From: jan <jan@openbsd.org>
Date: Tue, 16 Feb 2021 21:39:17 +0000 (+0000)
Subject: Add x509 certificate validation regression tests
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=6ae4596101d4f88c04fc02271c3c0786a4007fbf;p=openbsd

Add x509 certificate validation regression tests

The validation tests are originaly createtd by Steffen Ullrich.

OK tb@
No objection jsing@
---

diff --git a/regress/usr.bin/openssl/Makefile b/regress/usr.bin/openssl/Makefile
index 0ef7928ea4f..d41b65a3f43 100644
--- a/regress/usr.bin/openssl/Makefile
+++ b/regress/usr.bin/openssl/Makefile
@@ -1,6 +1,6 @@
-#	$OpenBSD: Makefile,v 1.6 2018/03/19 03:41:40 beck Exp $
+#	$OpenBSD: Makefile,v 1.7 2021/02/16 21:39:17 jan Exp $
 
-SUBDIR= options
+SUBDIR= options x509
 
 CLEANFILES+= testdsa.key testdsa.pem rsakey.pem rsacert.pem dsa512.pem
 CLEANFILES+= appstest_dir
diff --git a/regress/usr.bin/openssl/x509/Makefile b/regress/usr.bin/openssl/x509/Makefile
new file mode 100644
index 00000000000..b20cb1d9bdd
--- /dev/null
+++ b/regress/usr.bin/openssl/x509/Makefile
@@ -0,0 +1,129 @@
+# $OpenBSD: Makefile,v 1.1 2021/02/16 21:39:17 jan Exp $
+
+# Copyright (c) 2021 Jan Klemkow <j.klemkow@wemelug.de>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# This regression test is based on manual test descriptions from:
+# https://github.com/noxxi/libressl-tests
+
+# The following port must be installed for the regression tests:
+# p5-IO-Socket-SSL	perl interface to SSL sockets
+
+PERL =		perl
+OPENSSL ?=	openssl
+
+PKG_REQUIRE != pkg_info -e 'p5-IO-Socket-SSL-*'
+.if empty (PKG_REQUIRE)
+regress:
+	@echo "missing package p5-IO-Socket-SSL"
+	@echo SKIPPED
+.endif
+
+REGRESS_TARGETS +=	test-inlabel-wildcard-cert-no-CA-client
+REGRESS_TARGETS +=	test-inlabel-wildcard-cert-CA-client
+REGRESS_TARGETS +=	test-common-wildcard-cert-no-CA-client
+REGRESS_TARGETS +=	test-common-wildcard-cert-CA-client
+REGRESS_TARGETS +=	test-verify-unusual-wildcard-cert
+REGRESS_TARGETS +=	test-openssl-verify-common-wildcard-cert
+REGRESS_TARGETS +=	test-chain-certificates-s_server
+REGRESS_TARGETS +=	test-alternative-chain
+REGRESS_CLEANUP =	cleanup-ssl
+REGRESS_SETUP_ONCE =	create-libressl-test-certs
+
+REGRESS_EXPECTED_FAILURES +=	test-unusual-wildcard-cert-no-CA-client
+REGRESS_EXPECTED_FAILURES +=	test-common-wildcard-cert-no-CA-client
+REGRESS_EXPECTED_FAILURES +=	test-common-wildcard-cert-CA-client
+REGRESS_EXPECTED_FAILURES +=	test-verify-unusual-wildcard-cert
+
+create-libressl-test-certs: create-libressl-test-certs.pl
+	${PERL} ${.CURDIR}/$@.pl
+
+cleanup-ssl:
+	rm *.pem *.key
+
+test-inlabel-wildcard-cert-no-CA-client:
+	# unusual wildcard cert, no CA given to client
+	# start server
+	${OPENSSL} s_server -cert server-unusual-wildcard.pem \
+	    -key server-unusual-wildcard.pem & \
+	    timeout=$$(($$(date +%s) + 5)); \
+	    while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+		do test $$(date +%s) -lt $$timeout || exit 1; done
+	# start client
+	echo "Q" | ${OPENSSL} s_client -verify_return_error \
+	    | grep "Verify return code: 21"
+
+test-inlabel-wildcard-cert-CA-client:
+	# unusual wildcard cert, CA given to client
+	# start server
+	${OPENSSL} s_server -cert server-unusual-wildcard.pem \
+	    -key server-unusual-wildcard.pem & \
+	    timeout=$$(($$(date +%s) + 5)); \
+	    while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+		do test $$(date +%s) -lt $$timeout || exit 1; done
+	# start client
+	echo "Q" | ${OPENSSL} s_client -CAfile caR.pem \
+	    | grep "Verify return code: 0"
+
+test-common-wildcard-cert-no-CA-client:
+	# common wildcard cert, no CA given to client
+	# start server
+	${OPENSSL} s_server -cert server-common-wildcard.pem \
+	    -key server-common-wildcard.pem & \
+	    timeout=$$(($$(date +%s) + 5)); \
+	    while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+		do test $$(date +%s) -lt $$timeout || exit 1; done
+	# start client
+	echo "Q" | ${OPENSSL} s_client \
+	    | grep "Verify return code: 21"
+
+test-common-wildcard-cert-CA-client:
+	# common wildcard cert, CA given to client
+	# start server
+	${OPENSSL} s_server -cert server-unusual-wildcard.pem \
+	    -key server-unusual-wildcard.pem & \
+	    timeout=$$(($$(date +%s) + 5)); \
+	    while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+		do test $$(date +%s) -lt $$timeout || exit 1; done
