| yuezonghe | 824eb0c | 2024-06-27 02:32:26 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * |
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use |
| 5 | * this file except in compliance with the License. You can obtain a copy |
| 6 | * in the file LICENSE in the source distribution or at |
| 7 | * https://www.openssl.org/source/license.html |
| 8 | */ |
| 9 | |
| 10 | #include "internal/nelem.h" |
| 11 | #include <string.h> |
| 12 | #include <openssl/bio.h> |
| 13 | #include <openssl/crypto.h> |
| 14 | #include <openssl/err.h> |
| 15 | #include <openssl/pem.h> |
| 16 | #include <openssl/x509.h> |
| 17 | |
| 18 | #include "testutil.h" |
| 19 | |
| 20 | #define PARAM_TIME 1474934400 /* Sep 27th, 2016 */ |
| 21 | |
| 22 | static const char *kCRLTestRoot[] = { |
| 23 | "-----BEGIN CERTIFICATE-----\n", |
| 24 | "MIIDbzCCAlegAwIBAgIJAODri7v0dDUFMA0GCSqGSIb3DQEBCwUAME4xCzAJBgNV\n", |
| 25 | "BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW\n", |
| 26 | "aWV3MRIwEAYDVQQKDAlCb3JpbmdTU0wwHhcNMTYwOTI2MTUwNjI2WhcNMjYwOTI0\n", |
| 27 | "MTUwNjI2WjBOMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG\n", |
| 28 | "A1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJQm9yaW5nU1NMMIIBIjANBgkq\n", |
| 29 | "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3B\n", |
| 30 | "S/dUBpbrzd1aeFzNlI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+\n", |
| 31 | "5R/Du0iCb1tCZIPY07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWp\n", |
| 32 | "uRqO6rctN9qUoMlTIAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n\n", |
| 33 | "8H922qmvPNA9idmX9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbL\n", |
| 34 | "P2o9orxGx7aCtnnBZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABo1Aw\n", |
| 35 | "TjAdBgNVHQ4EFgQUWPt3N5cZ/CRvubbrkqfBnAqhq94wHwYDVR0jBBgwFoAUWPt3\n", |
| 36 | "N5cZ/CRvubbrkqfBnAqhq94wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n", |
| 37 | "AQEAORu6M0MOwXy+3VEBwNilfTxyqDfruQsc1jA4PT8Oe8zora1WxE1JB4q2FJOz\n", |
| 38 | "EAuM3H/NXvEnBuN+ITvKZAJUfm4NKX97qmjMJwLKWe1gVv+VQTr63aR7mgWJReQN\n", |
| 39 | "XdMztlVeZs2dppV6uEg3ia1X0G7LARxGpA9ETbMyCpb39XxlYuTClcbA5ftDN99B\n", |
| 40 | "3Xg9KNdd++Ew22O3HWRDvdDpTO/JkzQfzi3sYwUtzMEonENhczJhGf7bQMmvL/w5\n", |
| 41 | "24Wxj4Z7KzzWIHsNqE/RIs6RV3fcW61j/mRgW2XyoWnMVeBzvcJr9NXp4VQYmFPw\n", |
| 42 | "amd8GKMZQvP0ufGnUn7D7uartA==\n", |
| 43 | "-----END CERTIFICATE-----\n", |
| 44 | NULL |
| 45 | }; |
| 46 | |
| 47 | static const char *kCRLTestLeaf[] = { |
| 48 | "-----BEGIN CERTIFICATE-----\n", |
| 49 | "MIIDkDCCAnigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCVVMx\n", |
| 50 | "EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEjAQ\n", |
| 51 | "BgNVBAoMCUJvcmluZ1NTTDAeFw0xNjA5MjYxNTA4MzFaFw0xNzA5MjYxNTA4MzFa\n", |
| 52 | "MEsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQKDAlC\n", |
| 53 | "b3JpbmdTU0wxEzARBgNVBAMMCmJvcmluZy5zc2wwggEiMA0GCSqGSIb3DQEBAQUA\n", |
