Add test coverage for SCT validation.

Of note, the public APIs for this mean that the only way you can add a CTLOG is by reading a configuration file from disk - there is no programmatic way to do this.
author: jsing <> 2022-01-06 04:42:00 +0000
committer: jsing <> 2022-01-06 04:42:00 +0000
commit: 852b4f187cfe1eef2690095adf0f02e42f13443c (patch)
tree: 2488bdbbdd25f8ccdc56429e41e9968c342985f8 /src/regress/lib
parent: cb6132904d89fe3bdde57b1438faf9ad96a85173 (diff)
download: openbsd-852b4f187cfe1eef2690095adf0f02e42f13443c.tar.gz
openbsd-852b4f187cfe1eef2690095adf0f02e42f13443c.tar.bz2
openbsd-852b4f187cfe1eef2690095adf0f02e42f13443c.zip
4 files changed, 116 insertions, 7 deletions
diff --git a/src/regress/lib/libcrypto/ct/Makefile b/src/regress/lib/libcrypto/ct/Makefile
index ba93566d29..ca17d824c5 100644
--- a/src/regress/lib/libcrypto/ct/Makefile
+++ b/src/regress/lib/libcrypto/ct/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.1 2021/12/05 13:01:08 jsing Exp $
+# $OpenBSD: Makefile,v 1.2 2022/01/06 04:42:00 jsing Exp $
 PROG=           cttest
 LDADD=          ${CRYPTO_INT}
@@ -14,6 +14,6 @@ REGRESS_TARGETS= \
 regress-cttest: ${PROG}
        ./cttest \
-            ${.CURDIR}/../../libcrypto/ct/libressl.org.crt
+            ${.CURDIR}/../../libcrypto/ct/
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/ct/ctlog.conf b/src/regress/lib/libcrypto/ct/ctlog.conf
new file mode 100644
index 0000000000..83a01f63ca
--- /dev/null
+++ b/src/regress/lib/libcrypto/ct/ctlog.conf
@@ -0,0 +1,5 @@
+enabled_logs = argon2022
+[argon2022]
+description = Google Argon 2022
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeIPc6fGmuBg6AJkv/z7NFckmHvf/OqmjchZJ6wm2qN200keRDg352dWpi7CHnSV51BpQYAj1CQY5JuRAwrrDwg==
diff --git a/src/regress/lib/libcrypto/ct/cttest.c b/src/regress/lib/libcrypto/ct/cttest.c
index a14ae75d89..803b976ef6 100644
--- a/src/regress/lib/libcrypto/ct/cttest.c
+++ b/src/regress/lib/libcrypto/ct/cttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cttest.c,v 1.2 2021/12/20 16:52:26 jsing Exp $ */
+/* $OpenBSD: cttest.c,v 1.3 2022/01/06 04:42:00 jsing Exp $ */
 /*
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
 *
@@ -24,7 +24,9 @@
 #include "ct/ct.h"
-const char *test_cert_file;
+char *test_ctlog_conf_file;
+char *test_cert_file;
+char *test_issuer_file;
 const int debug = 0;
@@ -391,21 +393,93 @@ ct_sct_base64_test(void)
        return failed;
 }
+static int
+ct_sct_verify_test(void)
+{
+        STACK_OF(SCT) *scts = NULL;
+        CT_POLICY_EVAL_CTX *ct_policy = NULL;
+        CTLOG_STORE *ctlog_store = NULL;
+        X509 *cert = NULL, *issuer = NULL;
+        const uint8_t *p;
+        SCT *sct;
+        int failed = 1;
+        cert_from_file(test_cert_file, &cert);
+        cert_from_file(test_issuer_file, &issuer);
+        if ((ctlog_store = CTLOG_STORE_new()) == NULL)
+                goto failure;
+        if (!CTLOG_STORE_load_file(ctlog_store, test_ctlog_conf_file))
+                goto failure;
+        if ((ct_policy = CT_POLICY_EVAL_CTX_new()) == NULL)
+                goto failure;
+        CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ct_policy, ctlog_store);
+        CT_POLICY_EVAL_CTX_set_time(ct_policy, 1641393117000);
+        if (!CT_POLICY_EVAL_CTX_set1_cert(ct_policy, cert))
+                goto failure;
+        if (!CT_POLICY_EVAL_CTX_set1_issuer(ct_policy, issuer))
+                goto failure;
+        p = scts_asn1;
+        if ((scts = d2i_SCT_LIST(NULL, &p, sizeof(scts_asn1))) == NULL) {
+                fprintf(stderr, "FAIL: failed to decode SCTS from ASN.1\n");
+                ERR_print_errors_fp(stderr);
+                goto failure;
+        }
+        sct = sk_SCT_value(scts, 0);
+        if (!SCT_set_log_entry_type(sct, CT_LOG_ENTRY_TYPE_PRECERT))
+                goto failure;
+        if (!SCT_validate(sct, ct_policy)) {
+                fprintf(stderr, "FAIL: SCT_validate failed\n");
+                ERR_print_errors_fp(stderr);
+                goto failure;
+        }
+        failed = 0;
+ failure:
+        CT_POLICY_EVAL_CTX_free(ct_policy);
+        CTLOG_STORE_free(ctlog_store);
+        X509_free(cert);
+        X509_free(issuer);
+        return failed;
+}
 int
 main(int argc, char **argv)
 {
+        const char *ctpath;
        int failed = 0;
        if (argc != 2) {
-                fprintf(stderr, "usage: %s certfile\n", argv[0]);
+                fprintf(stderr, "usage: %s ctpath\n", argv[0]);
                exit(1);
        }
+        ctpath = argv[1];
-        test_cert_file = argv[1];
+        if (asprintf(&test_cert_file, "%s/%s", ctpath,
+            "libressl.org.crt") == -1)
+                errx(1, "asprintf test_cert_file");
+        if (asprintf(&test_issuer_file, "%s/%s", ctpath,
+            "letsencrypt-r3.crt") == -1)
+                errx(1, "asprintf test_issuer_file");
+        if (asprintf(&test_ctlog_conf_file, "%s/%s", ctpath,
+            "ctlog.conf") == -1)
+                errx(1, "asprintf test_ctlog_conf_file");
        failed |= ct_cert_test();
        failed |= ct_sct_test();
        failed |= ct_sct_base64_test();
+        failed |= ct_sct_verify_test();
+        free(test_cert_file);
+        free(test_issuer_file);
+        free(test_ctlog_conf_file);
        return (failed);
 }
diff --git a/src/regress/lib/libcrypto/ct/letsencrypt-r3.crt b/src/regress/lib/libcrypto/ct/letsencrypt-r3.crt
new file mode 100644
index 0000000000..43b222a60a
--- /dev/null
+++ b/src/regress/lib/libcrypto/ct/letsencrypt-r3.crt
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
author	jsing <>	2022-01-06 04:42:00 +0000
committer	jsing <>	2022-01-06 04:42:00 +0000
commit	852b4f187cfe1eef2690095adf0f02e42f13443c (patch)
tree	2488bdbbdd25f8ccdc56429e41e9968c342985f8 /src/regress/lib
parent	cb6132904d89fe3bdde57b1438faf9ad96a85173 (diff)
download	openbsd-852b4f187cfe1eef2690095adf0f02e42f13443c.tar.gz openbsd-852b4f187cfe1eef2690095adf0f02e42f13443c.tar.bz2 openbsd-852b4f187cfe1eef2690095adf0f02e42f13443c.zip

