2
0

ocspapitest.c 6.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236
  1. /*
  2. * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include <openssl/opensslconf.h>
  11. #include <openssl/crypto.h>
  12. #include <openssl/ocsp.h>
  13. #include <openssl/x509.h>
  14. #include <openssl/asn1.h>
  15. #include <openssl/pem.h>
  16. #include "testutil.h"
  17. static const char *certstr;
  18. static const char *privkeystr;
  19. #ifndef OPENSSL_NO_OCSP
  20. static int get_cert_and_key(X509 **cert_out, EVP_PKEY **key_out)
  21. {
  22. BIO *certbio, *keybio;
  23. X509 *cert = NULL;
  24. EVP_PKEY *key = NULL;
  25. if (!TEST_ptr(certbio = BIO_new_file(certstr, "r")))
  26. return 0;
  27. cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
  28. BIO_free(certbio);
  29. if (!TEST_ptr(keybio = BIO_new_file(privkeystr, "r")))
  30. goto end;
  31. key = PEM_read_bio_PrivateKey(keybio, NULL, NULL, NULL);
  32. BIO_free(keybio);
  33. if (!TEST_ptr(cert) || !TEST_ptr(key))
  34. goto end;
  35. *cert_out = cert;
  36. *key_out = key;
  37. return 1;
  38. end:
  39. X509_free(cert);
  40. EVP_PKEY_free(key);
  41. return 0;
  42. }
  43. static int get_cert(X509 **cert_out)
  44. {
  45. BIO *certbio;
  46. X509 *cert = NULL;
  47. if (!TEST_ptr(certbio = BIO_new_file(certstr, "r")))
  48. return 0;
  49. cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
  50. BIO_free(certbio);
  51. if (!TEST_ptr(cert))
  52. goto end;
  53. *cert_out = cert;
  54. return 1;
  55. end:
  56. X509_free(cert);
  57. return 0;
  58. }
  59. static OCSP_BASICRESP *make_dummy_resp(void)
  60. {
  61. const unsigned char namestr[] = "openssl.example.com";
  62. unsigned char keybytes[128] = {7};
  63. OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
  64. OCSP_BASICRESP *bs_out = NULL;
  65. OCSP_CERTID *cid = NULL;
  66. ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));
  67. ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);
  68. X509_NAME *name = X509_NAME_new();
  69. ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();
  70. ASN1_INTEGER *serial = ASN1_INTEGER_new();
  71. if (!TEST_ptr(name)
  72. || !TEST_ptr(key)
  73. || !TEST_ptr(serial)
  74. || !TEST_true(X509_NAME_add_entry_by_NID(name, NID_commonName,
  75. MBSTRING_ASC,
  76. namestr, -1, -1, 1))
  77. || !TEST_true(ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes)))
  78. || !TEST_true(ASN1_INTEGER_set_uint64(serial, (uint64_t)1)))
  79. goto err;
  80. cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
  81. if (!TEST_ptr(bs)
  82. || !TEST_ptr(thisupd)
  83. || !TEST_ptr(nextupd)
  84. || !TEST_ptr(cid)
  85. || !TEST_true(OCSP_basic_add1_status(bs, cid,
  86. V_OCSP_CERTSTATUS_UNKNOWN,
  87. 0, NULL, thisupd, nextupd)))
  88. goto err;
  89. bs_out = bs;
  90. bs = NULL;
  91. err:
  92. ASN1_TIME_free(thisupd);
  93. ASN1_TIME_free(nextupd);
  94. ASN1_BIT_STRING_free(key);
  95. ASN1_INTEGER_free(serial);
  96. OCSP_CERTID_free(cid);
  97. OCSP_BASICRESP_free(bs);
  98. X509_NAME_free(name);
  99. return bs_out;
  100. }
  101. static int test_resp_signer(void)
  102. {
  103. OCSP_BASICRESP *bs = NULL;
  104. X509 *signer = NULL, *tmp;
  105. EVP_PKEY *key = NULL;
  106. STACK_OF(X509) *extra_certs = NULL;
  107. int ret = 0;
  108. /*
  109. * Test a response with no certs at all; get the signer from the
  110. * extra certs given to OCSP_resp_get0_signer().
