1 /* 2 * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include <openssl/opensslconf.h> 13 #include <openssl/crypto.h> 14 #include <openssl/ocsp.h> 15 #include <openssl/x509.h> 16 #include <openssl/asn1.h> 17 #include <openssl/pem.h> 18 19 #include "testutil.h" 20 21 static const char *certstr; 22 static const char *privkeystr; 23 24 #ifndef OPENSSL_NO_OCSP 25 static int get_cert_and_key(X509 **cert_out, EVP_PKEY **key_out) 26 { 27 BIO *certbio, *keybio; 28 X509 *cert = NULL; 29 EVP_PKEY *key = NULL; 30 31 if (!TEST_ptr(certbio = BIO_new_file(certstr, "r"))) 32 return 0; 33 cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); 34 BIO_free(certbio); 35 if (!TEST_ptr(keybio = BIO_new_file(privkeystr, "r"))) 36 goto end; 37 key = PEM_read_bio_PrivateKey(keybio, NULL, NULL, NULL); 38 BIO_free(keybio); 39 if (!TEST_ptr(cert) || !TEST_ptr(key)) 40 goto end; 41 *cert_out = cert; 42 *key_out = key; 43 return 1; 44 end: 45 X509_free(cert); 46 EVP_PKEY_free(key); 47 return 0; 48 } 49 50 static int get_cert(X509 **cert_out) 51 { 52 BIO *certbio; 53 X509 *cert = NULL; 54 55 if (!TEST_ptr(certbio = BIO_new_file(certstr, "r"))) 56 return 0; 57 cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); 58 BIO_free(certbio); 59 if (!TEST_ptr(cert)) 60 goto end; 61 *cert_out = cert; 62 return 1; 63 end: 64 X509_free(cert); 65 return 0; 66 } 67 68 static OCSP_BASICRESP *make_dummy_resp(void) 69 { 70 const unsigned char namestr[] = "openssl.example.com"; 71 unsigned char keybytes[128] = {7}; 72 OCSP_BASICRESP *bs = OCSP_BASICRESP_new(); 73 OCSP_BASICRESP *bs_out = NULL; 74 OCSP_CERTID *cid = NULL; 75 ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL)); 76 ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200); 77 X509_NAME *name = X509_NAME_new(); 78 ASN1_BIT_STRING *key = ASN1_BIT_STRING_new(); 79 ASN1_INTEGER *serial = ASN1_INTEGER_new(); 80 81 if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC, 82 namestr, -1, -1, 1) 83 || !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes)) 84 || !ASN1_INTEGER_set_uint64(serial, (uint64_t)1)) 85 goto err; 86 cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial); 87 if (!TEST_ptr(bs) 88 || !TEST_ptr(thisupd) 89 || !TEST_ptr(nextupd) 90 || !TEST_ptr(cid) 91 || !TEST_true(OCSP_basic_add1_status(bs, cid, 92 V_OCSP_CERTSTATUS_UNKNOWN, 93 0, NULL, thisupd, nextupd))) 94 goto err; 95 bs_out = bs; 96 bs = NULL; 97 err: 98 ASN1_TIME_free(thisupd); 99 ASN1_TIME_free(nextupd); 100 ASN1_BIT_STRING_free(key); 101 ASN1_INTEGER_free(serial); 102 OCSP_CERTID_free(cid); 103 OCSP_BASICRESP_free(bs); 104 X509_NAME_free(name); 105 return bs_out; 106 } 107 108 static int test_resp_signer(void) 109 { 110 OCSP_BASICRESP *bs = NULL; 111 X509 *signer = NULL, *tmp; 112 EVP_PKEY *key = NULL; 113 STACK_OF(X509) *extra_certs = NULL; 114 int ret = 0; 115 116 /* 117 * Test a response with no certs at all; get the signer from the 118 * extra certs given to OCSP_resp_get0_signer(). 119 */ 120 bs = make_dummy_resp(); 121 extra_certs = sk_X509_new_null(); 122 if (!TEST_ptr(bs) 123 || !TEST_ptr(extra_certs) 124 || !TEST_true(get_cert_and_key(&signer, &key)) 125 || !TEST_true(sk_X509_push(extra_certs, signer)) 126 || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(), 127 NULL, OCSP_NOCERTS))) 128 goto err; 129 if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, extra_certs)) 130 || !TEST_int_eq(X509_cmp(tmp, signer), 0)) 131 goto err; 132 OCSP_BASICRESP_free(bs); 133 134 /* Do it again but include the signer cert */ 135 bs = make_dummy_resp(); 136 tmp = NULL; 137 if (!TEST_ptr(bs) 138 || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(), 139 NULL, 0))) 140 goto err; 141 if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, NULL)) 142 || !TEST_int_eq(X509_cmp(tmp, signer), 0)) 143 goto err; 144 ret = 1; 145 err: 146 OCSP_BASICRESP_free(bs); 147 sk_X509_free(extra_certs); 148 X509_free(signer); 149 EVP_PKEY_free(key); 150 return ret; 151 } 152 153 static int test_access_description(int testcase) 154 { 155 ACCESS_DESCRIPTION *ad = ACCESS_DESCRIPTION_new(); 156 int ret = 0; 157 158 if (!TEST_ptr(ad)) 159 goto err; 160 161 switch (testcase) { 162 case 0: /* no change */ 163 break; 164 case 1: /* check and release current location */ 165 if (!TEST_ptr(ad->location)) 166 goto err; 167 GENERAL_NAME_free(ad->location); 168 ad->location = NULL; 169 break; 170 case 2: /* replace current location */ 171 GENERAL_NAME_free(ad->location); 172 ad->location = GENERAL_NAME_new(); 173 if (!TEST_ptr(ad->location)) 174 goto err; 175 break; 176 } 177 ACCESS_DESCRIPTION_free(ad); 178 ret = 1; 179 err: 180 return ret; 181 } 182 183 static int test_ocsp_url_svcloc_new(void) 184 { 185 static const char * urls[] = { 186 "www.openssl.org", 187 "www.openssl.net", 188 NULL 189 }; 190 191 X509 *issuer = NULL; 192 X509_EXTENSION * ext = NULL; 193 int ret = 0; 194 195 if (!TEST_true(get_cert(&issuer))) 196 goto err; 197 198 /* 199 * Test calling this ocsp method to catch any memory leak 200 */ 201 ext = OCSP_url_svcloc_new(X509_get_issuer_name(issuer), urls); 202 if (!TEST_ptr(ext)) 203 goto err; 204 205 X509_EXTENSION_free(ext); 206 ret = 1; 207 err: 208 X509_free(issuer); 209 return ret; 210 } 211 212 #endif /* OPENSSL_NO_OCSP */ 213 214 int setup_tests(void) 215 { 216 if (!TEST_ptr(certstr = test_get_argument(0)) 217 || !TEST_ptr(privkeystr = test_get_argument(1))) 218 return 0; 219 #ifndef OPENSSL_NO_OCSP 220 ADD_TEST(test_resp_signer); 221 ADD_ALL_TESTS(test_access_description, 3); 222 ADD_TEST(test_ocsp_url_svcloc_new); 223 #endif 224 return 1; 225 } 226