|
@@ -50608,7 +50608,7 @@ static int test_X509_STORE_No_SSL_CTX(void)
|
|
|
const char cliCrlPem[] = "./certs/crl/cliCrl.pem";
|
|
|
const char srvCert[] = "./certs/server-cert.pem";
|
|
|
const char caCert[] = "./certs/ca-cert.pem";
|
|
|
- const char caDir[] = "./certs/crl";
|
|
|
+ const char caDir[] = "./certs/crl/hash_pem/";
|
|
|
XFILE fp;
|
|
|
X509_LOOKUP *lookup;
|
|
|
|
|
@@ -50622,7 +50622,8 @@ static int test_X509_STORE_No_SSL_CTX(void)
|
|
|
AssertIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS);
|
|
|
|
|
|
/* Add CRL lookup directory to store
|
|
|
- NOTE: test uses ./certs/crl/0fdb2da4.r0, which is a copy of crl.pem */
|
|
|
+ NOTE: test uses ./certs/crl/hash_pem/0fdb2da4.r0, which is a copy
|
|
|
+ of crl.pem */
|
|
|
AssertNotNull((lookup = X509_STORE_add_lookup(store,
|
|
|
X509_LOOKUP_hash_dir())));
|
|
|
AssertIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, caDir,
|
|
@@ -50663,6 +50664,121 @@ static int test_X509_STORE_No_SSL_CTX(void)
|
|
|
return 0;
|
|
|
}
|
|
|
|
|
|
+/* Basically the same test as test_X509_STORE_No_SSL_CTX, but with
|
|
|
+ * X509_LOOKUP_add_dir and X509_FILETYPE_ASN1. */
|
|
|
+static int test_X509_LOOKUP_add_dir(void)
|
|
|
+{
|
|
|
+#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && \
|
|
|
+ !defined(NO_WOLFSSL_DIR) && defined(HAVE_CRL) && \
|
|
|
+ (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
|
|
|
+ (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL))
|
|
|
+
|
|
|
+ X509_STORE * store;
|
|
|
+ X509_STORE_CTX * storeCtx;
|
|
|
+ X509_CRL * crl;
|
|
|
+ X509 *ca, * cert;
|
|
|
+ const char cliCrlPem[] = "./certs/crl/cliCrl.pem";
|
|
|
+ const char srvCert[] = "./certs/server-cert.pem";
|
|
|
+ const char caCert[] = "./certs/ca-cert.pem";
|
|
|
+ const char caDir[] = "./certs/crl/hash_der/";
|
|
|
+ XFILE fp;
|
|
|
+ X509_LOOKUP * lookup;
|
|
|
+
|
|
|
+ printf(testingFmt, "test_X509_LOOKUP_add_dir");
|
|
|
+
|
|
|
+ AssertNotNull(store = (X509_STORE *)X509_STORE_new());
|
|
|
+
|
|
|
+ /* Set up store with CA */
|
|
|
+ AssertNotNull((ca = wolfSSL_X509_load_certificate_file(caCert,
|
|
|
+ SSL_FILETYPE_PEM)));
|
|
|
+ AssertIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS);
|
|
|
+
|
|
|
+ /* Add CRL lookup directory to store.
