
529         fprintf(stderr, "Failed to create SCT from base64-encoded test data\n");
530         return 0;
531     }
532
533     sk_SCT_push(fixture.sct_list, sct);
534     fixture.sct_dir = ct_dir;
535     fixture.sct_text_file = "tls1.sct";
536     EXECUTE_CT_TEST();
537 }
538
539 /*
540  * Tests that the CT_POLICY_EVAL_CTX default time is approximately now.
541  * Allow +-10 minutes, as it may compensate for clock skew.
542  */
543 static int test_default_ct_policy_eval_ctx_time_is_now()
544 {
545     int success = 0;
546     CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
547     const time_t default_time = CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) /
548             1000;
549     const time_t time_tolerance = 600;  /* 10 minutes */
550
551     if (fabs(difftime(time(NULL), default_time)) > time_tolerance) {
552         fprintf(stderr,
553                 "Default CT_POLICY_EVAL_CTX time is not approximately now.\n");
554         goto end;
555     }
556
557     success = 1;
558 end:
559     CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
560     return success;
561 }
562
563 int test_main(int argc, char *argv[])
564 {
565     int result = 0;
566     char *tmp_env;
567
568     tmp_env = getenv("CT_DIR");
569     ct_dir = OPENSSL_strdup(tmp_env != NULL ? tmp_env : "ct");
570     tmp_env = getenv("CERTS_DIR");
571     certs_dir = OPENSSL_strdup(tmp_env != NULL ? tmp_env : "certs");
572
573     ADD_TEST(test_no_scts_in_certificate);
574     ADD_TEST(test_one_sct_in_certificate);
575     ADD_TEST(test_multiple_scts_in_certificate);
576     ADD_TEST(test_verify_one_sct);
577     ADD_TEST(test_verify_multiple_scts);
578     ADD_TEST(test_verify_fails_for_future_sct);
579     ADD_TEST(test_decode_tls_sct);
580     ADD_TEST(test_encode_tls_sct);
581     ADD_TEST(test_default_ct_policy_eval_ctx_time_is_now);
582
583     result = run_tests(argv[0]);
584
585     OPENSSL_free(ct_dir);
586     OPENSSL_free(certs_dir);
587
588     return result;
589 }
590 #else
591 int test_main(int argc, char *argv[])
592 {
593     printf("No CT support\n");
594     return 0;
595 }
596 #endif
Unnamed repository; edit this file 'description' to name the repository.