1*e7be843bSPierre Pronchery /*
2*e7be843bSPierre Pronchery * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
3*e7be843bSPierre Pronchery *
4*e7be843bSPierre Pronchery * Licensed under the Apache License 2.0 (the "License"). You may not use
5*e7be843bSPierre Pronchery * this file except in compliance with the License. You can obtain a copy
6*e7be843bSPierre Pronchery * in the file LICENSE in the source distribution or at
7*e7be843bSPierre Pronchery * https://www.openssl.org/source/license.html
8*e7be843bSPierre Pronchery */
9*e7be843bSPierre Pronchery
10*e7be843bSPierre Pronchery #include <openssl/pem.h>
11*e7be843bSPierre Pronchery #include <openssl/x509.h>
12*e7be843bSPierre Pronchery
13*e7be843bSPierre Pronchery #include "testutil.h"
14*e7be843bSPierre Pronchery
15*e7be843bSPierre Pronchery static char *certsDir = NULL;
16*e7be843bSPierre Pronchery
17*e7be843bSPierre Pronchery /*
18*e7be843bSPierre Pronchery * Test for the missing X509 version check discussed in issue #5738 and
19*e7be843bSPierre Pronchery * added in PR #24677.
20*e7be843bSPierre Pronchery * This test tries to verify a malformed CSR with the X509 version set
21*e7be843bSPierre Pronchery * version 6, instead of 1. As this request is malformed, even its
22*e7be843bSPierre Pronchery * signature is valid, the verification must fail.
23*e7be843bSPierre Pronchery */
test_x509_req_detect_invalid_version(void)24*e7be843bSPierre Pronchery static int test_x509_req_detect_invalid_version(void)
25*e7be843bSPierre Pronchery {
26*e7be843bSPierre Pronchery char *certFilePath;
27*e7be843bSPierre Pronchery BIO *bio = NULL;
28*e7be843bSPierre Pronchery EVP_PKEY *pkey = NULL;
29*e7be843bSPierre Pronchery X509_REQ *req = NULL;
30*e7be843bSPierre Pronchery int ret = 0;
31*e7be843bSPierre Pronchery
32*e7be843bSPierre Pronchery certFilePath = test_mk_file_path(certsDir, "x509-req-detect-invalid-version.pem");
33*e7be843bSPierre Pronchery if (certFilePath == NULL)
34*e7be843bSPierre Pronchery goto err;
35*e7be843bSPierre Pronchery if (!TEST_ptr(bio = BIO_new_file(certFilePath, "r")))
36*e7be843bSPierre Pronchery goto err;
37*e7be843bSPierre Pronchery req = PEM_read_bio_X509_REQ(bio, NULL, 0, NULL);
38*e7be843bSPierre Pronchery if (req == NULL) {
39*e7be843bSPierre Pronchery ret = 1; /* success, reading PEM with invalid CSR data is allowed to fail. */
40*e7be843bSPierre Pronchery goto err;
41*e7be843bSPierre Pronchery }
42*e7be843bSPierre Pronchery if (!TEST_ptr(pkey = X509_REQ_get_pubkey(req)))
43*e7be843bSPierre Pronchery goto err;
44*e7be843bSPierre Pronchery /* Verification MUST fail at this point. ret != 1. */
45*e7be843bSPierre Pronchery if (!TEST_int_ne(X509_REQ_verify(req, pkey), 1))
46*e7be843bSPierre Pronchery goto err;
47*e7be843bSPierre Pronchery ret = 1; /* success */
48*e7be843bSPierre Pronchery err:
49*e7be843bSPierre Pronchery EVP_PKEY_free(pkey);
50*e7be843bSPierre Pronchery X509_REQ_free(req);
51*e7be843bSPierre Pronchery BIO_free(bio);
52*e7be843bSPierre Pronchery OPENSSL_free(certFilePath);
53*e7be843bSPierre Pronchery return ret;
54*e7be843bSPierre Pronchery }
55*e7be843bSPierre Pronchery
56*e7be843bSPierre Pronchery OPT_TEST_DECLARE_USAGE("certdir\n")
57*e7be843bSPierre Pronchery
setup_tests(void)58*e7be843bSPierre Pronchery int setup_tests(void)
59*e7be843bSPierre Pronchery {
60*e7be843bSPierre Pronchery if (!test_skip_common_options()) {
61*e7be843bSPierre Pronchery TEST_error("Error parsing test options\n");
62*e7be843bSPierre Pronchery return 0;
63*e7be843bSPierre Pronchery }
64*e7be843bSPierre Pronchery if (!TEST_ptr(certsDir = test_get_argument(0)))
65*e7be843bSPierre Pronchery return 0;
66*e7be843bSPierre Pronchery
67*e7be843bSPierre Pronchery ADD_TEST(test_x509_req_detect_invalid_version);
68*e7be843bSPierre Pronchery return 1;
69*e7be843bSPierre Pronchery }
70*e7be843bSPierre Pronchery
cleanup_tests(void)71*e7be843bSPierre Pronchery void cleanup_tests(void)
72*e7be843bSPierre Pronchery {
73*e7be843bSPierre Pronchery }
74