|
|
|
+ Test uses ./certs/crl/hash_der/0fdb2da4.r0, which is a copy
|
|
|
+ of crl.der */
|
|
|
+ AssertNotNull((lookup = X509_STORE_add_lookup(store,
|
|
|
+ X509_LOOKUP_hash_dir())));
|
|
|
+
|
|
|
+ AssertIntEQ(X509_LOOKUP_add_dir(lookup, caDir, X509_FILETYPE_ASN1),
|
|
|
+ SSL_SUCCESS);
|
|
|
+
|
|
|
+ AssertIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK),
|
|
|
+ SSL_SUCCESS);
|
|
|
+
|
|
|
+ /* Add CRL to store NOT containing the verified certificate, which
|
|
|
+ forces use of the CRL lookup directory */
|
|
|
+ fp = XFOPEN(cliCrlPem, "rb");
|
|
|
+ AssertTrue((fp != XBADFILE));
|
|
|
+ AssertNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL,
|
|
|
+ NULL, NULL));
|
|
|
+ XFCLOSE(fp);
|
|
|
+ AssertIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS);
|
|
|
+
|
|
|
+ /* Create verification context outside of an SSL session */
|
|
|
+ AssertNotNull((storeCtx = X509_STORE_CTX_new()));
|
|
|
+ AssertNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert,
|
|
|
+ SSL_FILETYPE_PEM)));
|
|
|
+ AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS);
|
|
|
+
|
|
|
+ /* Perform verification, which should NOT return CRL missing */
|
|
|
+ AssertIntNE(X509_verify_cert(storeCtx), CRL_MISSING);
|
|
|
+
|
|
|
+ X509_CRL_free(crl);
|
|
|
+ X509_STORE_free(store);
|
|
|
+ X509_STORE_CTX_free(storeCtx);
|
|
|
+ X509_free(cert);
|
|
|
+ X509_free(ca);
|
|
|
+
|
|
|
+ /* Now repeat the same, but look for X509_FILETYPE_PEM.
|
|
|
+ * We should get CRL_MISSING at the end, because the lookup
|
|
|
+ * dir has only ASN1 CRLs. */
|
|
|
+
|
|
|
+ AssertNotNull(store = (X509_STORE *)X509_STORE_new());
|
|
|
+
|
|
|
+ AssertNotNull((ca = wolfSSL_X509_load_certificate_file(caCert,
|
|
|
+ SSL_FILETYPE_PEM)));
|
|
|
+ AssertIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS);
|
|
|
+
|
|
|
+ AssertNotNull((lookup = X509_STORE_add_lookup(store,
|
|
|
+ X509_LOOKUP_hash_dir())));
|
|
|
+
|
|
|
+ AssertIntEQ(X509_LOOKUP_add_dir(lookup, caDir, X509_FILETYPE_PEM),
|
|
|
+ SSL_SUCCESS);
|
|
|
+
|
|
|
+ AssertIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK),
|
|
|
+ SSL_SUCCESS);
|
|
|
+
|
|
|
+ fp = XFOPEN(cliCrlPem, "rb");
|
|
|
+ AssertTrue((fp != XBADFILE));
|
|
|
+ AssertNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL,
|
|
|
+ NULL, NULL));
|
|
|
+ XFCLOSE(fp);
|
|
|
+ AssertIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS);
|
|
|
+
|
|
|
+ AssertNotNull((storeCtx = X509_STORE_CTX_new()));
|
|
|
+ AssertNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert,
|
|
|
+ SSL_FILETYPE_PEM)));
|
|
|
+ AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS);
|
|
|
+
|
|
|
+ /* Now we SHOULD get CRL_MISSING, because we looked for PEM
|
|
|
+ in dir containing only ASN1/DER. */
|
|
|
+ AssertIntEQ(X509_verify_cert(storeCtx), CRL_MISSING);
|
|
|
+
|
|
|
+ X509_CRL_free(crl);
|
|
|
+ X509_STORE_free(store);
|
|
|
+ X509_STORE_CTX_free(storeCtx);
|
|
|
+ X509_free(cert);
|
|
|
+ X509_free(ca);
|
|
|
+
|
|
|
+ printf(resultFmt, passed);
|
|
|
+
|
|
|
+#endif
|
|
|
+
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
/*----------------------------------------------------------------------------*
|
|
|
| Certificate Failure Checks
|
|
|
*----------------------------------------------------------------------------*/
|
|
@@ -60801,6 +60917,7 @@ TEST_CASE testCases[] = {
|
|
|
|
|
|
/* OpenSSL compatibility outside SSL context w/ CRL lookup directory */
|
|
|
TEST_DECL(test_X509_STORE_No_SSL_CTX),
|
|
|
+ TEST_DECL(test_X509_LOOKUP_add_dir),
|
|
|
|
|
|
/* wolfCrypt ASN tests */
|
|
|
TEST_DECL(test_wc_CreateEncryptedPKCS8Key),
|