From de963b96929b9da61916a0c43b4ac4c34a39e238 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Thu, 29 Mar 2018 21:32:24 +0200 Subject: [PATCH] trust: add unit test for the "edk2-cacerts" extractor Add a multi-cert test case for the edk2 extractor, heavily based on the "/openssl/test_file_multiple" test case. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1559580 Signed-off-by: Laszlo Ersek --- trust/Makefile.am | 5 + trust/fixtures/multiple.edk2 | Bin 0 -> 2549 bytes trust/test-edk2.c | 209 +++++++++++++++++++++++++++++++++++ 3 files changed, 214 insertions(+) create mode 100644 trust/fixtures/multiple.edk2 create mode 100644 trust/test-edk2.c diff --git a/trust/Makefile.am b/trust/Makefile.am index 147675f..791c8d8 100644 --- a/trust/Makefile.am +++ b/trust/Makefile.am @@ -172,6 +172,7 @@ c_tests += \ test-cer \ test-bundle \ test-openssl \ + test-edk2 \ $(NULL) test_asn1_SOURCES = trust/test-asn1.c @@ -218,6 +219,10 @@ test_openssl_SOURCES = trust/test-openssl.c test_openssl_LDADD = $(trust_LIBS) test_openssl_CFLAGS = $(trust_CFLAGS) +test_edk2_SOURCES = trust/test-edk2.c +test_edk2_LDADD = $(trust_LIBS) +test_edk2_CFLAGS = $(trust_CFLAGS) + test_parser_SOURCES = trust/test-parser.c test_parser_LDADD = $(trust_LIBS) test_parser_CFLAGS = $(trust_CFLAGS) 
diff --git a/trust/fixtures/multiple.edk2 b/trust/fixtures/multiple.edk2 new file mode 100644 index 0000000000000000000000000000000000000000..cbb9d0d8e379ef14ccc4d695e41f9802437c721c GIT binary patch literal 2549 zcmc(geLR%u8pr3E7n;#z7$a$_CsBEcXN-}NU5yE|+D}6Jqw9Jf|@fMYtlPS!| zTL`V!BJYJoBCTv~DJio;EqSXbb($!u?aa__KIinu`R9Dj{m=cm?)$#3`*%OjbzR>= z&-OE88Kq9g8Y&1r#xHpZs<4F-s+gU(J$!(A{ehm@)=EClcZ`5Us-BPtMJqtS0XQ6i zp(R3C6||9`eZ_`BrQmDQJNZ^ro0{ehRrnnvb@Cu z3-XAN?xH;WCog)4Kc5ehLFM}(5nONSHvmvDgb1z~xU(Yq;L3RX~K>rkfV8kur+RB(2WTit>N86Eo zQe23>+&{1VRm%K#6EiG;*`e+};$+u7vO{99xvVo9eaN9XQT|kJVYtkGjF^8j14$H? zY1L&1UZp?VC6c0hTFbqqX?LFek$grQ+jDoNxQ}>LXFTP_Gnk_~jPh20jqKRBNe^d~xZ9%?QPoy&ihu4~ z&ghdJ>NSe-nRh@sk9DoE^OigxeAWFvGktha!_qat!s^6wzuawE?p9UuyWU9!-jlmB zn_~N91!C^@d#Q$vMK)D4l9q1Ww8SxsnD+Z2d!J%{=_mzryoOACU3@M&%5q=mZ{}Ko zX0juO?H6c>;IyvcysoUB_Ajh)m*)(rou0x&B{BcUDiZ-PNL?us4*(yLC1H z^Bg9hYx=pW%%IJGAA*aCOB%zHGfaO|CQkr4DenW3bchDoE;u0pVTuz(hDd*ffCJhF zUk<@y?+c7FFD#O-O>^adL4g7=niI|g zIgxBo*-TjbSxkRHAh@5y107uK?M=WS4k+M&U(~g!dXc95TzY=*rM#-V@M*8C)h8bdwh+~8 zO|tUeog-5ZK1NulCF{*fuw(s)u@O3NfVmf$nMH2=cAK#JHM;Kf#tw{>_kIM2R-@gP zWE9LHK7{diCVo#IPZk^|0I-QJC*tEHCs%FhJhMEhrQvyeozK0Yrsh{Su3-VKO0Gwz zL`v>Gy}wx3`Q(Q8jA0eJX8)~HG1bhHR~&~MdnE6<>8;y77MBx?=d0`p$b`4J5B@GwX2u(va`B<#WW= zIwC#G>$Ry?gGPnvRBusz{g|P8emqUx){kNQAgv|#1(JY;6{7D>#NnJ5- zWl-aATr|!vE6CON#jfiLWG}D1<9<}`Dv#7! 
z^qsH>I*z`jr7^P0-kr5B3LZD`z%kXZ#qu|%Pv>yomSZu6jpns6&_yFNQu%ao(7@nA z_g^Yc@kK%Id@ZZ!rtGm zqF>)`STkhQIzA}Q3pN;sVt-B`{2A0!^~kx>CN^N_iHk@3GzqKM-SAbv;*w#cacUr@ od$}cEMtOi+ + * Laszlo Ersek + */ + +#define P11_KIT_DISABLE_DEPRECATED + +#include "config.h" + +#include "test-trust.h" /* test_cacert3_ca_der */ + +#include "attrs.h" /* p11_attrs_build() */ +#include "extract.h" /* p11_extract_edk2_cacerts() */ +#include "mock.h" /* mock_module_reset() */ +#include "pkcs11.h" /* CK_FUNCTION_LIST */ +#include "pkcs11x.h" /* CKO_X_CERTIFICATE_EXTENSION */ +#include "oid.h" /* P11_OID_EXTENDED_KEY_USAGE */ +#include "test.h" /* p11_test() */ + +#include /* va_list */ +#include /* asprintf() */ +#include /* free() */ +#include /* memcpy() */ +#include /* rmdir() */ + +struct { + CK_FUNCTION_LIST module; + p11_enumerate ex; + char *directory; +} test; + +static void +setup (void *unused) +{ + CK_RV rv; + + mock_module_reset (); + memcpy (&test.module, &mock_module, sizeof (CK_FUNCTION_LIST)); + rv = test.module.C_Initialize (NULL); + assert_num_eq (CKR_OK, rv); + + p11_enumerate_init (&test.ex); + test.ex.flags |= P11_ENUMERATE_CORRELATE; + + test.directory = p11_test_directory ("test-extract"); +} + +static void +teardown (void *unused) +{ + CK_RV rv; + + if (rmdir (test.directory) < 0) + assert_not_reached (); + free (test.directory); + + p11_enumerate_cleanup (&test.ex); + p11_kit_iter_free (test.ex.iter); + + rv = test.module.C_Finalize (NULL); + assert_num_eq (CKR_OK, rv); +} + +static CK_OBJECT_CLASS certificate_class = CKO_CERTIFICATE; +static CK_OBJECT_CLASS extension_class = CKO_X_CERTIFICATE_EXTENSION; +static CK_CERTIFICATE_TYPE x509_type = CKC_X_509; +static CK_BBOOL vtrue = CK_TRUE; + +static CK_ATTRIBUTE cacert3_authority_attrs[] = { + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, + { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, + { CKA_LABEL, "Custom Label", 12 }, 
+ { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+ { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ { CKA_TRUSTED, &vtrue, sizeof (vtrue) },
+ { CKA_INVALID },
+};
+
+static CK_ATTRIBUTE verisign_v1_attrs[] = {
+ { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) },
+ { CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+ { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
+ { CKA_LABEL, "Custom Label", 12 },
+ { CKA_SUBJECT, (void *)verisign_v1_ca_subject, sizeof (verisign_v1_ca_subject) },
+ { CKA_PUBLIC_KEY_INFO, (void *)verisign_v1_ca_public_key, sizeof (verisign_v1_ca_public_key) },
+ { CKA_TRUSTED, &vtrue, sizeof (vtrue) },
+ { CKA_INVALID },
+};
+
+static CK_ATTRIBUTE extension_eku_server[] = {
+ { CKA_CLASS, &extension_class, sizeof (extension_class) },
+ { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
+ { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ { CKA_VALUE, "\x30\x13\x06\x03\x55\x1d\x25\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01", 21 },
+ { CKA_INVALID },
+};
+
+static CK_ATTRIBUTE extension_reject_email[] = {
+ { CKA_CLASS, &extension_class, sizeof (extension_class) },
+ { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
+ { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 28 },
+ { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ { CKA_INVALID },
+};
+
+static CK_ATTRIBUTE certificate_filter[] = {
+ { CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+ { CKA_INVALID },
+};
+
+static void
+setup_objects (const CK_ATTRIBUTE *attrs,
+ ...) GNUC_NULL_TERMINATED;
+
+static void
+setup_objects (const CK_ATTRIBUTE *attrs,
+ ...)
+{
+ static CK_ULONG id_value = 8888;
+
+ CK_ATTRIBUTE id = { CKA_ID, &id_value, sizeof (id_value) };
+ CK_ATTRIBUTE *copy;
+ va_list va;
+
+ va_start (va, attrs);
+ while (attrs != NULL) {
+ copy = p11_attrs_build (p11_attrs_dup (attrs), &id, NULL);
+ assert (copy != NULL);
+ mock_module_take_object (MOCK_SLOT_ONE_ID, copy);
+ attrs = va_arg (va, const CK_ATTRIBUTE *);
+ }
+ va_end (va);
+
+ id_value++;
+}
+
+static void
+test_file_multiple (void)
+{
+ char *destination;
+ bool ret;
+
+ setup_objects (cacert3_authority_attrs,
+ extension_eku_server,
+ extension_reject_email,
+ NULL);
+
+ setup_objects (verisign_v1_attrs,
+ NULL);
+
+ p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1);
+ p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0);
+
+ if (asprintf (&destination, "%s/%s", test.directory, "extract.edk2") < 0)
+ assert_not_reached ();
+
+ ret = p11_extract_edk2_cacerts (&test.ex, destination);
+ assert_num_eq (true, ret);
+
+ test_check_file (test.directory, "extract.edk2", SRCDIR "/trust/fixtures/multiple.edk2");
+ free (destination);
+}
+
+int
+main (int argc,
+ char *argv[])
+{
+ mock_module_init ();
+
+ p11_fixture (setup, teardown);
+ p11_test (test_file_multiple, "/edk2/test_file_multiple");
+
+ return p11_test_run (argc, argv);
+}
+
+#include "enumerate.c" /* p11_enumerate_init() */
+#include "extract-edk2.c" /* p11_extract_edk2_cacerts() */
--
2.50.1
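Review bot: In `test_file_multiple`, the only check on what `p11_extract_edk2_cacerts` wrote is the byte comparison against `trust/fixtures/multiple.edk2`, a binary blob added by this same patch that a reviewer cannot read, so the test pins the current output rather than checking it independently. A comment above the `test_check_file` call should say what the fixture holds and how it was produced, for example `/* multiple.edk2: expected extractor output for the cacert3 and verisign_v1 certificates; regenerate with <command used to create the fixture> */`. The case also attaches `extension_eku_server` and `extension_reject_email` to the cacert3 object without saying whether they are meant to influence the output. Since the extracted list presumably ends up as a firmware trust store, a second case with an object that must not be extracted would make the expected filtering explicit. The top of the new file (its diff header and the start of the licence comment) is not visible on this page.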