| 54 | "A4IBDwAwggEKAoIBAQDc5v1S1M0W+QWM+raWfO0LH8uvqEwuJQgODqMaGnSlWUx9\n", |
| 55 | "8iQcnWfjyPja3lWg9K62hSOFDuSyEkysKHDxijz5R93CfLcfnVXjWQDJe7EJTTDP\n", |
| 56 | "ozEvxN6RjAeYv7CF000euYr3QT5iyBjg76+bon1p0jHZBJeNPP1KqGYgyxp+hzpx\n", |
| 57 | "e0gZmTlGAXd8JQK4v8kpdYwD6PPifFL/jpmQpqOtQmH/6zcLjY4ojmqpEdBqIKIX\n", |
| 58 | "+saA29hMq0+NK3K+wgg31RU+cVWxu3tLOIiesETkeDgArjWRS1Vkzbi4v9SJxtNu\n", |
| 59 | "OZuAxWiynRJw3JwH/OFHYZIvQqz68ZBoj96cepjPAgMBAAGjezB5MAkGA1UdEwQC\n", |
| 60 | "MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl\n", |
| 61 | "MB0GA1UdDgQWBBTGn0OVVh/aoYt0bvEKG+PIERqnDzAfBgNVHSMEGDAWgBRY+3c3\n", |
| 62 | "lxn8JG+5tuuSp8GcCqGr3jANBgkqhkiG9w0BAQsFAAOCAQEAd2nM8gCQN2Dc8QJw\n", |
| 63 | "XSZXyuI3DBGGCHcay/3iXu0JvTC3EiQo8J6Djv7WLI0N5KH8mkm40u89fJAB2lLZ\n", |
| 64 | "ShuHVtcC182bOKnePgwp9CNwQ21p0rDEu/P3X46ZvFgdxx82E9xLa0tBB8PiPDWh\n", |
| 65 | "lV16jbaKTgX5AZqjnsyjR5o9/mbZVupZJXx5Syq+XA8qiJfstSYJs4KyKK9UOjql\n", |
| 66 | "ICkJVKpi2ahDBqX4MOH4SLfzVk8pqSpviS6yaA1RXqjpkxiN45WWaXDldVHMSkhC\n", |
| 67 | "5CNXsXi4b1nAntu89crwSLA3rEwzCWeYj+BX7e1T9rr3oJdwOU/2KQtW1js1yQUG\n", |
| 68 | "tjJMFw==\n", |
| 69 | "-----END CERTIFICATE-----\n", |
| 70 | NULL |
| 71 | }; |
| 72 | |
| 73 | static const char *kBasicCRL[] = { |
| 74 | "-----BEGIN X509 CRL-----\n", |
| 75 | "MIIBpzCBkAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", |
| 76 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n", |
| 77 | "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoA4wDDAKBgNV\n", |
| 78 | "HRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEAnrBKKgvd9x9zwK9rtUvVeFeJ7+LN\n", |
| 79 | "ZEAc+a5oxpPNEsJx6hXoApYEbzXMxuWBQoCs5iEBycSGudct21L+MVf27M38KrWo\n", |
| 80 | "eOkq0a2siqViQZO2Fb/SUFR0k9zb8xl86Zf65lgPplALun0bV/HT7MJcl04Tc4os\n", |
| 81 | "dsAReBs5nqTGNEd5AlC1iKHvQZkM//MD51DspKnDpsDiUVi54h9C1SpfZmX8H2Vv\n", |
| 82 | "diyu0fZ/bPAM3VAGawatf/SyWfBMyKpoPXEG39oAzmjjOj8en82psn7m474IGaho\n", |
| 83 | "/vBbhl1ms5qQiLYPjm4YELtnXQoFyC72tBjbdFd/ZE9k4CNKDbxFUXFbkw==\n", |
| 84 | "-----END X509 CRL-----\n", |
| 85 | NULL |
| 86 | }; |
| 87 | |
| 88 | static const char *kRevokedCRL[] = { |
| 89 | "-----BEGIN X509 CRL-----\n", |
| 90 | "MIIBvjCBpwIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", |
| 91 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n", |
| 92 | "Qm9yaW5nU1NMFw0xNjA5MjYxNTEyNDRaFw0xNjEwMjYxNTEyNDRaMBUwEwICEAAX\n", |
| 93 | "DTE2MDkyNjE1MTIyNlqgDjAMMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEBCwUAA4IB\n", |
| 94 | "AQCUGaM4DcWzlQKrcZvI8TMeR8BpsvQeo5BoI/XZu2a8h//PyRyMwYeaOM+3zl0d\n", |
| 95 | "sjgCT8b3C1FPgT+P2Lkowv7rJ+FHJRNQkogr+RuqCSPTq65ha4WKlRGWkMFybzVH\n", |
| 96 | "NloxC+aU3lgp/NlX9yUtfqYmJek1CDrOOGPrAEAwj1l/BUeYKNGqfBWYJQtPJu+5\n", |
| 97 | "OaSvIYGpETCZJscUWODmLEb/O3DM438vLvxonwGqXqS0KX37+CHpUlyhnSovxXxp\n", |
| 98 | "Pz4aF+L7OtczxL0GYtD2fR9B7TDMqsNmHXgQrixvvOY7MUdLGbd4RfJL3yA53hyO\n", |
| 99 | "xzfKY2TzxLiOmctG0hXFkH5J\n", |
