/*
 * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
9*e0c4386eSCy Schubert
10*e0c4386eSCy Schubert #include <string.h>
11*e0c4386eSCy Schubert
12*e0c4386eSCy Schubert #include <openssl/opensslconf.h>
13*e0c4386eSCy Schubert #include <openssl/crypto.h>
14*e0c4386eSCy Schubert #include <openssl/ocsp.h>
15*e0c4386eSCy Schubert #include <openssl/x509.h>
16*e0c4386eSCy Schubert #include <openssl/asn1.h>
17*e0c4386eSCy Schubert #include <openssl/pem.h>
18*e0c4386eSCy Schubert
19*e0c4386eSCy Schubert #include "testutil.h"
20*e0c4386eSCy Schubert
/*
 * Paths of the PEM certificate and PEM private key used by the tests.
 * Both are filled in by setup_tests() from the first and second
 * command-line arguments and are read by get_cert_and_key()/get_cert().
 */
static const char *certstr;
static const char *privkeystr;
23*e0c4386eSCy Schubert
24*e0c4386eSCy Schubert #ifndef OPENSSL_NO_OCSP
/*
 * Load the test certificate from |certstr| and the private key from
 * |privkeystr| (both PEM files named on the command line).
 *
 * On success the newly allocated objects are stored in *cert_out and
 * *key_out, ownership passes to the caller and 1 is returned.  On failure
 * 0 is returned, nothing is stored and anything loaded so far is freed.
 * Note that both files are opened and parsed before either parse result is
 * checked, so a bad certificate still causes the key file to be read.
 */
static int get_cert_and_key(X509 **cert_out, EVP_PKEY **key_out)
{
    BIO *in;
    X509 *loaded_cert = NULL;
    EVP_PKEY *loaded_key = NULL;
    int ok = 0;

    in = BIO_new_file(certstr, "r");
    if (!TEST_ptr(in))
        return 0;
    loaded_cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
    BIO_free(in);

    in = BIO_new_file(privkeystr, "r");
    if (!TEST_ptr(in))
        goto done;
    loaded_key = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
    BIO_free(in);

    /* Short-circuits like the original: a missing cert is reported first. */
    ok = TEST_ptr(loaded_cert) && TEST_ptr(loaded_key);
    if (ok) {
        *cert_out = loaded_cert;
        *key_out = loaded_key;
        loaded_cert = NULL;
        loaded_key = NULL;
    }
 done:
    /* Both frees are NULL-safe, so this covers every exit path. */
    X509_free(loaded_cert);
    EVP_PKEY_free(loaded_key);
    return ok;
}
49*e0c4386eSCy Schubert
/*
 * Load only the test certificate from the PEM file named by |certstr|.
 *
 * Returns 1 and stores the new X509 (owned by the caller) in *cert_out, or
 * returns 0 when the file cannot be opened or does not parse.
 */
static int get_cert(X509 **cert_out)
{
    BIO *in = BIO_new_file(certstr, "r");
    X509 *loaded_cert;

    if (!TEST_ptr(in))
        return 0;
    loaded_cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
    BIO_free(in);

    if (!TEST_ptr(loaded_cert)) {
        /* X509_free(NULL) is a no-op; kept for symmetry with the key loader */
        X509_free(loaded_cert);
        return 0;
    }
    *cert_out = loaded_cert;
    return 1;
}
67*e0c4386eSCy Schubert
/*
 * Build an unsigned OCSP basic response carrying a single status entry.
 *
 * The entry identifies a fictitious certificate by a synthetic issuer name
 * (CN=openssl.example.com), a fixed 128-byte "issuer key" and serial 1,
 * hashed with SHA-256; its status is V_OCSP_CERTSTATUS_UNKNOWN with
 * thisUpdate = now and nextUpdate = now + 200 seconds.
 *
 * Returns the response (owned by the caller) or NULL on failure; every
 * intermediate object is released before returning either way.
 */
static OCSP_BASICRESP *make_dummy_resp(void)
{
    const unsigned char common_name[] = "openssl.example.com";
    unsigned char issuer_key_bytes[128] = {7};
    OCSP_BASICRESP *resp = OCSP_BASICRESP_new();
    OCSP_BASICRESP *result = NULL;
    OCSP_CERTID *cert_id = NULL;
    ASN1_TIME *this_update = ASN1_TIME_set(NULL, time(NULL));
    ASN1_TIME *next_update = ASN1_TIME_set(NULL, time(NULL) + 200);
    X509_NAME *issuer = X509_NAME_new();
    ASN1_BIT_STRING *issuer_key = ASN1_BIT_STRING_new();
    ASN1_INTEGER *serial = ASN1_INTEGER_new();
    int ok;

    /* Step 1: the components that identify the (fictitious) certificate. */
    ok = TEST_ptr(issuer)
         && TEST_ptr(issuer_key)
         && TEST_ptr(serial)
         && TEST_true(X509_NAME_add_entry_by_NID(issuer, NID_commonName,
                                                 MBSTRING_ASC, common_name,
                                                 -1, -1, 1))
         && TEST_true(ASN1_BIT_STRING_set(issuer_key, issuer_key_bytes,
                                          sizeof(issuer_key_bytes)))
         && TEST_true(ASN1_INTEGER_set_uint64(serial, (uint64_t)1));

    /* Step 2: derive the CertID and attach one status entry to the response. */
    if (ok) {
        cert_id = OCSP_cert_id_new(EVP_sha256(), issuer, issuer_key, serial);
        ok = TEST_ptr(resp)
             && TEST_ptr(this_update)
             && TEST_ptr(next_update)
             && TEST_ptr(cert_id)
             && TEST_true(OCSP_basic_add1_status(resp, cert_id,
                                                 V_OCSP_CERTSTATUS_UNKNOWN,
                                                 0, NULL, this_update,
                                                 next_update));
    }

    if (ok) {
        /* Hand the response to the caller; the cleanup below then skips it. */
        result = resp;
        resp = NULL;
    }

    /* OCSP_basic_add1_status() copies what it needs, so these are all ours. */
    X509_NAME_free(issuer);
    ASN1_BIT_STRING_free(issuer_key);
    ASN1_INTEGER_free(serial);
    OCSP_CERTID_free(cert_id);
    ASN1_TIME_free(this_update);
    ASN1_TIME_free(next_update);
    OCSP_BASICRESP_free(resp);
    return result;
}
111*e0c4386eSCy Schubert
/*
 * Return 1 if OCSP_resp_get0_signer() finds, in |resp| or in |extra|
 * (which may be NULL), a certificate that X509_cmp() reports equal to
 * |expected|; the lookup failure and the mismatch are reported separately.
 */
static int signer_matches(OCSP_BASICRESP *resp, X509 *expected,
                          STACK_OF(X509) *extra)
{
    X509 *found = NULL;

    return TEST_true(OCSP_resp_get0_signer(resp, &found, extra))
           && TEST_int_eq(X509_cmp(found, expected), 0);
}

/*
 * Check OCSP_resp_get0_signer() for the two ways a signer can be located:
 * first from a caller-supplied certificate stack when the response was
 * signed with OCSP_NOCERTS (no certs embedded), then from the certificates
 * embedded in the response itself.
 */
static int test_resp_signer(void)
{
    OCSP_BASICRESP *resp = NULL;
    X509 *signer = NULL;
    EVP_PKEY *signer_key = NULL;
    STACK_OF(X509) *extra_certs = NULL;
    int ret = 0;

    /* Round 1: response without certs; signer must come from extra_certs. */
    resp = make_dummy_resp();
    extra_certs = sk_X509_new_null();
    if (!TEST_ptr(resp) || !TEST_ptr(extra_certs))
        goto err;
    if (!TEST_true(get_cert_and_key(&signer, &signer_key))
        || !TEST_true(sk_X509_push(extra_certs, signer))
        || !TEST_true(OCSP_basic_sign(resp, signer, signer_key, EVP_sha1(),
                                      NULL, OCSP_NOCERTS)))
        goto err;
    if (!signer_matches(resp, signer, extra_certs))
        goto err;
    OCSP_BASICRESP_free(resp);

    /* Round 2: same signer, but this time embedded in the response. */
    resp = make_dummy_resp();
    if (!TEST_ptr(resp)
        || !TEST_true(OCSP_basic_sign(resp, signer, signer_key, EVP_sha1(),
                                      NULL, 0)))
        goto err;
    if (!signer_matches(resp, signer, NULL))
        goto err;
    ret = 1;
 err:
    OCSP_BASICRESP_free(resp);
    /*
     * sk_X509_push() did not take a reference, so the stack does not own
     * |signer|: free only the stack here and the certificate once below.
     */
    sk_X509_free(extra_certs);
    X509_free(signer);
    EVP_PKEY_free(signer_key);
    return ret;
}
156*e0c4386eSCy Schubert
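/*
 * Exercise ACCESS_DESCRIPTION_new()/_free() with different states of the
 * |location| member:
 *   0 - leave the freshly created structure untouched
 *   1 - expect a location to be present, free it and set it to NULL
 *   2 - replace the location with a newly allocated GENERAL_NAME
 * Intended to run under the leak checker.  Returns 1 on success, 0 on
 * failure.  The ACCESS_DESCRIPTION is freed on every path; previously a
 * failing check inside case 1 or 2 skipped the free and leaked |ad|.
 */
static int test_access_description(int testcase)
{
    ACCESS_DESCRIPTION *ad = ACCESS_DESCRIPTION_new();
    int ret = 0;

    if (!TEST_ptr(ad))
        goto err;

    switch (testcase) {
    case 0: /* no change */
        break;
    case 1: /* check and release current location */
        if (!TEST_ptr(ad->location))
            goto err;
        GENERAL_NAME_free(ad->location);
        ad->location = NULL;
        break;
    case 2: /* replace current location */
        GENERAL_NAME_free(ad->location);
        ad->location = GENERAL_NAME_new();
        if (!TEST_ptr(ad->location))
            goto err;
        break;
    default: /* only 0..2 are registered via ADD_ALL_TESTS(..., 3) */
        TEST_error("unexpected testcase %d", testcase);
        goto err;
    }
    ret = 1;
 err:
    /* NULL-safe; releases |ad| and whatever |location| currently holds. */
    ACCESS_DESCRIPTION_free(ad);
    return ret;
}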
186*e0c4386eSCy Schubert
/*
 * Build an OCSP service-locator extension for the test certificate's issuer
 * with a short URL list and release it again.  The point of the test is to
 * run OCSP_url_svcloc_new() under the leak checker.  Returns 1 on success.
 */
static int test_ocsp_url_svcloc_new(void)
{
    static const char *svcloc_urls[] = {
        "www.openssl.org",
        "www.openssl.net",
        NULL
    };
    X509 *issuer = NULL;
    X509_EXTENSION *svcloc = NULL;
    int ret = 0;

    if (!TEST_true(get_cert(&issuer)))
        goto err;

    svcloc = OCSP_url_svcloc_new(X509_get_issuer_name(issuer), svcloc_urls);
    if (TEST_ptr(svcloc)) {
        /* Success path: the extension is ours to free. */
        X509_EXTENSION_free(svcloc);
        ret = 1;
    }
 err:
    X509_free(issuer);
    return ret;
}
215*e0c4386eSCy Schubert
216*e0c4386eSCy Schubert #endif /* OPENSSL_NO_OCSP */
217*e0c4386eSCy Schubert
/* Usage text for the two positional arguments read in setup_tests(). */
OPT_TEST_DECLARE_USAGE("certfile privkeyfile\n")
219*e0c4386eSCy Schubert
/*
 * Test-harness entry point: consume the common options, record the
 * certificate and private-key file paths from the two positional
 * arguments, and register the OCSP tests (when OCSP is compiled in).
 * Returns 1 on success, 0 if the options or arguments are missing.
 */
int setup_tests(void)
{
    if (!test_skip_common_options()) {
        TEST_error("Error parsing test options\n");
        return 0;
    }

    /* Same short-circuit as before: the key path is only read after the cert path. */
    certstr = test_get_argument(0);
    if (!TEST_ptr(certstr))
        return 0;
    privkeystr = test_get_argument(1);
    if (!TEST_ptr(privkeystr))
        return 0;

#ifndef OPENSSL_NO_OCSP
    ADD_TEST(test_resp_signer);
    ADD_ALL_TESTS(test_access_description, 3);
    ADD_TEST(test_ocsp_url_svcloc_new);
#endif
    return 1;
}