diff --git a/src/regress/lib/libcrypto/ct/Makefile b/src/regress/lib/libcrypto/ct/Makefile index ba93566d29..ca17d824c5 100644 --- a/src/regress/lib/libcrypto/ct/Makefile +++ b/src/regress/lib/libcrypto/ct/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.1 2021/12/05 13:01:08 jsing Exp $	1	# $OpenBSD: Makefile,v 1.2 2022/01/06 04:42:00 jsing Exp $
2		2
3	PROG= cttest	3	PROG= cttest
4	LDADD= ${CRYPTO_INT}	4	LDADD= ${CRYPTO_INT}
@@ -14,6 +14,6 @@ REGRESS_TARGETS= \
14		14
15	regress-cttest: ${PROG}	15	regress-cttest: ${PROG}
16	./cttest \	16	./cttest \
17	${.CURDIR}/../../libcrypto/ct/libressl.org.crt	17	${.CURDIR}/../../libcrypto/ct/
18		18
19	.include <bsd.regress.mk>	19	.include <bsd.regress.mk>


diff --git a/src/regress/lib/libcrypto/ct/ctlog.conf b/src/regress/lib/libcrypto/ct/ctlog.conf new file mode 100644 index 0000000000..83a01f63ca --- /dev/null +++ b/src/regress/lib/libcrypto/ct/ctlog.conf
@@ -0,0 +1,5 @@
		1	enabled_logs = argon2022
		2
		3	[argon2022]
		4	description = Google Argon 2022
		5	key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeIPc6fGmuBg6AJkv/z7NFckmHvf/OqmjchZJ6wm2qN200keRDg352dWpi7CHnSV51BpQYAj1CQY5JuRAwrrDwg==