| 100 | "-----END X509 CRL-----\n", |
| 101 | NULL |
| 102 | }; |
| 103 | |
| 104 | static const char *kBadIssuerCRL[] = { |
| 105 | "-----BEGIN X509 CRL-----\n", |
| 106 | "MIIBwjCBqwIBATANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJVUzETMBEGA1UE\n", |
| 107 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEWMBQGA1UECgwN\n", |
| 108 | "Tm90IEJvcmluZ1NTTBcNMTYwOTI2MTUxMjQ0WhcNMTYxMDI2MTUxMjQ0WjAVMBMC\n", |
| 109 | "AhAAFw0xNjA5MjYxNTEyMjZaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsF\n", |
| 110 | "AAOCAQEAlBmjOA3Fs5UCq3GbyPEzHkfAabL0HqOQaCP12btmvIf/z8kcjMGHmjjP\n", |
| 111 | "t85dHbI4Ak/G9wtRT4E/j9i5KML+6yfhRyUTUJKIK/kbqgkj06uuYWuFipURlpDB\n", |
| 112 | "cm81RzZaMQvmlN5YKfzZV/clLX6mJiXpNQg6zjhj6wBAMI9ZfwVHmCjRqnwVmCUL\n", |
| 113 | "TybvuTmkryGBqREwmSbHFFjg5ixG/ztwzON/Ly78aJ8Bql6ktCl9+/gh6VJcoZ0q\n", |
| 114 | "L8V8aT8+Ghfi+zrXM8S9BmLQ9n0fQe0wzKrDZh14EK4sb7zmOzFHSxm3eEXyS98g\n", |
| 115 | "Od4cjsc3ymNk88S4jpnLRtIVxZB+SQ==\n", |
| 116 | "-----END X509 CRL-----\n", |
| 117 | NULL |
| 118 | }; |
| 119 | |
| 120 | /* |
| 121 | * This is kBasicCRL but with a critical issuing distribution point |
| 122 | * extension. |
| 123 | */ |
| 124 | static const char *kKnownCriticalCRL[] = { |
| 125 | "-----BEGIN X509 CRL-----\n", |
| 126 | "MIIBujCBowIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", |
| 127 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n", |
| 128 | "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCEwHzAKBgNV\n", |
| 129 | "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wDQYJKoZIhvcNAQELBQADggEBAA+3\n", |
| 130 | "i+5e5Ub8sccfgOBs6WVJFI9c8gvJjrJ8/dYfFIAuCyeocs7DFXn1n13CRZ+URR/Q\n", |
| 131 | "mVWgU28+xeusuSPYFpd9cyYTcVyNUGNTI3lwgcE/yVjPaOmzSZKdPakApRxtpKKQ\n", |
| 132 | "NN/56aQz3bnT/ZSHQNciRB8U6jiD9V30t0w+FDTpGaG+7bzzUH3UVF9xf9Ctp60A\n", |
| 133 | "3mfLe0scas7owSt4AEFuj2SPvcE7yvdOXbu+IEv21cEJUVExJAbhvIweHXh6yRW+\n", |
| 134 | "7VVeiNzdIjkZjyTmAzoXGha4+wbxXyBRbfH+XWcO/H+8nwyG8Gktdu2QB9S9nnIp\n", |
| 135 | "o/1TpfOMSGhMyMoyPrk=\n", |
| 136 | "-----END X509 CRL-----\n", |
| 137 | NULL |
| 138 | }; |
| 139 | |
| 140 | /* |
| 141 | * kUnknownCriticalCRL is kBasicCRL but with an unknown critical extension. |
| 142 | */ |
| 143 | static const char *kUnknownCriticalCRL[] = { |
| 144 | "-----BEGIN X509 CRL-----\n", |
| 145 | "MIIBvDCBpQIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", |
| 146 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n", |
| 147 | "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCMwITAKBgNV\n", |
| 148 | "HRQEAwIBATATBgwqhkiG9xIEAYS3CQABAf8EADANBgkqhkiG9w0BAQsFAAOCAQEA\n", |
| 149 | "GvBP0xqL509InMj/3493YVRV+ldTpBv5uTD6jewzf5XdaxEQ/VjTNe5zKnxbpAib\n", |
| 150 | "Kf7cwX0PMSkZjx7k7kKdDlEucwVvDoqC+O9aJcqVmM6GDyNb9xENxd0XCXja6MZC\n", |
| 151 | "yVgP4AwLauB2vSiEprYJyI1APph3iAEeDm60lTXX/wBM/tupQDDujKh2GPyvBRfJ\n", |
| 152 | "+wEDwGg3ICwvu4gO4zeC5qnFR+bpL9t5tOMAQnVZ0NWv+k7mkd2LbHdD44dxrfXC\n", |
