author | erbsland-dev <github@erbsland.dev> | 2024-06-19 14:02:53 +0200 |
---|---|---|
committer | Neil Horman <nhorman@openssl.org> | 2024-06-21 15:40:45 -0400 |
commit | 895ecd0ce86c17fc696ad58c9f4b2ac1b821c5d4 (patch) | |
tree | f9f8f5a4fcc615e785369491f86da458921f3f5e /test | |
parent | 7fab3c7d61b0064dcf50db39fb490970c60d9a34 (diff) | |
Add Test for Verification Failure on Incorrect X509 Version
Tests #5738: Introduce a new test to verify that a malformed X509 request with the version field set to version 6 fails either early when reading from data or later when `X509_REQ_verify` is called.
Adding a new test recipe `60-test_x509_req.t`
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)
Diffstat (limited to 'test')
-rw-r--r-- | test/build.info | 6 | ||||
-rw-r--r-- | test/recipes/60-test_x509_req.t | 11 | ||||
-rw-r--r-- | test/x509_req_test.c | 76 |
3 files changed, 92 insertions, 1 deletions
diff --git a/test/build.info b/test/build.info
index e2b09ae..8039408 100644
--- a/test/build.info
+++ b/test/build.info
@@ -64,7 +64,7 @@ IF[{- !$disabled{tests} -}]
 ca_internals_test bio_tfo_test membio_test bio_dgram_test list_test \
 fips_version_test x509_test hpke_test pairwise_fail_test \
 nodefltctxtest evp_xof_test x509_load_cert_file_test bio_meth_test \
- x509_acert_test
+ x509_acert_test x509_req_test
 IF[{- !$disabled{'rpk'} -}]
 PROGRAMS{noinst}=rpktest
@@ -1211,6 +1211,10 @@ ENDIF
 INCLUDE[x509_acert_test]=../include ../apps/include
 DEPEND[x509_acert_test]=../libcrypto libtestutil.a
+ SOURCE[x509_req_test]=x509_req_test.c
+ INCLUDE[x509_req_test]=../include ../apps/include
+ DEPEND[x509_req_test]=../libcrypto libtestutil.a
+
 {-
 use File::Spec::Functions;
 use File::Basename;
diff --git a/test/recipes/60-test_x509_req.t b/test/recipes/60-test_x509_req.t
new file mode 100644
index 0000000..5f8b664
--- /dev/null
+++ b/test/recipes/60-test_x509_req.t
@@ -0,0 +1,11 @@
+#! /usr/bin/env perl
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_x509_req_test", "x509_req_test", "x509_req");
diff --git a/test/x509_req_test.c b/test/x509_req_test.c
new file mode 100644
index 0000000..7a839d1
--- /dev/null
+++ b/test/x509_req_test.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+
+#include "testutil.h"
+
+static const char bad_csr_version_6[] =
+ "-----BEGIN CERTIFICATE REQUEST-----\n"
+ "MIICoTCCAYkCAQUwXDELMAkGA1UEBhMCQ0gxDTALBgNVBAgMBEJlcm4xDTALBgNV\n"
+ "BAcMBEJlcm4xFDASBgNVBAoMC0VyYnNsYW5kREVWMRkwFwYDVQQDDBB0ZXN0Lm9w\n"
+ "ZW5zc2wub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgnKT31X7\n"
+ "GG1doZXQ0cHY32OjExJT5z/AhZNHt44AdZmrGDwcANBa68mK1pJ4zbLStsa0ABfC\n"
+ "clPnoq4jqPcoMqPu5SNGR29lBWSQr8AzzHFOalHfYmdsTwRxy2fM56WVfrmi/HY5\n"
+ "8pZ0LgAuF7Kb8hjUkqBbWzAo0GJaYqWitkrDdproLMLz65GJYYlxXcPd79yt+SHk\n"
+ "TdfRANcjinRK/EKgkWYVu5yE/lqWl9lwgxY9YAeDp6/WZ7K5wGueiMNYsKoud0MP\n"
+ "al00AgaBgicIBMfVPdN19p8ZC4u2BuJlM1oq2eZbaP35rAlB1InbPtFIGL0c0h0o\n"
+ "6prLD6FgYHd1PQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBADQIUWrf2wnUlKK4\n"
+ "Q2kuK6EtC2CYblmUqV8kUx/sWkfaG2zD7ekyTVJg80IhnsrVJ3VQwOUtbWltgskF\n"
+ "ZzrwXbIIVkHzeI51jrt/jUXzskCjyDkxjeRgCxSJ1bIlN+OkIeXf/jjDJ+ebyeJl\n"
+ "oRgg/KtbaJVb9niFjbxdyMNEI5qZAmocFpE2t5S9GlosTEIPNbowZAe8+AeUXGJB\n"
+ "7SPJZ3U+Rk7Yx6cW2Hc5litIDzJlIN8D86v26lgJ1VEoYGD81wPEhIjHTkRBWhp6\n"
+ "kGV0EojP8ntSjDFHIH184MQAJYyr6YlEM3DcCYPwydLN/rkEHQVAxKKuSCrpcUMH\n"
+ "hfcdPO4=\n"
+ "-----END CERTIFICATE REQUEST-----";
+
+/*
+ * Test for the missing X509 version check discussed in issue #5738 and
+ * added in PR #24677.
+ * This test tries to verify a malformed CSR with the X509 version set
+ * version 6, instead of 1. As this request is malformed, even its
+ * signature is valid, the verification must fail.
+ */
+static int test_x509_req_detect_invalid_version(void)
+{
+ BIO *bio = NULL;
+ EVP_PKEY *pkey = NULL;
+ X509_REQ *req = NULL;
+ int ret = 0;
+
+ if (!TEST_ptr(bio = BIO_new_mem_buf(bad_csr_version_6, sizeof(bad_csr_version_6) - 1)))
+ goto err;
+ req = PEM_read_bio_X509_REQ(bio, NULL, 0, NULL);
+ if (req == NULL) {
+ ret = 1; /* success, reading PEM with invalid CSR data is allowed to fail. */
+ goto err;
+ }
+ if (!TEST_ptr(pkey = X509_REQ_get_pubkey(req)))
+ goto err;
+ /* Verification MUST fail at this point. ret != 1. */
+ if (!TEST_int_ne(X509_REQ_verify(req, pkey), 1))
+ goto err;
+ ret = 1; /* success */
+err:
+ EVP_PKEY_free(pkey);
+ X509_REQ_free(req);
+ BIO_free(bio);
+ return ret;
+}
+
+int setup_tests(void)
+{
+ ADD_TEST(test_x509_req_detect_invalid_version);
+ return 1;
+}
+
+void cleanup_tests(void)
+{
+} |
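Review bot: The `if (req == NULL)` branch in test_x509_req_detect_invalid_version counts any PEM parse failure as a pass, so a corrupted fixture string, a stale base64 line or a BIO error would make the test succeed without ever exercising the version check it was written for. Before `ret = 1;` in that branch, confirm the rejection was actually reported, e.g. `if (!TEST_true(ERR_peek_error() != 0)) goto err;` (with `<openssl/err.h>` included), so a silently empty result cannot masquerade as the expected early failure. The same consideration applies after `X509_REQ_verify`: `TEST_int_ne(..., 1)` accepts any non-success value, which is the stated intent, but a `TEST_note` of the error queue there would make it visible in the log which path rejected the request. Separately, the function comment reads "with the X509 version set version 6" and "even its signature is valid"; suggest "set to version 6" and "even if its signature is valid".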