1 files changed, 7 insertions, 82 deletions
diff --git a/src/regress/lib/libcrypto/x509/policy/policy.c b/src/regress/lib/libcrypto/x509/policy/policy.c
index 2fc484e4e3..1bb03d1faf 100644
--- a/src/regress/lib/libcrypto/x509/policy/policy.c
+++ b/src/regress/lib/libcrypto/x509/policy/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.5 2023/04/28 08:45:50 beck Exp $ */
+/* $OpenBSD: policy.c,v 1.6 2023/04/28 08:50:08 beck Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
@@ -31,7 +31,6 @@
 #define MODE_MODERN_VFY         0
 #define MODE_MODERN_VFY_DIR     1
 #define MODE_LEGACY_VFY         2
-#define MODE_VERIFY             3
 static int verbose = 1;
@@ -154,7 +153,6 @@ verify_cert(const char *roots_file, const char *intermediate_file,
        int flags = X509_V_FLAG_POLICY_CHECK;
        flags |= verify_flags;
-        //      flags |= X509_V_FLAG_INHIBIT_MAP;
        if (mode == MODE_LEGACY_VFY)
                flags |=  X509_V_FLAG_LEGACY_VERIFY;
        X509_STORE_CTX_set_flags(xsc, flags);
@@ -198,72 +196,6 @@ verify_cert(const char *roots_file, const char *intermediate_file,
        X509_free(leaf);
 }
-static void
-verify_cert_new(const char *roots_file, const char *intermediate_file,
-    const char*leaf_file, int *chains)
-{
-        STACK_OF(X509) *roots = NULL, *bundle = NULL;
-        X509_STORE_CTX *xsc = NULL;
-        X509 *leaf = NULL;
-        struct x509_verify_ctx *ctx;
-        *chains = 0;
-        if (!certs_from_file(roots_file, &roots))
-                errx(1, "failed to load roots from '%s'", roots_file);
-        if (!certs_from_file(leaf_file, &bundle))
-                errx(1, "failed to load leaf from '%s'", leaf_file);
-        if (intermediate_file != NULL && !certs_from_file(intermediate_file,
-            &bundle))
-                errx(1, "failed to load intermediate from '%s'",
-                    intermediate_file);
-        if (sk_X509_num(bundle) < 1)
-                errx(1, "not enough certs in bundle");
-        leaf = sk_X509_shift(bundle);
-        if ((xsc = X509_STORE_CTX_new()) == NULL)
-                errx(1, "X509_STORE_CTX");
-        if (!X509_STORE_CTX_init(xsc, NULL, leaf, bundle)) {
-                ERR_print_errors_fp(stderr);
-                errx(1, "failed to init store context");
-        }
-        if (verbose)
-                X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb);
-        if ((ctx = x509_verify_ctx_new(roots)) == NULL)
-                errx(1, "failed to create ctx");
-        if (!x509_verify_ctx_set_intermediates(ctx, bundle))
-                errx(1, "failed to set intermediates");
-        if ((*chains = x509_verify(ctx, leaf, NULL)) == 0) {
-                fprintf(stderr, "failed to verify at %lu: %s\n",
-                    x509_verify_ctx_error_depth(ctx),
-                    x509_verify_ctx_error_string(ctx));
-        } else {
-                int c;
-                for (c = 0; verbose && c < *chains; c++) {
-                        STACK_OF(X509) *chain;
-                        int i;
-                        fprintf(stderr, "Chain %d\n--------\n", c);
-                        chain = x509_verify_ctx_chain(ctx, c);
-                        for (i = 0; i < sk_X509_num(chain); i++) {
-                                X509 *cert = sk_X509_value(chain, i);
-                                X509_NAME_print_ex_fp(stderr,
-                                    X509_get_subject_name(cert), 0,
-                                    XN_FLAG_ONELINE);
-                                fprintf(stderr, "\n");
-                        }
-                }
-        }
-        sk_X509_pop_free(roots, X509_free);
