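/*
 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * Tests for the Certificate Transparency (CT) API: decoding SCTs embedded in
 * X.509 certificates or carried in TLS wire format, printing them, and
 * validating them against a CT log store at a chosen point in time.
 */

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <openssl/ct.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "testutil.h"
#include <openssl/crypto.h>

#ifndef OPENSSL_NO_CT

/* Used when declaring buffers to read text files into */
# define CT_TEST_MAX_FILE_SIZE 8096

/* Test data directories; set from CERTS_DIR / CT_DIR in setup_tests(). */
static char *certs_dir = NULL;
static char *ct_dir = NULL;

typedef struct ct_test_fixture {
    const char *test_case_name;
    /* The current time in milliseconds */
    uint64_t epoch_time_in_ms;
    /* The CT log store to use during tests */
    CTLOG_STORE* ctlog_store;
    /* Set the following to test handling of SCTs in X509 certificates */
    const char *certs_dir;
    char *certificate_file;
    char *issuer_file;
    /*
     * Expected number of SCTs.
     * NOTE(review): execute_cert_test() only uses this as a "some / none"
     * switch; the decoded list length is never compared with it.
     */
    int expected_sct_count;
    /* Expected number of valid SCTS */
    int expected_valid_sct_count;
    /* Set the following to test handling of SCTs in TLS format */
    const unsigned char *tls_sct_list;
    size_t tls_sct_list_len;
    /*
     * Owned by the fixture and released in tear_down().
     * NOTE(review): nothing in execute_cert_test() reads this list.
     */
    STACK_OF(SCT) *sct_list;
    /*
     * A file to load the expected SCT text from.
     * This text will be compared to the actual text output during the test.
     * A maximum of |CT_TEST_MAX_FILE_SIZE| bytes will be read of this file.
     */
    const char *sct_dir;
    const char *sct_text_file;
    /* Whether to test the validity of the SCT(s) */
    int test_validity;
} CT_TEST_FIXTURE;

/*
 * Allocates a zeroed fixture, pins "now" to a fixed timestamp so validation
 * does not depend on the wall clock, and loads the default CT log list.
 * Returns NULL (after logging a test error) if any step fails.
 */
static CT_TEST_FIXTURE *set_up(const char *const test_case_name)
{
    CT_TEST_FIXTURE *fixture = NULL;

    if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
        goto end;
    fixture->test_case_name = test_case_name;
    fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */
    if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new())
            || !TEST_int_eq(
                    CTLOG_STORE_load_default_file(fixture->ctlog_store), 1))
        goto end;
    return fixture;

end:
    if (fixture != NULL)
        CTLOG_STORE_free(fixture->ctlog_store);
    OPENSSL_free(fixture);
    TEST_error("Failed to setup");
    return NULL;
}

/* Releases everything the fixture owns; a NULL fixture is accepted. */
static void tear_down(CT_TEST_FIXTURE *fixture)
{
    if (fixture != NULL) {
        CTLOG_STORE_free(fixture->ctlog_store);
        SCT_LIST_free(fixture->sct_list);
    }
    OPENSSL_free(fixture);
}

/*
 * Reads one PEM certificate from |dir|/|file|.
 * Returns the certificate (caller frees with X509_free) or NULL if the path
 * could not be built, the file could not be opened, or parsing failed.
 */
static X509 *load_pem_cert(const char *dir, const char *file)
{
    X509 *cert = NULL;
    char *file_path = test_mk_file_path(dir, file);

    if (file_path != NULL) {
        BIO *cert_io = BIO_new_file(file_path, "r");

        if (cert_io != NULL)
            cert = PEM_read_bio_X509(cert_io, NULL, NULL, NULL);
        BIO_free(cert_io);
    }

    OPENSSL_free(file_path);
    return cert;
}

/*
 * Reads up to |buffer_length| bytes of |dir|/|file| into |buffer| with a
 * single BIO_read() call. The buffer is NOT NUL-terminated here; the caller
 * must reserve room for, and write, the terminator.
 * Returns the BIO_read() result, or -1 if the file could not be opened.
 */
static int read_text_file(const char *dir, const char *file,
                          char *buffer, int buffer_length)
{
    int len = -1;
    char *file_path = test_mk_file_path(dir, file);

    if (file_path != NULL) {
        BIO *file_io = BIO_new_file(file_path, "r");

        if (file_io != NULL)
            len = BIO_read(file_io, buffer, buffer_length);
        BIO_free(file_io);
    }

    OPENSSL_free(file_path);
    return len;
}

/*
 * Prints |sct| into a memory BIO and compares the text with
 * |expected_output|. Returns 1 on an exact match, 0 otherwise.
 */
static int compare_sct_list_printout(STACK_OF(SCT) *sct,
                                     const char *expected_output)
{
    BIO *text_buffer = NULL;
    char *actual_output = NULL;
    int result = 0;

    if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem())))
        goto end;

    SCT_LIST_print(sct, text_buffer, 0, "\n", NULL);

    /*
     * Append \0 because we're about to use the buffer contents as a string.
     * Require exactly one byte written: BIO_write() reports failure with a
     * non-positive value, and -1 would pass a plain truthiness check, leaving
     * the buffer unterminated for the string comparison below.
     */
    if (!TEST_int_eq(BIO_write(text_buffer, "\0", 1), 1))
        goto end;

    BIO_get_mem_data(text_buffer, &actual_output);
    if (!TEST_str_eq(actual_output, expected_output))
        goto end;
    result = 1;

end:
    BIO_free(text_buffer);
    return result;
}

/*
 * Prints |extension| into a memory BIO, appends a newline, and compares the
 * text with |expected_output|. Returns 1 on an exact match, 0 otherwise.
 */
static int compare_extension_printout(X509_EXTENSION *extension,
                                      const char *expected_output)
{
    BIO *text_buffer = NULL;
    char *actual_output = NULL;
    int result = 0;

    if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem()))
            || !TEST_true(X509V3_EXT_print(text_buffer, extension,
                                           X509V3_EXT_DEFAULT, 0)))
        goto end;

    /*
     * Append \n because it's easier to create files that end with one.
     * As below, insist on the byte count so that a -1 error return is not
     * mistaken for success.
     */
    if (!TEST_int_eq(BIO_write(text_buffer, "\n", 1), 1))
        goto end;

    /* Append \0 because we're about to use the buffer contents as a string. */
    if (!TEST_int_eq(BIO_write(text_buffer, "\0", 1), 1))
        goto end;

    BIO_get_mem_data(text_buffer, &actual_output);
    if (!TEST_str_eq(actual_output, expected_output))
        goto end;

    result = 1;

end:
    BIO_free(text_buffer);
    return result;
}

/*
 * Validates |scts| under |policy_ctx| and checks that the number of SCTs
 * whose status is VALID equals fixture->expected_valid_sct_count.
 * Returns 1 if the counts agree, 0 otherwise.
 */
static int assert_validity(CT_TEST_FIXTURE *fixture, STACK_OF(SCT) *scts,
                           CT_POLICY_EVAL_CTX *policy_ctx)
{
    int invalid_sct_count = 0;
    int valid_sct_count = 0;
    int i;

    /*
     * Only a negative return (internal error) aborts here; the verdict for
     * each SCT is read from its validation status below.
     */
    if (!TEST_int_ge(SCT_LIST_validate(scts, policy_ctx), 0))
        return 0;

    for (i = 0; i < sk_SCT_num(scts); ++i) {
        SCT *sct_i = sk_SCT_value(scts, i);

        switch (SCT_get_validation_status(sct_i)) {
        case SCT_VALIDATION_STATUS_VALID:
            ++valid_sct_count;
            break;
        case SCT_VALIDATION_STATUS_INVALID:
            ++invalid_sct_count;
            break;
        case SCT_VALIDATION_STATUS_NOT_SET:
        case SCT_VALIDATION_STATUS_UNKNOWN_LOG:
        case SCT_VALIDATION_STATUS_UNVERIFIED:
        case SCT_VALIDATION_STATUS_UNKNOWN_VERSION:
            /* Ignore other validation statuses. */
            break;
        }
    }

    if (!TEST_int_eq(valid_sct_count, fixture->expected_valid_sct_count)) {
        int unverified_sct_count = sk_SCT_num(scts) -
                                        invalid_sct_count - valid_sct_count;

        TEST_info("%d SCTs failed, %d SCTs unverified",
                  invalid_sct_count, unverified_sct_count);
        return 0;
    }

    return 1;
}

/*
 * Runs the checks selected by |fixture|:
 *  - certificate_file: load the certificate (and issuer), locate the embedded
 *    SCT list extension, compare its printout, decode it, check each SCT's
 *    source and, if requested, its validity;
 *  - tls_sct_list: decode the TLS-format list, optionally validate it,
 *    compare its printout, and check that re-encoding is byte-identical.
 * Returns 1 if every selected check passed, 0 otherwise.
 */
static int execute_cert_test(CT_TEST_FIXTURE *fixture)
{
    int success = 0;
    X509 *cert = NULL, *issuer = NULL;
    STACK_OF(SCT) *scts = NULL;
    char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
    int sct_text_len = 0;
    unsigned char *tls_sct_list = NULL;
    size_t tls_sct_list_len = 0;
    CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();

    /* The setters below dereference the context, so fail early on NULL. */
    if (!TEST_ptr(ct_policy_ctx))
        goto end;

    if (fixture->sct_text_file != NULL) {
        /* One byte is held back for the terminator written below. */
        sct_text_len = read_text_file(fixture->sct_dir, fixture->sct_text_file,
                                      expected_sct_text,
                                      CT_TEST_MAX_FILE_SIZE - 1);

        if (!TEST_int_ge(sct_text_len, 0))
            goto end;
        expected_sct_text[sct_text_len] = '\0';
    }

    CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(
            ct_policy_ctx, fixture->ctlog_store);

    CT_POLICY_EVAL_CTX_set_time(ct_policy_ctx, fixture->epoch_time_in_ms);

    if (fixture->certificate_file != NULL) {
        int sct_extension_index;
        int i;
        X509_EXTENSION *sct_extension = NULL;

        if (!TEST_ptr(cert = load_pem_cert(fixture->certs_dir,
                                           fixture->certificate_file)))
            goto end;

        CT_POLICY_EVAL_CTX_set1_cert(ct_policy_ctx, cert);

        if (fixture->issuer_file != NULL) {
            if (!TEST_ptr(issuer = load_pem_cert(fixture->certs_dir,
                                                 fixture->issuer_file)))
                goto end;
            CT_POLICY_EVAL_CTX_set1_issuer(ct_policy_ctx, issuer);
        }

        sct_extension_index =
                X509_get_ext_by_NID(cert, NID_ct_precert_scts, -1);
        sct_extension = X509_get_ext(cert, sct_extension_index);
        if (fixture->expected_sct_count > 0) {
            if (!TEST_ptr(sct_extension))
                goto end;

            if (fixture->sct_text_file
                && !compare_extension_printout(sct_extension,
                                               expected_sct_text))
                    goto end;

            /*
             * A decode failure must fail the test. Without this check a NULL
             * list skips the loop below and, when test_validity is unset,
             * the test would pass without having decoded any SCT.
             */
            if (!TEST_ptr(scts = X509V3_EXT_d2i(sct_extension)))
                goto end;

            for (i = 0; i < sk_SCT_num(scts); ++i) {
                SCT *sct_i = sk_SCT_value(scts, i);

                if (!TEST_int_eq(SCT_get_source(sct_i),
                                 SCT_SOURCE_X509V3_EXTENSION)) {
                    goto end;
                }
            }

            if (fixture->test_validity) {
                if (!assert_validity(fixture, scts, ct_policy_ctx))
                    goto end;
            }
        } else if (!TEST_ptr_null(sct_extension)) {
            goto end;
        }
    }

    if (fixture->tls_sct_list != NULL) {
        const unsigned char *p = fixture->tls_sct_list;
        int encoded_len;

        if (!TEST_ptr(o2i_SCT_LIST(&scts, &p, fixture->tls_sct_list_len)))
            goto end;

        if (fixture->test_validity && cert != NULL) {
            if (!assert_validity(fixture, scts, ct_policy_ctx))
                goto end;
        }

        if (fixture->sct_text_file
            && !compare_sct_list_printout(scts, expected_sct_text)) {
                goto end;
        }

        /*
         * i2o_SCT_LIST() returns an int and signals failure with a negative
         * value; check it before widening to size_t for the comparison.
         */
        encoded_len = i2o_SCT_LIST(scts, &tls_sct_list);
        if (!TEST_int_ge(encoded_len, 0))
            goto end;
        tls_sct_list_len = (size_t)encoded_len;

        if (!TEST_mem_eq(fixture->tls_sct_list, fixture->tls_sct_list_len,
                         tls_sct_list, tls_sct_list_len))
            goto end;
    }
    success = 1;

end:
    X509_free(cert);
    X509_free(issuer);
    SCT_LIST_free(scts);
    CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
    OPENSSL_free(tls_sct_list);
    return success;
}

/*
 * Both macros come from testutil.h. The tests below rely on them providing
 * the locals |fixture| and |result|, and on the execute macro calling
 * tear_down() once the test body has run.
 */
# define SETUP_CT_TEST_FIXTURE() SETUP_TEST_FIXTURE(CT_TEST_FIXTURE, set_up)
# define EXECUTE_CT_TEST() EXECUTE_TEST(execute_cert_test, tear_down)

/* A certificate without the SCT list extension must yield no extension. */
static int test_no_scts_in_certificate(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "leaf.pem";
    fixture->issuer_file = "subinterCA.pem";
    fixture->expected_sct_count = 0;
    EXECUTE_CT_TEST();
    return result;
}

/* Decodes and prints the SCT list of a certificate with one embedded SCT. */
static int test_one_sct_in_certificate(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "embeddedSCTs1.pem";
    fixture->issuer_file = "embeddedSCTs1_issuer.pem";
    fixture->expected_sct_count = 1;
    fixture->sct_dir = certs_dir;
    fixture->sct_text_file = "embeddedSCTs1.sct";
    EXECUTE_CT_TEST();
    return result;
}

/* Same as above for a certificate with several embedded SCTs. */
static int test_multiple_scts_in_certificate(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "embeddedSCTs3.pem";
    fixture->issuer_file = "embeddedSCTs3_issuer.pem";
    fixture->expected_sct_count = 3;
    fixture->sct_dir = certs_dir;
    fixture->sct_text_file = "embeddedSCTs3.sct";
    EXECUTE_CT_TEST();
    return result;
}

/* The single embedded SCT must validate at the fixture's fixed time. */
static int test_verify_one_sct(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "embeddedSCTs1.pem";
    fixture->issuer_file = "embeddedSCTs1_issuer.pem";
    fixture->expected_sct_count = fixture->expected_valid_sct_count = 1;
    fixture->test_validity = 1;
    EXECUTE_CT_TEST();
    return result;
}

/* All three embedded SCTs must validate at the fixture's fixed time. */
static int test_verify_multiple_scts(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "embeddedSCTs3.pem";
    fixture->issuer_file = "embeddedSCTs3_issuer.pem";
    fixture->expected_sct_count = fixture->expected_valid_sct_count = 3;
    fixture->test_validity = 1;
    EXECUTE_CT_TEST();
    return result;
}

/*
 * Moves the evaluation time back to 2013 and expects zero valid SCTs: per
 * the test name, the embedded SCT's timestamp then lies in the future, and
 * an SCT dated after "now" must not be accepted.
 */
static int test_verify_fails_for_future_sct(void)
{
    SETUP_CT_TEST_FIXTURE();
    fixture->epoch_time_in_ms = 1365094800000ULL; /* Apr 4 17:00:00 2013 GMT */
    fixture->certs_dir = certs_dir;
    fixture->certificate_file = "embeddedSCTs1.pem";
    fixture->issuer_file = "embeddedSCTs1_issuer.pem";
    fixture->expected_sct_count = 1;
    fixture->expected_valid_sct_count = 0;
    fixture->test_validity = 1;
    EXECUTE_CT_TEST();
    return result;
}

/*
 * Decodes a TLS-format SCT list, compares its printout with tls1.sct, and
 * checks that re-encoding reproduces the input bytes.
 */
static int test_decode_tls_sct(void)
{
    const unsigned char tls_sct_list[] = "\x00\x78" /* length of list */
        "\x00\x76"
        "\x00" /* version */
        /* log ID */
        "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
        "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64"
        "\x00\x00\x01\x3D\xDB\x27\xDF\x93" /* timestamp */
        "\x00\x00" /* extensions length */
        "" /* extensions */
        "\x04\x03" /* hash and signature algorithms */
        "\x00\x47" /* signature length */
        /* signature */
        "\x30\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE\x1F\xD6"
        "\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3\xE5\xE2"
        "\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB"
        "\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89"
        "\xED\xBF\x08";

    SETUP_CT_TEST_FIXTURE();
    fixture->tls_sct_list = tls_sct_list;
    /*
     * 2-byte list length prefix + 0x78 bytes of list; the string literal's
     * trailing NUL is deliberately not part of the encoded list.
     */
    fixture->tls_sct_list_len = 0x7a;
    fixture->sct_dir = ct_dir;
    fixture->sct_text_file = "tls1.sct";
    EXECUTE_CT_TEST();
    return result;
}

/*
 * Builds an SCT from base64 fields and stores it in the fixture.
 * NOTE(review): execute_cert_test() never reads fixture->sct_list, so as
 * written this test only exercises SCT_new_from_base64() and the loading of
 * tls1.sct; the encoded form of the SCT is not compared with anything.
 */
static int test_encode_tls_sct(void)
{
    const char log_id[] = "3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4LvT9012Q=";
    const uint64_t timestamp = 1;
    const char extensions[] = "";
    const char signature[] = "BAMARzBAMiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUwKI+j5"
            "eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8I";
    SCT *sct = NULL;

    SETUP_CT_TEST_FIXTURE();

    /*
     * The early exits below happen before EXECUTE_CT_TEST(), so nothing else
     * would release the fixture; tear it down explicitly on each of them.
     */
    fixture->sct_list = sk_SCT_new_null();
    if (fixture->sct_list == NULL) {
        tear_down(fixture);
        return 0;
    }

    if (!TEST_ptr(sct = SCT_new_from_base64(SCT_VERSION_V1, log_id,
                                            CT_LOG_ENTRY_TYPE_X509, timestamp,
                                            extensions, signature))) {
        tear_down(fixture);
        return 0;
    }

    /* On a failed push the list does not own |sct|, so free it here. */
    if (!TEST_int_gt(sk_SCT_push(fixture->sct_list, sct), 0)) {
        SCT_free(sct);
        tear_down(fixture);
        return 0;
    }

    fixture->sct_dir = ct_dir;
    fixture->sct_text_file = "tls1.sct";
    EXECUTE_CT_TEST();
    return result;
}

/*
 * Tests that the CT_POLICY_EVAL_CTX default time is approximately now.
 * Allow +-10 minutes, as it may compensate for clock skew.
 */
static int test_default_ct_policy_eval_ctx_time_is_now(void)
{
    int success = 0;
    CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
    const time_t time_tolerance = 600;  /* 10 minutes */
    time_t default_time;

    /* Check the allocation before the context is queried. */
    if (!TEST_ptr(ct_policy_ctx))
        goto end;

    /* The context reports milliseconds; time_t comparisons use seconds. */
    default_time = (time_t)(CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx) / 1000);

    if (!TEST_time_t_le(abs((int)difftime(time(NULL), default_time)),
                        time_tolerance))
        goto end;

    success = 1;
end:
    CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
    return success;
}

/*
 * Malformed base64 public keys (raw control bytes, padding only) must be
 * rejected when constructing a CT log.
 */
static int test_ctlog_from_base64(void)
{
    CTLOG *ctlogp = NULL;
    const char notb64[] = "\01\02\03\04";
    const char pad[] = "====";
    const char name[] = "name";
    int ok;

    /* We expect these to both fail! */
    ok = TEST_true(!CTLOG_new_from_base64(&ctlogp, notb64, name))
        && TEST_true(!CTLOG_new_from_base64(&ctlogp, pad, name));

    /* Only non-NULL if a call unexpectedly succeeded; avoid leaking it. */
    CTLOG_free(ctlogp);
    return ok;
}
#endif

/*
 * Test-harness entry point: resolves the data directories from the CT_DIR
 * and CERTS_DIR environment variables (defaulting to "ct" and "certs") and
 * registers every CT test. Always returns 1.
 */
int setup_tests(void)
{
#ifndef OPENSSL_NO_CT
    if ((ct_dir = getenv("CT_DIR")) == NULL)
        ct_dir = "ct";
    if ((certs_dir = getenv("CERTS_DIR")) == NULL)
        certs_dir = "certs";

    ADD_TEST(test_no_scts_in_certificate);
    ADD_TEST(test_one_sct_in_certificate);
    ADD_TEST(test_multiple_scts_in_certificate);
    ADD_TEST(test_verify_one_sct);
    ADD_TEST(test_verify_multiple_scts);
    ADD_TEST(test_verify_fails_for_future_sct);
    ADD_TEST(test_decode_tls_sct);
    ADD_TEST(test_encode_tls_sct);
    ADD_TEST(test_default_ct_policy_eval_ctx_time_is_now);
    ADD_TEST(test_ctlog_from_base64);
#else
    printf("No CT support\n");
#endif
    return 1;
}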