+	# start client
+	echo "Q" | ${OPENSSL} s_client -CAfile caR.pem \
+	    | grep "Verify return code: 21"
+
+test-verify-unusual-wildcard-cert:
+	# openssl verify, unusual wildcard cert
+	${OPENSSL} verify -CAfile caR.pem server-unusual-wildcard.pem \
+	    | grep "server-unusual-wildcard.pem: OK"
+
+test-openssl-verify-common-wildcard-cert:
+	# openssl verify, common wildcard cert
+	${OPENSSL} verify -CAfile caR.pem server-common-wildcard.pem \
+	    | grep "server-common-wildcard.pem: OK"
+
+test-chain-certificates-s_server:
+	# Not all chain certificates are sent in s_server
+	# start server
+	# ${OPENSSL} s_server -cert server-subca.pem        -CAfile subcaR.pem
+	${OPENSSL} s_server -cert server-subca-chainS.pem -CAfile subcaR.pem & \
+	    timeout=$$(($$(date +%s) + 5)); \
+	    while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+		do test $$(date +%s) -lt $$timeout || exit 1; done
+	# start client
+	 ${OPENSSL} s_client -CAfile caR.pem | grep "Verify return code: 0"
+
+test-alternative-chain:
+	# alternative chain not found
+	${OPENSSL} verify -verbose -trusted caR.pem -untrusted chainSX.pem \
+	   server-subca.pem | grep "server-subca.pem: OK"
+
+.include <bsd.regress.mk>
diff --git a/regress/usr.bin/openssl/x509/create-libressl-test-certs.pl b/regress/usr.bin/openssl/x509/create-libressl-test-certs.pl
new file mode 100755
index 00000000000..fdb718aadcd
--- /dev/null
+++ b/regress/usr.bin/openssl/x509/create-libressl-test-certs.pl
@@ -0,0 +1,111 @@
+#!/usr/bin/perl
+
+# Copyright (c) 2021 Steffen Ullrich <sullr@cpan.org>
+# Public Domain
+
+use strict;
+use warnings;
+use IO::Socket::SSL::Utils;
+
+# primitive CA - ROOT
+my @ca = cert(
+    CA => 1,
+    subject => { CN => 'ROOT' }
+);
+out('caR.pem', pem(crt => $ca[0]));
+out('caR.key', pem(key => $ca[1]));
+
+# server certificate where SAN contains in-label wildcards, which a
+# client MAY choose to accept as per RFC 6125 section 6.4.3.
+my @leafcert = cert(
+    issuer => \@ca,
+    purpose => 'server',
+    subject => { CN => 'server.local' },
+    subjectAltNames => [ 
+	[ DNS => 'bar.server.local' ],
+	[ DNS => 'www*.server.local'], 
+	[ DNS => '*.www.server.local'], 
+	[ DNS => 'foo.server.local' ],
+	[ DNS => 'server.local' ],
+    ]
+);
+out('server-unusual-wildcard.pem', pem(@leafcert));
+
+@leafcert = cert(
+    issuer => \@ca,
+    purpose => 'server',
+    subject => { CN => 'server.local' },
+    subjectAltNames => [ 
+	[ DNS => 'bar.server.local' ],
+	[ DNS => '*.www.server.local'], 
+	[ DNS => 'foo.server.local' ],
+	[ DNS => 'server.local' ],
+    ]
+);
+out('server-common-wildcard.pem', pem(@leafcert));
+
+# alternative CA - OLD_ROOT
+my @caO = cert(
+    CA => 1,
+    subject => { CN => 'OLD_ROOT' }
+);
+out('caO.pem', pem(crt => $caO[0]));
+out('caO.key', pem(key => $caO[1]));
+
+# alternative ROOT CA, signed by OLD_ROOT, same key as other ROOT CA
+my @caX = cert(
+    issuer => \@caO,
+    CA => 1,
+    subject => { CN => 'ROOT' },
+    key => $ca[1],
+);
+out('caX.pem', pem(crt => $caX[0]));
+out('caX.key', pem(key => $caX[1]));
+
+# subCA below ROOT
+my @subcaR = cert(
+    issuer => \@ca,
+    CA => 1,
+    subject => { CN => 'SubCA.of.ROOT' }
+);
+out('subcaR.pem', pem(crt => $subcaR[0]));
+out('subcaR.key', pem(key => $subcaR[1]));
+out('chainSX.pem', pem($subcaR[0]), pem($caX[0]));
+
+@leafcert = cert(
+    issuer => \@subcaR,
+    purpose => 'server',
+    subject => { CN => 'server.subca.local' },
+    subjectAltNames => [ 
+	[ DNS => 'server.subca.local' ],
+    ]
+);
+out('server-subca.pem', pem(@leafcert));
+out('server-subca-chainSX.pem', pem(@leafcert, $subcaR[0], $caX[0]));
+out('server-subca-chainS.pem', pem(@leafcert, $subcaR[0]));
+
+
+sub cert { CERT_create(not_after => 10*365*86400+time(), @_) }
+sub pem {
+    my @default = qw(crt key);
+    my %m = (key => \&PEM_key2string, crt => \&PEM_cert2string);
+    my $result = '';
+    while (my $f = shift(@_)) {
+	my $v;
+	if ($f =~m{^(key|crt)$}) {
+	    $v = shift(@_);
+	} else {
+	    $v = $f;
+	    $f = shift(@default) || 'crt';
+	}
+	$f = $m{$f} || die "wrong key $f";
+	$result .= $f->($v);
+    }
+    return $result;
+}
+    
+sub out {
+    my $file = shift;
+    open(my $fh,'>',"$file") or die "failed to create $file: $!";
+    print $fh @_
+}