| 153 | "nhtfERx99SDmC/jtUAJrGhtCO8acr7exCeYcduN7KKCm91OeCJKK6OzWst0Og1DB\n", |
| 154 | "kwzzU2rL3G65CrZ7H0SZsQ==\n", |
| 155 | "-----END X509 CRL-----\n", |
| 156 | NULL |
| 157 | }; |
| 158 | |
| 159 | /* |
| 160 | * kUnknownCriticalCRL2 is kBasicCRL but with a critical issuing distribution |
| 161 | * point extension followed by an unknown critical extension |
| 162 | */ |
| 163 | static const char *kUnknownCriticalCRL2[] = { |
| 164 | "-----BEGIN X509 CRL-----\n", |
| 165 | "MIIBzzCBuAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", |
| 166 | "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n", |
| 167 | "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoDYwNDAKBgNV\n", |
| 168 | "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wEwYMKoZIhvcSBAGEtwkAAQH/BAAw\n", |
| 169 | "DQYJKoZIhvcNAQELBQADggEBACTcpQC8jXL12JN5YzOcQ64ubQIe0XxRAd30p7qB\n", |
| 170 | "BTXGpgqBjrjxRfLms7EBYodEXB2oXMsDq3km0vT1MfYdsDD05S+SQ9CDsq/pUfaC\n", |
| 171 | "E2WNI5p8WircRnroYvbN2vkjlRbMd1+yNITohXYXCJwjEOAWOx3XIM10bwPYBv4R\n", |
| 172 | "rDobuLHoMgL3yHgMHmAkP7YpkBucNqeBV8cCdeAZLuhXFWi6yfr3r/X18yWbC/r2\n", |
| 173 | "2xXdkrSqXLFo7ToyP8YKTgiXpya4x6m53biEYwa2ULlas0igL6DK7wjYZX95Uy7H\n", |
| 174 | "GKljn9weIYiMPV/BzGymwfv2EW0preLwtyJNJPaxbdin6Jc=\n", |
| 175 | "-----END X509 CRL-----\n", |
| 176 | NULL |
| 177 | }; |
| 178 | |
| 179 | static const char **unknown_critical_crls[] = { |
| 180 | kUnknownCriticalCRL, kUnknownCriticalCRL2 |
| 181 | }; |
| 182 | |
| 183 | static X509 *test_root = NULL; |
| 184 | static X509 *test_leaf = NULL; |
| 185 | |
| 186 | /* |
| 187 | * Glue an array of strings together. Return a BIO and put the string |
| 188 | * into |*out| so we can free it. |
| 189 | */ |
| 190 | static BIO *glue2bio(const char **pem, char **out) |
| 191 | { |
| 192 | size_t s = 0; |
| 193 | |
| 194 | *out = glue_strings(pem, &s); |
| 195 | return BIO_new_mem_buf(*out, s); |
| 196 | } |
| 197 | |
| 198 | /* |
| 199 | * Create a CRL from an array of strings. |
| 200 | */ |
| 201 | static X509_CRL *CRL_from_strings(const char **pem) |
| 202 | { |
| 203 | char *p; |
| 204 | BIO *b = glue2bio(pem, &p); |
| 205 | X509_CRL *crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); |
| 206 | |
| 207 | OPENSSL_free(p); |
| 208 | BIO_free(b); |
| 209 | return crl; |
| 210 | } |
| 211 | |
| 212 | /* |
| 213 | * Create an X509 from an array of strings. |
| 214 | */ |
| 215 | static X509 *X509_from_strings(const char **pem) |
| 216 | { |
| 217 | char *p; |
| 218 | BIO *b = glue2bio(pem, &p); |
| 219 | X509 *x = PEM_read_bio_X509(b, NULL, NULL, NULL); |
| 220 | |
| 221 | OPENSSL_free(p); |
| 222 | BIO_free(b); |
| 223 | return x; |
| 224 | } |
| 225 | |
| 226 | /* |
| 227 | * Verify |leaf| certificate (chained up to |root|). |crls| if |
| 228 | * not NULL, is a list of CRLs to include in the verification. It is |
