Add libctx/provider support to cmp_client_test

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808)

7 files changed, 66 insertions, 33 deletions

diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c
index f5c3fd7..9fb3050 100644
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@@ -33,6 +33,9 @@ typedef struct test_fixture {
     STACK_OF(X509) *caPubs;
 } CMP_SES_TEST_FIXTURE;
 
+static OPENSSL_CTX *libctx = NULL;
+static OSSL_PROVIDER *default_null_provider = NULL, *provider = NULL;
+
 static EVP_PKEY *server_key = NULL;
 static X509 *server_cert = NULL;
 static EVP_PKEY *client_key = NULL;
@@ -62,7 +65,7 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name)
     if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
         return NULL;
     fixture->test_case_name = test_case_name;
-    if (!TEST_ptr(fixture->srv_ctx = ossl_cmp_mock_srv_new(NULL, NULL))
+    if (!TEST_ptr(fixture->srv_ctx = ossl_cmp_mock_srv_new(libctx, NULL))
             || !OSSL_CMP_SRV_CTX_set_accept_unprotected(fixture->srv_ctx, 1)
             || !ossl_cmp_mock_srv_set1_certOut(fixture->srv_ctx, client_cert)
             || (srv_cmp_ctx =
@@ -70,7 +73,7 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name)
             || !OSSL_CMP_CTX_set1_cert(srv_cmp_ctx, server_cert)
             || !OSSL_CMP_CTX_set1_pkey(srv_cmp_ctx, server_key))
         goto err;
-    if (!TEST_ptr(fixture->cmp_ctx = ctx = OSSL_CMP_CTX_new(NULL, NULL))
+    if (!TEST_ptr(fixture->cmp_ctx = ctx = OSSL_CMP_CTX_new(libctx, NULL))
             || !OSSL_CMP_CTX_set_log_cb(fixture->cmp_ctx, print_to_bio_out)
             || !OSSL_CMP_CTX_set_transfer_cb(ctx, OSSL_CMP_CTX_server_perform)
             || !OSSL_CMP_CTX_set_transfer_cb_arg(ctx, fixture->srv_ctx)
@@ -343,9 +346,13 @@ void cleanup_tests(void)
     EVP_PKEY_free(server_key);
     X509_free(client_cert);
     EVP_PKEY_free(client_key);
+    OPENSSL_CTX_free(libctx);
     return;
 }
 
+#define USAGE "server.key server.crt client.key client.crt client.csr module_name [module_conf_file]\n"
+OPT_TEST_DECLARE_USAGE(USAGE)
+
 int setup_tests(void)
 {
     if (!test_skip_common_options()) {
@@ -358,15 +365,18 @@ int setup_tests(void)
             || !TEST_ptr(client_key_f = test_get_argument(2))
             || !TEST_ptr(client_cert_f = test_get_argument(3))
             || !TEST_ptr(pkcs10_f = test_get_argument(4))) {
-        TEST_error("usage: cmp_client_test server.key server.crt client.key client.crt client.csr\n");
+        TEST_error("usage: cmp_client_test %s", USAGE);
         return 0;
     }
 
+    if (!test_get_libctx(&libctx, &default_null_provider, &provider, 5, USAGE))
+        return 0;
+
     if (!TEST_ptr(server_key = load_pem_key(server_key_f))
-            || !TEST_ptr(server_cert = load_pem_cert(server_cert_f))
+            || !TEST_ptr(server_cert = load_pem_cert(server_cert_f, libctx))
             || !TEST_ptr(client_key = load_pem_key(client_key_f))
-            || !TEST_ptr(client_cert = load_pem_cert(client_cert_f))
-            || !TEST_int_eq(1, RAND_bytes(ref, sizeof(ref)))) {
+            || !TEST_ptr(client_cert = load_pem_cert(client_cert_f, libctx))
+            || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref)))) {
         cleanup_tests();
         return 0;
     }
diff --git a/test/cmp_msg_test.c b/test/cmp_msg_test.c
index 1a090a6..78eea31 100644
--- a/test/cmp_msg_test.c
+++ b/test/cmp_msg_test.c
@@ -554,7 +554,7 @@ int setup_tests(void)
     }
 
     if (!TEST_ptr(newkey = gen_rsa())
-            || !TEST_ptr(cert = load_pem_cert(server_cert_f))
+            || !TEST_ptr(cert = load_pem_cert(server_cert_f, NULL))
             || !TEST_int_eq(1, RAND_bytes(ref, sizeof(ref)))) {
         cleanup_tests();
         return 0;
diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c
index 1be29cd..680d707 100644
--- a/test/cmp_protect_test.c
+++ b/test/cmp_protect_test.c
@@ -514,7 +514,7 @@ int setup_tests(void)
         return 0;
     }
     if (!TEST_ptr(loadedkey = load_pem_key(server_key_f))
-            || !TEST_ptr(cert = load_pem_cert(server_cert_f)))
+            || !TEST_ptr(cert = load_pem_cert(server_cert_f, NULL)))
         return 0;
 
     if (!TEST_ptr(loadedprivkey = load_pem_key(server_f)))
@@ -524,10 +524,10 @@ int setup_tests(void)
     if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f))
             || !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f)))
         return 0;
-    if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f))
-            || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f))
-            || !TEST_ptr(root = load_pem_cert(root_f))
-            || !TEST_ptr(intermediate = load_pem_cert(intermediate_f)))
+    if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f, NULL))
+            || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f, NULL))
+            || !TEST_ptr(root = load_pem_cert(root_f, NULL))
+            || !TEST_ptr(intermediate = load_pem_cert(intermediate_f, NULL)))
         return 0;
     if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH)))
         return 0;
diff --git a/test/cmp_testlib.c b/test/cmp_testlib.c
index ef33aa8..1956704 100644
--- a/test/cmp_testlib.c
+++ b/test/cmp_testlib.c
@@ -28,15 +28,16 @@ EVP_PKEY *load_pem_key(const char *file)
     return key;
 }
 