-        sk_X509_pop_free(bundle, X509_free);
-        X509_free(leaf);
-        X509_STORE_CTX_free(xsc);
-        x509_verify_ctx_free(ctx);
-}
 struct verify_cert_test {
        const char *id;
        const char *root_file;
@@ -647,16 +579,11 @@ verify_cert_test(int mode)
                error_depth = 0;
                fprintf(stderr, "== Test %zu (%s)\n", i, vct->id);
-                if (mode == MODE_VERIFY)
+                verify_cert(vct->root_file, vct->intermediate_file,
-                        verify_cert_new(vct->root_file, vct->intermediate_file,
+                    vct->leaf_file, &chains, &error, &error_depth,
-                            vct->leaf_file, &chains);
+                    mode, policy_oid, policy_oid2, vct->verify_flags);
-                else
-                        verify_cert(vct->root_file, vct->intermediate_file,
+                if ((chains == 0 && vct->want_chains == 0) ||
-                            vct->leaf_file, &chains, &error, &error_depth,
-                            mode, policy_oid, policy_oid2, vct->verify_flags);
-                if ((mode == MODE_VERIFY && chains == vct->want_chains) ||
-                    (chains == 0 && vct->want_chains == 0) ||
                    (chains == 1 && vct->want_chains > 0)) {
                        fprintf(stderr, "INFO: Succeeded with %d chains%s\n",
                            chains, vct->failing ? " (legacy failure)" : "");
@@ -699,9 +626,7 @@ main(int argc, char **argv)
        failed |= verify_cert_test(MODE_LEGACY_VFY);
        fprintf(stderr, "\n\nTesting modern x509_vfy\n");
        failed |= verify_cert_test(MODE_MODERN_VFY);
-        // New does not support policy goo at the moment.
+        /* New verifier does not do policy goop at the moment */
-        //      fprintf(stderr, "\n\nTestin x509_verify\n");
-        //      failed |= verify_cert_test(MODE_VERIFY);
        return (failed);
 }

diff --git a/src/regress/lib/libcrypto/x509/policy/policy.c b/src/regress/lib/libcrypto/x509/policy/policy.c index 2fc484e4e3..1bb03d1faf 100644 --- a/src/regress/lib/libcrypto/x509/policy/policy.c +++ b/src/regress/lib/libcrypto/x509/policy/policy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: policy.c,v 1.5 2023/04/28 08:45:50 beck Exp $ */	1	/* $OpenBSD: policy.c,v 1.6 2023/04/28 08:50:08 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
@@ -31,7 +31,6 @@
31	#define MODE_MODERN_VFY 0	31	#define MODE_MODERN_VFY 0
32	#define MODE_MODERN_VFY_DIR 1	32	#define MODE_MODERN_VFY_DIR 1
33	#define MODE_LEGACY_VFY 2	33	#define MODE_LEGACY_VFY 2
34	#define MODE_VERIFY 3
35		34
36	static int verbose = 1;	35	static int verbose = 1;
37		36
@@ -154,7 +153,6 @@ verify_cert(const char roots_file, const char intermediate_file,
154		153
155	int flags = X509_V_FLAG_POLICY_CHECK;	154	int flags = X509_V_FLAG_POLICY_CHECK;
156	flags \|= verify_flags;	155	flags \|= verify_flags;
157	// flags \|= X509_V_FLAG_INHIBIT_MAP;
158	if (mode == MODE_LEGACY_VFY)	156	if (mode == MODE_LEGACY_VFY)
159	flags \|= X509_V_FLAG_LEGACY_VERIFY;	157	flags \|= X509_V_FLAG_LEGACY_VERIFY;
160	X509_STORE_CTX_set_flags(xsc, flags);	158	X509_STORE_CTX_set_flags(xsc, flags);
@@ -198,72 +196,6 @@ verify_cert(const char roots_file, const char intermediate_file,
198	X509_free(leaf);	196	X509_free(leaf);
199	}	197	}
200		198
201	static void
202	verify_cert_new(const char roots_file, const char intermediate_file,
203	const charleaf_file, int chains)
204	{
205	STACK_OF(X509) roots = NULL, bundle = NULL;
206	X509_STORE_CTX *xsc = NULL;
207	X509 *leaf = NULL;
208	struct x509_verify_ctx *ctx;
209
210	*chains = 0;
211
212	if (!certs_from_file(roots_file, &roots))