diff --git a/src/regress/lib/libcrypto/ct/cttest.c b/src/regress/lib/libcrypto/ct/cttest.c index a14ae75d89..803b976ef6 100644 --- a/src/regress/lib/libcrypto/ct/cttest.c +++ b/src/regress/lib/libcrypto/ct/cttest.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: cttest.c,v 1.2 2021/12/20 16:52:26 jsing Exp $ */	1	/* $OpenBSD: cttest.c,v 1.3 2022/01/06 04:42:00 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2021 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -24,7 +24,9 @@
24		24
25	#include "ct/ct.h"	25	#include "ct/ct.h"
26		26
27	const char *test_cert_file;	27	char *test_ctlog_conf_file;
		28	char *test_cert_file;
		29	char *test_issuer_file;
28		30
29	const int debug = 0;	31	const int debug = 0;
30		32
@@ -391,21 +393,93 @@ ct_sct_base64_test(void)
391	return failed;	393	return failed;
392	}	394	}
393		395
		396	static int
		397	ct_sct_verify_test(void)
		398	{
		399	STACK_OF(SCT) *scts = NULL;
		400	CT_POLICY_EVAL_CTX *ct_policy = NULL;
		401	CTLOG_STORE *ctlog_store = NULL;
		402	X509 cert = NULL, issuer = NULL;
		403	const uint8_t *p;
		404	SCT *sct;
		405	int failed = 1;
		406
		407	cert_from_file(test_cert_file, &cert);
		408	cert_from_file(test_issuer_file, &issuer);
		409
		410	if ((ctlog_store = CTLOG_STORE_new()) == NULL)
		411	goto failure;
		412	if (!CTLOG_STORE_load_file(ctlog_store, test_ctlog_conf_file))
		413	goto failure;
		414
		415	if ((ct_policy = CT_POLICY_EVAL_CTX_new()) == NULL)
		416	goto failure;
		417
		418	CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ct_policy, ctlog_store);
		419	CT_POLICY_EVAL_CTX_set_time(ct_policy, 1641393117000);
		420
		421	if (!CT_POLICY_EVAL_CTX_set1_cert(ct_policy, cert))
		422	goto failure;
		423	if (!CT_POLICY_EVAL_CTX_set1_issuer(ct_policy, issuer))
		424	goto failure;
		425
		426	p = scts_asn1;
		427	if ((scts = d2i_SCT_LIST(NULL, &p, sizeof(scts_asn1))) == NULL) {
		428	fprintf(stderr, "FAIL: failed to decode SCTS from ASN.1\n");
		429	ERR_print_errors_fp(stderr);
		430	goto failure;
		431	}
		432	sct = sk_SCT_value(scts, 0);
		433
		434	if (!SCT_set_log_entry_type(sct, CT_LOG_ENTRY_TYPE_PRECERT))
		435	goto failure;
		436	if (!SCT_validate(sct, ct_policy)) {
		437	fprintf(stderr, "FAIL: SCT_validate failed\n");
		438	ERR_print_errors_fp(stderr);
		439	goto failure;
		440	}
		441
		442	failed = 0;
		443
		444	failure:
		445	CT_POLICY_EVAL_CTX_free(ct_policy);
		446	CTLOG_STORE_free(ctlog_store);
		447	X509_free(cert);
		448	X509_free(issuer);
		449
		450	return failed;
		451	}
		452
394	int	453	int
395	main(int argc, char **argv)	454	main(int argc, char **argv)
396	{	455	{
		456	const char *ctpath;
397	int failed = 0;	457	int failed = 0;
398		458
399	if (argc != 2) {	459	if (argc != 2) {
400	fprintf(stderr, "usage: %s certfile\n", argv[0]);	460	fprintf(stderr, "usage: %s ctpath\n", argv[0]);
401	exit(1);	461	exit(1);
402	}	462	}
403		463	ctpath = argv[1];
404	test_cert_file = argv[1];	464
		465	if (asprintf(&test_cert_file, "%s/%s", ctpath,
		466	"libressl.org.crt") == -1)
		467	errx(1, "asprintf test_cert_file");
		468	if (asprintf(&test_issuer_file, "%s/%s", ctpath,
		469	"letsencrypt-r3.crt") == -1)
		470	errx(1, "asprintf test_issuer_file");
		471	if (asprintf(&test_ctlog_conf_file, "%s/%s", ctpath,
		472	"ctlog.conf") == -1)
		473	errx(1, "asprintf test_ctlog_conf_file");
405		474
406	failed \|= ct_cert_test();	475	failed \|= ct_cert_test();
407	failed \|= ct_sct_test();	476	failed \|= ct_sct_test();
408	failed \|= ct_sct_base64_test();	477	failed \|= ct_sct_base64_test();
		478	failed \|= ct_sct_verify_test();
		479
		480	free(test_cert_file);
		481	free(test_issuer_file);
		482	free(test_ctlog_conf_file);
409		483
410	return (failed);	484	return (failed);
411	}	485	}


diff --git a/src/regress/lib/libcrypto/ct/letsencrypt-r3.crt b/src/regress/lib/libcrypto/ct/letsencrypt-r3.crt new file mode 100644 index 0000000000..43b222a60a --- /dev/null +++ b/src/regress/lib/libcrypto/ct/letsencrypt-r3.crt
@@ -0,0 +1,30 @@
		1	-----BEGIN CERTIFICATE-----
		2	MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
		3	TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
		4	cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
		5	WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
		6	RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
		7	AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
		8	R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
		9	sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
		10	NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
		11	Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
		12	/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
		13	AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
		14	Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
		15	FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
		16	AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
		17	Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
		18	gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
		19	PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
		20	ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
		21	CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
		22	lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
		23	avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
		24	yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
		25	yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
		26	hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
		27	HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
		28	MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
		29	nLRbwHOoq7hHwg==
		30	-----END CERTIFICATE-----