  111. */
  112. bs = make_dummy_resp();
  113. extra_certs = sk_X509_new_null();
  114. if (!TEST_ptr(bs)
  115. || !TEST_ptr(extra_certs)
  116. || !TEST_true(get_cert_and_key(&signer, &key))
  117. || !TEST_true(sk_X509_push(extra_certs, signer))
  118. || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
  119. NULL, OCSP_NOCERTS)))
  120. goto err;
  121. if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, extra_certs))
  122. || !TEST_int_eq(X509_cmp(tmp, signer), 0))
  123. goto err;
  124. OCSP_BASICRESP_free(bs);
  125. /* Do it again but include the signer cert */
  126. bs = make_dummy_resp();
  127. tmp = NULL;
  128. if (!TEST_ptr(bs)
  129. || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
  130. NULL, 0)))
  131. goto err;
  132. if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, NULL))
  133. || !TEST_int_eq(X509_cmp(tmp, signer), 0))
  134. goto err;
  135. ret = 1;
  136. err:
  137. OCSP_BASICRESP_free(bs);
  138. sk_X509_free(extra_certs);
  139. X509_free(signer);
  140. EVP_PKEY_free(key);
  141. return ret;
  142. }
  143. static int test_access_description(int testcase)
  144. {
  145. ACCESS_DESCRIPTION *ad = ACCESS_DESCRIPTION_new();
  146. int ret = 0;
  147. if (!TEST_ptr(ad))
  148. goto err;
  149. switch (testcase) {
  150. case 0: /* no change */
  151. break;
  152. case 1: /* check and release current location */
  153. if (!TEST_ptr(ad->location))
  154. goto err;
  155. GENERAL_NAME_free(ad->location);
  156. ad->location = NULL;
  157. break;
  158. case 2: /* replace current location */
  159. GENERAL_NAME_free(ad->location);
  160. ad->location = GENERAL_NAME_new();
  161. if (!TEST_ptr(ad->location))
  162. goto err;
  163. break;
  164. }
  165. ACCESS_DESCRIPTION_free(ad);
  166. ret = 1;
  167. err:
  168. return ret;
  169. }
  170. static int test_ocsp_url_svcloc_new(void)
  171. {
  172. static const char *urls[] = {
  173. "www.openssl.org",
  174. "www.openssl.net",
  175. NULL
  176. };
  177. X509 *issuer = NULL;
  178. X509_EXTENSION * ext = NULL;
  179. int ret = 0;
  180. if (!TEST_true(get_cert(&issuer)))
  181. goto err;
  182. /*
  183. * Test calling this ocsp method to catch any memory leak
  184. */
  185. ext = OCSP_url_svcloc_new(X509_get_issuer_name(issuer), urls);
  186. if (!TEST_ptr(ext))
  187. goto err;
  188. X509_EXTENSION_free(ext);
  189. ret = 1;
  190. err:
  191. X509_free(issuer);
  192. return ret;
  193. }
  194. #endif /* OPENSSL_NO_OCSP */
  195. OPT_TEST_DECLARE_USAGE("certfile privkeyfile\n")
  196. int setup_tests(void)
  197. {
  198. if (!test_skip_common_options()) {
  199. TEST_error("Error parsing test options\n");
  200. return 0;
  201. }
  202. if (!TEST_ptr(certstr = test_get_argument(0))
  203. || !TEST_ptr(privkeystr = test_get_argument(1)))
  204. return 0;
  205. #ifndef OPENSSL_NO_OCSP
  206. ADD_TEST(test_resp_signer);
  207. ADD_ALL_TESTS(test_access_description, 3);
  208. ADD_TEST(test_ocsp_url_svcloc_new);
  209. #endif
  210. return 1;
  211. }