213	errx(1, "failed to load roots from '%s'", roots_file);
214	if (!certs_from_file(leaf_file, &bundle))
215	errx(1, "failed to load leaf from '%s'", leaf_file);
216	if (intermediate_file != NULL && !certs_from_file(intermediate_file,
217	&bundle))
218	errx(1, "failed to load intermediate from '%s'",
219	intermediate_file);
220	if (sk_X509_num(bundle) < 1)
221	errx(1, "not enough certs in bundle");
222	leaf = sk_X509_shift(bundle);
223
224	if ((xsc = X509_STORE_CTX_new()) == NULL)
225	errx(1, "X509_STORE_CTX");
226	if (!X509_STORE_CTX_init(xsc, NULL, leaf, bundle)) {
227	ERR_print_errors_fp(stderr);
228	errx(1, "failed to init store context");
229	}
230	if (verbose)
231	X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb);
232
233	if ((ctx = x509_verify_ctx_new(roots)) == NULL)
234	errx(1, "failed to create ctx");
235	if (!x509_verify_ctx_set_intermediates(ctx, bundle))
236	errx(1, "failed to set intermediates");
237
238	if ((*chains = x509_verify(ctx, leaf, NULL)) == 0) {
239	fprintf(stderr, "failed to verify at %lu: %s\n",
240	x509_verify_ctx_error_depth(ctx),
241	x509_verify_ctx_error_string(ctx));
242	} else {
243	int c;
244
245	for (c = 0; verbose && c < *chains; c++) {
246	STACK_OF(X509) *chain;
247	int i;
248
249	fprintf(stderr, "Chain %d\n--------\n", c);
250	chain = x509_verify_ctx_chain(ctx, c);
251	for (i = 0; i < sk_X509_num(chain); i++) {
252	X509 *cert = sk_X509_value(chain, i);
253	X509_NAME_print_ex_fp(stderr,
254	X509_get_subject_name(cert), 0,
255	XN_FLAG_ONELINE);
256	fprintf(stderr, "\n");
257	}
258	}
259	}
260	sk_X509_pop_free(roots, X509_free);
261	sk_X509_pop_free(bundle, X509_free);
262	X509_free(leaf);
263	X509_STORE_CTX_free(xsc);
264	x509_verify_ctx_free(ctx);
265	}
266
267	struct verify_cert_test {	199	struct verify_cert_test {
268	const char *id;	200	const char *id;
269	const char *root_file;	201	const char *root_file;
@@ -647,16 +579,11 @@ verify_cert_test(int mode)
647	error_depth = 0;	579	error_depth = 0;
648		580
649	fprintf(stderr, "== Test %zu (%s)\n", i, vct->id);	581	fprintf(stderr, "== Test %zu (%s)\n", i, vct->id);
650	if (mode == MODE_VERIFY)	582	verify_cert(vct->root_file, vct->intermediate_file,
651	verify_cert_new(vct->root_file, vct->intermediate_file,	583	vct->leaf_file, &chains, &error, &error_depth,
652	vct->leaf_file, &chains);	584	mode, policy_oid, policy_oid2, vct->verify_flags);
653	else	585
654	verify_cert(vct->root_file, vct->intermediate_file,	586	if ((chains == 0 && vct->want_chains == 0) \|\|
655	vct->leaf_file, &chains, &error, &error_depth,
656	mode, policy_oid, policy_oid2, vct->verify_flags);
657
658	if ((mode == MODE_VERIFY && chains == vct->want_chains) \|\|
659	(chains == 0 && vct->want_chains == 0) \|\|
660	(chains == 1 && vct->want_chains > 0)) {	587	(chains == 1 && vct->want_chains > 0)) {
661	fprintf(stderr, "INFO: Succeeded with %d chains%s\n",	588	fprintf(stderr, "INFO: Succeeded with %d chains%s\n",
662	chains, vct->failing ? " (legacy failure)" : "");	589	chains, vct->failing ? " (legacy failure)" : "");
@@ -699,9 +626,7 @@ main(int argc, char **argv)
699	failed \|= verify_cert_test(MODE_LEGACY_VFY);	626	failed \|= verify_cert_test(MODE_LEGACY_VFY);
700	fprintf(stderr, "\n\nTesting modern x509_vfy\n");	627	fprintf(stderr, "\n\nTesting modern x509_vfy\n");
701	failed \|= verify_cert_test(MODE_MODERN_VFY);	628	failed \|= verify_cert_test(MODE_MODERN_VFY);
702	// New does not support policy goo at the moment.	629	/* New verifier does not do policy goop at the moment */
703	// fprintf(stderr, "\n\nTestin x509_verify\n");
704	// failed \|= verify_cert_test(MODE_VERIFY);
705		630
706	return (failed);	631	return (failed);
707	}	632	}