-X509 *load_pem_cert(const char *file)
+X509 *load_pem_cert(const char *file, OPENSSL_CTX *libctx)
 {
     X509 *cert = NULL;
     BIO *bio = NULL;
 
     if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
         return NULL;
-    if (TEST_int_gt(BIO_read_filename(bio, file), 0))
-        (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL));
+    if (TEST_int_gt(BIO_read_filename(bio, file), 0)
+            && TEST_ptr(cert = X509_new_with_libctx(libctx, NULL)))
+        (void)TEST_ptr(cert = PEM_read_bio_X509(bio, &cert, NULL, NULL));
 
     BIO_free(bio);
     return cert;
diff --git a/test/cmp_testlib.h b/test/cmp_testlib.h
index 9277510..7828cea 100644
--- a/test/cmp_testlib.h
+++ b/test/cmp_testlib.h
@@ -15,6 +15,7 @@
 # include <openssl/cmp.h>
 # include <openssl/pem.h>
 # include <openssl/rand.h>
+# include "crypto/x509.h" /* for x509_set0_libctx() and x509_dup_with_libctx() */
 
 # include "../crypto/cmp/cmp_local.h"
 
@@ -23,7 +24,7 @@
 # ifndef OPENSSL_NO_CMP
 #  define CMP_TEST_REFVALUE_LENGTH 15 /* arbitrary value */
 EVP_PKEY *load_pem_key(const char *file);
-X509 *load_pem_cert(const char *file);
+X509 *load_pem_cert(const char *file, OPENSSL_CTX *libctx);
 X509_REQ *load_csr(const char *file);
 OSSL_CMP_MSG *load_pkimsg(const char *file);
 int valid_asn1_encoding(const OSSL_CMP_MSG *msg);
diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c
index b14398a..778aa5a 100644
--- a/test/cmp_vfy_test.c
+++ b/test/cmp_vfy_test.c
@@ -594,19 +594,19 @@ int setup_tests(void)
     }
 
     /* Load certificates for cert chain */
-    if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f))
-            || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f))
-            || !TEST_ptr(root = load_pem_cert(root_f))
-            || !TEST_ptr(intermediate = load_pem_cert(intermediate_f)))
+    if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f, NULL))
+            || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f, NULL))
+            || !TEST_ptr(root = load_pem_cert(root_f, NULL))
+            || !TEST_ptr(intermediate = load_pem_cert(intermediate_f, NULL)))
         goto err;
 
-    if (!TEST_ptr(insta_cert = load_pem_cert(instacert_f))
-            || !TEST_ptr(instaca_cert = load_pem_cert(instaca_f)))
+    if (!TEST_ptr(insta_cert = load_pem_cert(instacert_f, NULL))
+            || !TEST_ptr(instaca_cert = load_pem_cert(instaca_f, NULL)))
         goto err;
 
     /* Load certificates for message validation */
-    if (!TEST_ptr(srvcert = load_pem_cert(server_f))
-            || !TEST_ptr(clcert = load_pem_cert(client_f)))
+    if (!TEST_ptr(srvcert = load_pem_cert(server_f, NULL))
+            || !TEST_ptr(clcert = load_pem_cert(client_f, NULL)))
         goto err;
     if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH)))
         goto err;
diff --git a/test/recipes/65-test_cmp_client.t b/test/recipes/65-test_cmp_client.t
index 1b54940..de60599 100644
--- a/test/recipes/65-test_cmp_client.t
+++ b/test/recipes/65-test_cmp_client.t
@@ -9,19 +9,40 @@
 # https://www.openssl.org/source/license.html
 
 use strict;
-use OpenSSL::Test qw/:DEFAULT data_file/;
+use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/;
 use OpenSSL::Test::Utils;
 
-setup("test_cmp_client");
+BEGIN {
+    setup("test_cmp_client");
+}
+
+use lib srctop_dir('Configurations');
+use lib bldtop_dir('.');
+use platform;
+
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 
 plan skip_all => "This test is not supported in a no-cmp or no-ec build"
     if disabled("cmp") || disabled("ec");
 
-plan tests => 1;
+plan tests => 2 + ($no_fips ? 0 : 2); #fips install + fips test
+
+my @basic_cmd = ("cmp_client_test",
+                 data_file("server.key"),
+                 data_file("server.crt"),
+                 data_file("client.key"),
+                 data_file("client.crt"),
+                 data_file("client.csr"));
+
+ok(run(test([@basic_cmd, "none"])));
+
+ok(run(test([@basic_cmd, "default", srctop_file("test", "default.cnf")])));
+
+unless ($no_fips) {
+    ok(run(app(['openssl', 'fipsinstall',
+                '-out', bldtop_file('providers', 'fipsmodule.cnf'),
+                '-module', bldtop_file('providers', platform->dso('fips'))])),
+       "fipsinstall");
 
-ok(run(test(["cmp_client_test",
-             data_file("server.key"),
-             data_file("server.crt"),
-             data_file("client.key"),
-             data_file("client.crt"),
-             data_file("client.csr")])));
+    ok(run(test([@basic_cmd, "fips", srctop_file("test", "fips.cnf")])));
+}