ocspapitest.c 6.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232
  1. /*
  2. * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include <openssl/opensslconf.h>
  11. #include <openssl/crypto.h>
  12. #include <openssl/ocsp.h>
  13. #include <openssl/x509.h>
  14. #include <openssl/asn1.h>
  15. #include <openssl/pem.h>
  16. #include "testutil.h"
  17. static const char *certstr;
  18. static const char *privkeystr;
  19. #ifndef OPENSSL_NO_OCSP
  20. static int get_cert_and_key(X509 **cert_out, EVP_PKEY **key_out)
  21. {
  22. BIO *certbio, *keybio;
  23. X509 *cert = NULL;
  24. EVP_PKEY *key = NULL;
  25. if (!TEST_ptr(certbio = BIO_new_file(certstr, "r")))
  26. return 0;
  27. cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
  28. BIO_free(certbio);
  29. if (!TEST_ptr(keybio = BIO_new_file(privkeystr, "r")))
  30. goto end;
  31. key = PEM_read_bio_PrivateKey(keybio, NULL, NULL, NULL);
  32. BIO_free(keybio);
  33. if (!TEST_ptr(cert) || !TEST_ptr(key))
  34. goto end;
  35. *cert_out = cert;
  36. *key_out = key;
  37. return 1;
  38. end:
  39. X509_free(cert);
  40. EVP_PKEY_free(key);
  41. return 0;
  42. }
  43. static int get_cert(X509 **cert_out)
  44. {
  45. BIO *certbio;
  46. X509 *cert = NULL;
  47. if (!TEST_ptr(certbio = BIO_new_file(certstr, "r")))
  48. return 0;
  49. cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
  50. BIO_free(certbio);
  51. if (!TEST_ptr(cert))
  52. goto end;
  53. *cert_out = cert;
  54. return 1;
  55. end:
  56. X509_free(cert);
  57. return 0;
  58. }
  59. static OCSP_BASICRESP *make_dummy_resp(void)
  60. {
  61. const unsigned char namestr[] = "openssl.example.com";
  62. unsigned char keybytes[128] = {7};
  63. OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
  64. OCSP_BASICRESP *bs_out = NULL;
  65. OCSP_CERTID *cid = NULL;
  66. ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));
  67. ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);
  68. X509_NAME *name = X509_NAME_new();
  69. ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();
  70. ASN1_INTEGER *serial = ASN1_INTEGER_new();
  71. if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
  72. namestr, -1, -1, 1)
  73. || !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes))
  74. || !ASN1_INTEGER_set_uint64(serial, (uint64_t)1))
  75. goto err;
  76. cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
  77. if (!TEST_ptr(bs)
  78. || !TEST_ptr(thisupd)
  79. || !TEST_ptr(nextupd)
  80. || !TEST_ptr(cid)
  81. || !TEST_true(OCSP_basic_add1_status(bs, cid,
  82. V_OCSP_CERTSTATUS_UNKNOWN,
  83. 0, NULL, thisupd, nextupd)))
  84. goto err;
  85. bs_out = bs;
  86. bs = NULL;
  87. err:
  88. ASN1_TIME_free(thisupd);
  89. ASN1_TIME_free(nextupd);
  90. ASN1_BIT_STRING_free(key);
  91. ASN1_INTEGER_free(serial);
  92. OCSP_CERTID_free(cid);
  93. OCSP_BASICRESP_free(bs);
  94. X509_NAME_free(name);
  95. return bs_out;
  96. }
  97. static int test_resp_signer(void)
  98. {
  99. OCSP_BASICRESP *bs = NULL;
  100. X509 *signer = NULL, *tmp;
  101. EVP_PKEY *key = NULL;
  102. STACK_OF(X509) *extra_certs = NULL;
  103. int ret = 0;
  104. /*
  105. * Test a response with no certs at all; get the signer from the
  106. * extra certs given to OCSP_resp_get0_signer().
  107. */
  108. bs = make_dummy_resp();
  109. extra_certs = sk_X509_new_null();
  110. if (!TEST_ptr(bs)
  111. || !TEST_ptr(extra_certs)
  112. || !TEST_true(get_cert_and_key(&signer, &key))
  113. || !TEST_true(sk_X509_push(extra_certs, signer))
  114. || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
  115. NULL, OCSP_NOCERTS)))
  116. goto err;
  117. if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, extra_certs))
  118. || !TEST_int_eq(X509_cmp(tmp, signer), 0))
  119. goto err;
  120. OCSP_BASICRESP_free(bs);
  121. /* Do it again but include the signer cert */
  122. bs = make_dummy_resp();
  123. tmp = NULL;
  124. if (!TEST_ptr(bs)
  125. || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
  126. NULL, 0)))
  127. goto err;
  128. if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, NULL))
  129. || !TEST_int_eq(X509_cmp(tmp, signer), 0))
  130. goto err;
  131. ret = 1;
  132. err:
  133. OCSP_BASICRESP_free(bs);
  134. sk_X509_free(extra_certs);
  135. X509_free(signer);
  136. EVP_PKEY_free(key);
  137. return ret;
  138. }
  139. static int test_access_description(int testcase)
  140. {
  141. ACCESS_DESCRIPTION *ad = ACCESS_DESCRIPTION_new();
  142. int ret = 0;
  143. if (!TEST_ptr(ad))
  144. goto err;
  145. switch (testcase) {
  146. case 0: /* no change */
  147. break;
  148. case 1: /* check and release current location */
  149. if (!TEST_ptr(ad->location))
  150. goto err;
  151. GENERAL_NAME_free(ad->location);
  152. ad->location = NULL;
  153. break;
  154. case 2: /* replace current location */
  155. GENERAL_NAME_free(ad->location);
  156. ad->location = GENERAL_NAME_new();
  157. if (!TEST_ptr(ad->location))
  158. goto err;
  159. break;
  160. }
  161. ACCESS_DESCRIPTION_free(ad);
  162. ret = 1;
  163. err:
  164. return ret;
  165. }
  166. static int test_ocsp_url_svcloc_new(void)
  167. {
  168. static const char *urls[] = {
  169. "www.openssl.org",
  170. "www.openssl.net",
  171. NULL
  172. };
  173. X509 *issuer = NULL;
  174. X509_EXTENSION * ext = NULL;
  175. int ret = 0;
  176. if (!TEST_true(get_cert(&issuer)))
  177. goto err;
  178. /*
  179. * Test calling this ocsp method to catch any memory leak
  180. */
  181. ext = OCSP_url_svcloc_new(X509_get_issuer_name(issuer), urls);
  182. if (!TEST_ptr(ext))
  183. goto err;
  184. X509_EXTENSION_free(ext);
  185. ret = 1;
  186. err:
  187. X509_free(issuer);
  188. return ret;
  189. }
  190. #endif /* OPENSSL_NO_OCSP */
  191. OPT_TEST_DECLARE_USAGE("certfile privkeyfile\n")
  192. int setup_tests(void)
  193. {
  194. if (!test_skip_common_options()) {
  195. TEST_error("Error parsing test options\n");
  196. return 0;
  197. }
  198. if (!TEST_ptr(certstr = test_get_argument(0))
  199. || !TEST_ptr(privkeystr = test_get_argument(1)))
  200. return 0;
  201. #ifndef OPENSSL_NO_OCSP
  202. ADD_TEST(test_resp_signer);
  203. ADD_ALL_TESTS(test_access_description, 3);
  204. ADD_TEST(test_ocsp_url_svcloc_new);
  205. #endif
  206. return 1;
  207. }