| 229 | * also free'd before returning, which is kinda yucky but convenient. |
| 230 | * Returns a value from X509_V_ERR_xxx or X509_V_OK. |
| 231 | */ |
| 232 | static int verify(X509 *leaf, X509 *root, STACK_OF(X509_CRL) *crls, |
| 233 | unsigned long flags) |
| 234 | { |
| 235 | X509_STORE_CTX *ctx = X509_STORE_CTX_new(); |
| 236 | X509_STORE *store = X509_STORE_new(); |
| 237 | X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); |
| 238 | STACK_OF(X509) *roots = sk_X509_new_null(); |
| 239 | int status = X509_V_ERR_UNSPECIFIED; |
| 240 | |
| 241 | if (!TEST_ptr(ctx) |
| 242 | || !TEST_ptr(store) |
| 243 | || !TEST_ptr(param) |
| 244 | || !TEST_ptr(roots)) |
| 245 | goto err; |
| 246 | |
| 247 | /* Create a stack; upref the cert because we free it below. */ |
| 248 | X509_up_ref(root); |
| 249 | if (!TEST_true(sk_X509_push(roots, root)) |
| 250 | || !TEST_true(X509_STORE_CTX_init(ctx, store, leaf, NULL))) |
| 251 | goto err; |
| 252 | X509_STORE_CTX_set0_trusted_stack(ctx, roots); |
| 253 | X509_STORE_CTX_set0_crls(ctx, crls); |
| 254 | X509_VERIFY_PARAM_set_time(param, PARAM_TIME); |
| 255 | if (!TEST_long_eq((long)X509_VERIFY_PARAM_get_time(param), PARAM_TIME)) |
| 256 | goto err; |
| 257 | X509_VERIFY_PARAM_set_depth(param, 16); |
| 258 | if (flags) |
| 259 | X509_VERIFY_PARAM_set_flags(param, flags); |
| 260 | X509_STORE_CTX_set0_param(ctx, param); |
| 261 | param = NULL; |
| 262 | |
| 263 | ERR_clear_error(); |
| 264 | status = X509_verify_cert(ctx) == 1 ? X509_V_OK |
| 265 | : X509_STORE_CTX_get_error(ctx); |
| 266 | err: |
| 267 | sk_X509_pop_free(roots, X509_free); |
| 268 | sk_X509_CRL_pop_free(crls, X509_CRL_free); |
| 269 | X509_VERIFY_PARAM_free(param); |
| 270 | X509_STORE_CTX_free(ctx); |
| 271 | X509_STORE_free(store); |
| 272 | return status; |
| 273 | } |
| 274 | |
| 275 | /* |
| 276 | * Create a stack of CRL's. Upref each one because we call pop_free on |
| 277 | * the stack and need to keep the CRL's around until the test exits. |
| 278 | * Yes this crashes on malloc failure; it forces us to debug. |
| 279 | */ |
| 280 | static STACK_OF(X509_CRL) *make_CRL_stack(X509_CRL *x1, X509_CRL *x2) |
| 281 | { |
| 282 | STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null(); |
| 283 | |
| 284 | sk_X509_CRL_push(sk, x1); |
| 285 | X509_CRL_up_ref(x1); |
| 286 | if (x2 != NULL) { |
| 287 | sk_X509_CRL_push(sk, x2); |
| 288 | X509_CRL_up_ref(x2); |
| 289 | } |
| 290 | return sk; |
| 291 | } |
| 292 | |
| 293 | static int test_basic_crl(void) |
| 294 | { |
| 295 | X509_CRL *basic_crl = CRL_from_strings(kBasicCRL); |
| 296 | X509_CRL *revoked_crl = CRL_from_strings(kRevokedCRL); |
| 297 | int r; |
| 298 | |
| 299 | r = TEST_ptr(basic_crl) |
| 300 | && TEST_ptr(revoked_crl) |
| 301 | && TEST_int_eq(verify(test_leaf, test_root, |
| 302 | make_CRL_stack(basic_crl, NULL), |
| 303 | X509_V_FLAG_CRL_CHECK), X509_V_OK) |
| 304 | && TEST_int_eq(verify(test_leaf, test_root, |
