From e060515c093c55fb3aabf4b8204534afc6277f33 Mon Sep 17 00:00:00 2001
From: jsing
Date: Thu, 6 Jan 2022 04:42:00 +0000
Subject: [PATCH] Add test coverage for SCT validation.

Of note, the public APIs for this mean that the only way you can add a CTLOG is by reading a configuration file from disk - there is no programmatic way to do this.
---
 regress/lib/libcrypto/ct/Makefile | 4 +-
 regress/lib/libcrypto/ct/ctlog.conf | 5 ++
 regress/lib/libcrypto/ct/cttest.c | 84 +++++++++++++++++++--
 regress/lib/libcrypto/ct/letsencrypt-r3.crt | 30 ++++++++
 4 files changed, 116 insertions(+), 7 deletions(-)
 create mode 100644 regress/lib/libcrypto/ct/ctlog.conf
 create mode 100644 regress/lib/libcrypto/ct/letsencrypt-r3.crt

diff --git a/regress/lib/libcrypto/ct/Makefile b/regress/lib/libcrypto/ct/Makefile
index ba93566d29c..ca17d824c56 100644
--- a/regress/lib/libcrypto/ct/Makefile
+++ b/regress/lib/libcrypto/ct/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.1 2021/12/05 13:01:08 jsing Exp $
+# $OpenBSD: Makefile,v 1.2 2022/01/06 04:42:00 jsing Exp $
 PROG= cttest
 LDADD= ${CRYPTO_INT}
@@ -14,6 +14,6 @@ REGRESS_TARGETS= \
 regress-cttest: ${PROG}
 ./cttest \
- ${.CURDIR}/../../libcrypto/ct/libressl.org.crt
+ ${.CURDIR}/../../libcrypto/ct/
 .include
diff --git a/regress/lib/libcrypto/ct/ctlog.conf b/regress/lib/libcrypto/ct/ctlog.conf
new file mode 100644
index 00000000000..83a01f63ca3
--- /dev/null
+++ b/regress/lib/libcrypto/ct/ctlog.conf
@@ -0,0 +1,5 @@
+enabled_logs = argon2022
+
+[argon2022]
+description = Google Argon 2022
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeIPc6fGmuBg6AJkv/z7NFckmHvf/OqmjchZJ6wm2qN200keRDg352dWpi7CHnSV51BpQYAj1CQY5JuRAwrrDwg==
diff --git a/regress/lib/libcrypto/ct/cttest.c b/regress/lib/libcrypto/ct/cttest.c
index a14ae75d898..803b976ef66 100644
--- a/regress/lib/libcrypto/ct/cttest.c
+++ b/regress/lib/libcrypto/ct/cttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cttest.c,v 1.2 2021/12/20 16:52:26 jsing Exp $ */
+/* $OpenBSD: cttest.c,v 1.3 2022/01/06 04:42:00 jsing Exp $ */
 /*
 * Copyright (c) 2021 Joel Sing
 *
@@ -24,7 +24,9 @@
 #include "ct/ct.h"
-const char *test_cert_file;
+char *test_ctlog_conf_file;
+char *test_cert_file;
+char *test_issuer_file;
 const int debug = 0;
@@ -391,21 +393,93 @@ ct_sct_base64_test(void)
 return failed;
 }
+static int
+ct_sct_verify_test(void)
+{
+ STACK_OF(SCT) *scts = NULL;
+ CT_POLICY_EVAL_CTX *ct_policy = NULL;
+ CTLOG_STORE *ctlog_store = NULL;
+ X509 *cert = NULL, *issuer = NULL;
+ const uint8_t *p;
+ SCT *sct;
+ int failed = 1;
+
+ cert_from_file(test_cert_file, &cert);
+ cert_from_file(test_issuer_file, &issuer);
+
+ if ((ctlog_store = CTLOG_STORE_new()) == NULL)
+ goto failure;
+ if (!CTLOG_STORE_load_file(ctlog_store, test_ctlog_conf_file))
+ goto failure;
+
+ if ((ct_policy = CT_POLICY_EVAL_CTX_new()) == NULL)
+ goto failure;
+
+ CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ct_policy, ctlog_store);
+ CT_POLICY_EVAL_CTX_set_time(ct_policy, 1641393117000);
+
+ if (!CT_POLICY_EVAL_CTX_set1_cert(ct_policy, cert))
+ goto failure;
+ if (!CT_POLICY_EVAL_CTX_set1_issuer(ct_policy, issuer))
+ goto failure;
+
+ p = scts_asn1;
+ if ((scts = d2i_SCT_LIST(NULL, &p, sizeof(scts_asn1))) == NULL) {
+ fprintf(stderr, "FAIL: failed to decode SCTS from ASN.1\n");
+ ERR_print_errors_fp(stderr);
+ goto failure;
+ }
+ sct = sk_SCT_value(scts, 0);
+
+ if (!SCT_set_log_entry_type(sct, CT_LOG_ENTRY_TYPE_PRECERT))
+ goto failure;
+ if (!SCT_validate(sct, ct_policy)) {
+ fprintf(stderr, "FAIL: SCT_validate failed\n");
+ ERR_print_errors_fp(stderr);
+ goto failure;
+ }
+
+ failed = 0;
+
+ failure:
+ CT_POLICY_EVAL_CTX_free(ct_policy);
+ CTLOG_STORE_free(ctlog_store);
+ X509_free(cert);
+ X509_free(issuer);
+
+ return failed;
+}
+
 int
 main(int argc, char **argv)
 {
+ const char *ctpath;
 int failed = 0;
 if (argc != 2) {
- fprintf(stderr, "usage: %s certfile\n", argv[0]);
+ fprintf(stderr, "usage: %s ctpath\n", argv[0]);
 exit(1);
 }
-
- test_cert_file = argv[1];
+ ctpath = argv[1];
+
+ if (asprintf(&test_cert_file, "%s/%s", ctpath,
+ "libressl.org.crt") == -1)
+ errx(1, "asprintf test_cert_file");
+ if (asprintf(&test_issuer_file, "%s/%s", ctpath,
+ "letsencrypt-r3.crt") == -1)
+ errx(1, "asprintf test_issuer_file");
+ if (asprintf(&test_ctlog_conf_file, "%s/%s", ctpath,
+ "ctlog.conf") == -1)
+ errx(1, "asprintf test_ctlog_conf_file");
 failed |= ct_cert_test();
 failed |= ct_sct_test();
 failed |= ct_sct_base64_test();
+ failed |= ct_sct_verify_test();
+
+ free(test_cert_file);
+ free(test_issuer_file);
+ free(test_ctlog_conf_file);
 return (failed);
 }
diff --git a/regress/lib/libcrypto/ct/letsencrypt-r3.crt b/regress/lib/libcrypto/ct/letsencrypt-r3.crt
new file mode 100644
index 00000000000..43b222a60a5
--- /dev/null
+++ b/regress/lib/libcrypto/ct/letsencrypt-r3.crt
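Review bot: The SCT list that d2i_SCT_LIST() returns into `scts` in ct_sct_verify_test() is never released — the `failure:` cleanup frees the policy context, the log store and both certificates but not the list, so `SCT_LIST_free(scts);` belongs there alongside them. The result of `sk_SCT_value(scts, 0)` is also used unchecked, so a list that decodes with no entries would hand a NULL `sct` to SCT_set_log_entry_type(); `if ((sct = sk_SCT_value(scts, 0)) == NULL) goto failure;` closes that. If SCT_validate() follows the OpenSSL-derived contract of returning a negative value on internal error, `!SCT_validate(sct, ct_policy)` treats such an error as a pass; `if (SCT_validate(sct, ct_policy) != 1) {` makes the test fail on errors as well as on an invalid SCT. The two cert_from_file() calls at the top of the function discard their results — that helper is defined outside this hunk, but if it signals failure through its return value those should be checked rather than letting a NULL `cert`/`issuer` reach the set1 calls — and a one-line comment on the `CT_POLICY_EVAL_CTX_set_time` argument, e.g. `/* fixed epoch time in milliseconds so the result does not depend on the wall clock */`, would explain the constant to the next reader.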
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
-- 
2.20.1