Add test coverage for SCT validation.
authorjsing <jsing@openbsd.org>
Thu, 6 Jan 2022 04:42:00 +0000 (04:42 +0000)
committerjsing <jsing@openbsd.org>
Thu, 6 Jan 2022 04:42:00 +0000 (04:42 +0000)
Of note, the public APIs for this mean that the only way you can add a
CTLOG is by reading a configuration file from disk - there is no
programmatic way to do this.

regress/lib/libcrypto/ct/Makefile
regress/lib/libcrypto/ct/ctlog.conf [new file with mode: 0644]
regress/lib/libcrypto/ct/cttest.c
regress/lib/libcrypto/ct/letsencrypt-r3.crt [new file with mode: 0644]

index ba93566..ca17d82 100644 (file)
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.1 2021/12/05 13:01:08 jsing Exp $
+# $OpenBSD: Makefile,v 1.2 2022/01/06 04:42:00 jsing Exp $
 
 PROG=          cttest
 LDADD=         ${CRYPTO_INT}
@@ -14,6 +14,6 @@ REGRESS_TARGETS= \
 
 regress-cttest: ${PROG}
        ./cttest \
-           ${.CURDIR}/../../libcrypto/ct/libressl.org.crt
+           ${.CURDIR}/../../libcrypto/ct/
 
 .include <bsd.regress.mk>
diff --git a/regress/lib/libcrypto/ct/ctlog.conf b/regress/lib/libcrypto/ct/ctlog.conf
new file mode 100644 (file)
index 0000000..83a01f6
--- /dev/null
@@ -0,0 +1,5 @@
+enabled_logs = argon2022
+
+[argon2022]
+description = Google Argon 2022
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeIPc6fGmuBg6AJkv/z7NFckmHvf/OqmjchZJ6wm2qN200keRDg352dWpi7CHnSV51BpQYAj1CQY5JuRAwrrDwg==
index a14ae75..803b976 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: cttest.c,v 1.2 2021/12/20 16:52:26 jsing Exp $ */
+/* $OpenBSD: cttest.c,v 1.3 2022/01/06 04:42:00 jsing Exp $ */
 /*
  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -24,7 +24,9 @@
 
 #include "ct/ct.h"
 
-const char *test_cert_file;
+char *test_ctlog_conf_file;
+char *test_cert_file;
+char *test_issuer_file;
 
 const int debug = 0;
 
@@ -391,21 +393,93 @@ ct_sct_base64_test(void)
        return failed;
 }
 
+static int
+ct_sct_verify_test(void)
+{
+       STACK_OF(SCT) *scts = NULL;
+       CT_POLICY_EVAL_CTX *ct_policy = NULL;
+       CTLOG_STORE *ctlog_store = NULL;
+       X509 *cert = NULL, *issuer = NULL;
+       const uint8_t *p;
+       SCT *sct;
+       int failed = 1;
+
+       cert_from_file(test_cert_file, &cert);
+       cert_from_file(test_issuer_file, &issuer);
+
+       if ((ctlog_store = CTLOG_STORE_new()) == NULL)
+               goto failure;
+       if (!CTLOG_STORE_load_file(ctlog_store, test_ctlog_conf_file))
+               goto failure;
+
+       if ((ct_policy = CT_POLICY_EVAL_CTX_new()) == NULL)
+               goto failure;
+
+       CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ct_policy, ctlog_store);
+       CT_POLICY_EVAL_CTX_set_time(ct_policy, 1641393117000);
+
+       if (!CT_POLICY_EVAL_CTX_set1_cert(ct_policy, cert))
+               goto failure;
+       if (!CT_POLICY_EVAL_CTX_set1_issuer(ct_policy, issuer))
+               goto failure;
+
+       p = scts_asn1;
+       if ((scts = d2i_SCT_LIST(NULL, &p, sizeof(scts_asn1))) == NULL) {
+               fprintf(stderr, "FAIL: failed to decode SCTS from ASN.1\n");
+               ERR_print_errors_fp(stderr);
+               goto failure;
+       }
+       sct = sk_SCT_value(scts, 0);
+
+       if (!SCT_set_log_entry_type(sct, CT_LOG_ENTRY_TYPE_PRECERT))
+               goto failure;
+       if (!SCT_validate(sct, ct_policy)) {
+               fprintf(stderr, "FAIL: SCT_validate failed\n");
+               ERR_print_errors_fp(stderr);
+               goto failure;
+       }
+
+       failed = 0;
+
+ failure:
+       CT_POLICY_EVAL_CTX_free(ct_policy);
+       CTLOG_STORE_free(ctlog_store);
+       X509_free(cert);
+       X509_free(issuer);
+
+       return failed;
+}
+
 int
 main(int argc, char **argv)
 {
+       const char *ctpath;
        int failed = 0;
 
         if (argc != 2) {
-               fprintf(stderr, "usage: %s certfile\n", argv[0]);
+               fprintf(stderr, "usage: %s ctpath\n", argv[0]);
                exit(1);
        }
-
-       test_cert_file = argv[1];
+       ctpath = argv[1];
+
+       if (asprintf(&test_cert_file, "%s/%s", ctpath,
+           "libressl.org.crt") == -1)
+               errx(1, "asprintf test_cert_file");
+       if (asprintf(&test_issuer_file, "%s/%s", ctpath,
+           "letsencrypt-r3.crt") == -1)
+               errx(1, "asprintf test_issuer_file");
+       if (asprintf(&test_ctlog_conf_file, "%s/%s", ctpath,
+           "ctlog.conf") == -1)
+               errx(1, "asprintf test_ctlog_conf_file");
 
        failed |= ct_cert_test();
        failed |= ct_sct_test();
        failed |= ct_sct_base64_test();
+       failed |= ct_sct_verify_test();
+
+       free(test_cert_file);
+       free(test_issuer_file);
+       free(test_ctlog_conf_file);
 
        return (failed);
 }
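Review bot: The SCT list returned by d2i_SCT_LIST in ct_sct_verify_test is never released: `scts` is not freed under the `failure:` label, so the success path and every early exit after the decode leak it; add `SCT_LIST_free(scts);` next to the other cleanup calls. The results of the two `cert_from_file()` calls are discarded, so a missing or unparsable file leaves `cert` or `issuer` NULL and the failure only shows up later inside `CT_POLICY_EVAL_CTX_set1_cert()`/`set1_issuer()` (or as a NULL dereference, depending on how those handle it) — `cert_from_file` is defined outside this hunk, so check its return convention and guard each call with `goto failure` accordingly. `sk_SCT_value(scts, 0)` returns NULL for an empty list, which `SCT_set_log_entry_type()` would then be handed; an explicit `if ((sct = sk_SCT_value(scts, 0)) == NULL) goto failure;` makes that case a clean test failure. The literal passed to `CT_POLICY_EVAL_CTX_set_time()` deserves a comment saying what it is, e.g. `/* evaluation time, ms since the epoch (2022-01-05 UTC); must lie within the log's validity window */`, since the test silently depends on it.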
diff --git a/regress/lib/libcrypto/ct/letsencrypt-r3.crt b/regress/lib/libcrypto/ct/letsencrypt-r3.crt
new file mode 100644 (file)
index 0000000..43b222a
--- /dev/null
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----