| 305 | make_CRL_stack(basic_crl, revoked_crl), |
| 306 | X509_V_FLAG_CRL_CHECK), X509_V_ERR_CERT_REVOKED); |
| 307 | X509_CRL_free(basic_crl); |
| 308 | X509_CRL_free(revoked_crl); |
| 309 | return r; |
| 310 | } |
| 311 | |
| 312 | static int test_no_crl(void) |
| 313 | { |
| 314 | return TEST_int_eq(verify(test_leaf, test_root, NULL, |
| 315 | X509_V_FLAG_CRL_CHECK), |
| 316 | X509_V_ERR_UNABLE_TO_GET_CRL); |
| 317 | } |
| 318 | |
| 319 | static int test_bad_issuer_crl(void) |
| 320 | { |
| 321 | X509_CRL *bad_issuer_crl = CRL_from_strings(kBadIssuerCRL); |
| 322 | int r; |
| 323 | |
| 324 | r = TEST_ptr(bad_issuer_crl) |
| 325 | && TEST_int_eq(verify(test_leaf, test_root, |
| 326 | make_CRL_stack(bad_issuer_crl, NULL), |
| 327 | X509_V_FLAG_CRL_CHECK), |
| 328 | X509_V_ERR_UNABLE_TO_GET_CRL); |
| 329 | X509_CRL_free(bad_issuer_crl); |
| 330 | return r; |
| 331 | } |
| 332 | |
| 333 | static int test_known_critical_crl(void) |
| 334 | { |
| 335 | X509_CRL *known_critical_crl = CRL_from_strings(kKnownCriticalCRL); |
| 336 | int r; |
| 337 | |
| 338 | r = TEST_ptr(known_critical_crl) |
| 339 | && TEST_int_eq(verify(test_leaf, test_root, |
| 340 | make_CRL_stack(known_critical_crl, NULL), |
| 341 | X509_V_FLAG_CRL_CHECK), X509_V_OK); |
| 342 | X509_CRL_free(known_critical_crl); |
| 343 | return r; |
| 344 | } |
| 345 | |
| 346 | static int test_unknown_critical_crl(int n) |
| 347 | { |
| 348 | X509_CRL *unknown_critical_crl = CRL_from_strings(unknown_critical_crls[n]); |
| 349 | int r; |
| 350 | |
| 351 | r = TEST_ptr(unknown_critical_crl) |
| 352 | && TEST_int_eq(verify(test_leaf, test_root, |
| 353 | make_CRL_stack(unknown_critical_crl, NULL), |
| 354 | X509_V_FLAG_CRL_CHECK), |
| 355 | X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION); |
| 356 | X509_CRL_free(unknown_critical_crl); |
| 357 | return r; |
| 358 | } |
| 359 | |
| 360 | static int test_reuse_crl(void) |
| 361 | { |
| 362 | X509_CRL *reused_crl = CRL_from_strings(kBasicCRL); |
| 363 | char *p; |
| 364 | BIO *b = glue2bio(kRevokedCRL, &p); |
| 365 | |
| 366 | reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL); |
| 367 | |
| 368 | OPENSSL_free(p); |
| 369 | BIO_free(b); |
| 370 | X509_CRL_free(reused_crl); |
| 371 | return 1; |
| 372 | } |
| 373 | |
| 374 | int setup_tests(void) |
| 375 | { |
| 376 | if (!TEST_ptr(test_root = X509_from_strings(kCRLTestRoot)) |
| 377 | || !TEST_ptr(test_leaf = X509_from_strings(kCRLTestLeaf))) |
| 378 | return 0; |
| 379 | |
| 380 | ADD_TEST(test_no_crl); |
| 381 | ADD_TEST(test_basic_crl); |
| 382 | ADD_TEST(test_bad_issuer_crl); |
| 383 | ADD_TEST(test_known_critical_crl); |
| 384 | ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls)); |
| 385 | ADD_TEST(test_reuse_crl); |
| 386 | return 1; |
| 387 | } |
| 388 | |
| 389 | void cleanup_tests(void) |
| 390 | { |
| 391 | X509_free(test_root); |
| 392 | X509_free(test_leaf); |
| 393 | } |