From c547447debec9cb744334591b54777140f82cf36 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 27 Jan 2023 21:06:39 +0000 Subject: [PATCH] pkcs7/test: Let verify take dynamic number of certs Previously there were two test functions for verify. One allowed for the verification of one certificate and the other allowed for verification of two certificates. Merge these two functions into one function that can take any number of certificates as an argument. Signed-off-by: Nick Child --- tests/suites/test_suite_pkcs7.data | 6 +- tests/suites/test_suite_pkcs7.function | 140 +++++++++---------------- 2 files changed, 55 insertions(+), 91 deletions(-) diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 22dd8a446..5991e40d8 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -76,15 +76,15 @@ pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIG PKCS7 Signed Data Verify with multiple signers #16 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":0:0 +pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Hash Verify with multiple signers #17 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0 +pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0 PKCS7 Signed Data Hash Verify Fail with multiple signers #18 depends_on:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C -pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA512:MBEDTLS_ERR_PKCS7_VERIFY_FAIL +pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA512:MBEDTLS_ERR_PKCS7_VERIFY_FAIL PKCS7 Signed Data Verify Fail Expired Cert #19 depends_on:MBEDTLS_SHA256_C diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index f799c8fb5..168ac6c21 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -55,96 +55,53 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify(char *pkcs7_file, char *crt, char *filetobesigned, int do_hash_alg, +void pkcs7_verify(char *pkcs7_file, + char *crt_files, + char *filetobesigned, + int do_hash_alg, int res_expect) { unsigned char *pkcs7_buf = NULL; - size_t buflen; + size_t buflen, i, k, cnt = 0, n_crts = 1; unsigned char *data = NULL; + char **crt_files_arr = NULL; unsigned char hash[64]; struct stat st; size_t datalen; int res; FILE *file; const mbedtls_md_info_t *md_info; - mbedtls_pkcs7 pkcs7; - mbedtls_x509_crt x509; + mbedtls_x509_crt **crts = NULL; - mbedtls_pkcs7_init(&pkcs7); - mbedtls_x509_crt_init(&x509); - USE_PSA_INIT(); - - res = mbedtls_x509_crt_parse_file(&x509, crt); - TEST_EQUAL(res, 0); - - res = mbedtls_pk_load_file(pkcs7_file, &pkcs7_buf, &buflen); - TEST_EQUAL(res, 0); - - res = mbedtls_pkcs7_parse_der(&pkcs7, pkcs7_buf, buflen); - TEST_EQUAL(res, MBEDTLS_PKCS7_SIGNED_DATA); - - res = stat(filetobesigned, &st); - TEST_EQUAL(res, 0); - - file = fopen(filetobesigned, "rb"); - TEST_ASSERT(file != NULL); - - datalen = st.st_size; - ASSERT_ALLOC(data, datalen); - TEST_ASSERT(data != NULL); - - buflen = fread((void *) data, sizeof(unsigned char), datalen, file); - TEST_EQUAL(buflen, datalen); - fclose(file); - - if (do_hash_alg) { - md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) do_hash_alg); - - res = mbedtls_md(md_info, data, datalen, hash); - TEST_EQUAL(res, 0); - - res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509, hash, mbedtls_md_get_size(md_info)); - } else { - res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509, data, datalen); + /* crt_files are space seprated list */ + for (i = 0; i < strlen(crt_files); i++) { + if (crt_files[i] == ' ') { + n_crts++; + } } - TEST_EQUAL(res, res_expect); -exit: - mbedtls_x509_crt_free(&x509); - mbedtls_free(data); - mbedtls_pkcs7_free(&pkcs7); - mbedtls_free(pkcs7_buf); - USE_PSA_DONE(); -} -/* END_CASE */ + ASSERT_ALLOC(crts, sizeof(*crts)*n_crts); + ASSERT_ALLOC(crt_files_arr, sizeof(*crt_files_arr)*n_crts); -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify_multiple_signers(char *pkcs7_file, - char *crt1, - char *crt2, - char *filetobesigned, - int do_hash_alg, - int res_expect) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - unsigned char *data = NULL; - unsigned char hash[64]; - struct stat st; - size_t datalen; - int res; - FILE *file; - const mbedtls_md_info_t *md_info; - - mbedtls_pkcs7 pkcs7; - mbedtls_x509_crt x509_1; - mbedtls_x509_crt x509_2; + for (i = 0; i < strlen(crt_files); i++) { + for (k = i; k < strlen(crt_files); k++) { + if (crt_files[k] == ' ') { + break; + } + } + ASSERT_ALLOC(crt_files_arr[cnt], (k-i)+1); + crt_files_arr[cnt][k-i] = '\0'; + memcpy(crt_files_arr[cnt++], crt_files + i, k-i); + i = k; + } mbedtls_pkcs7_init(&pkcs7); - mbedtls_x509_crt_init(&x509_1); - mbedtls_x509_crt_init(&x509_2); + for (i = 0; i < n_crts; i++) { + ASSERT_ALLOC(crts[i], sizeof(*crts[i])); + mbedtls_x509_crt_init(crts[i]); + } USE_PSA_INIT(); @@ -154,13 +111,12 @@ void pkcs7_verify_multiple_signers(char *pkcs7_file, res = mbedtls_pkcs7_parse_der(&pkcs7, pkcs7_buf, buflen); TEST_EQUAL(res, MBEDTLS_PKCS7_SIGNED_DATA); - TEST_EQUAL(pkcs7.signed_data.no_of_signers, 2); + TEST_EQUAL(pkcs7.signed_data.no_of_signers, n_crts); - res = mbedtls_x509_crt_parse_file(&x509_1, crt1); - TEST_EQUAL(res, 0); - - res = mbedtls_x509_crt_parse_file(&x509_2, crt2); - TEST_EQUAL(res, 0); + for (i = 0; i < n_crts; i++) { + res = mbedtls_x509_crt_parse_file(crts[i], crt_files_arr[i]); + TEST_EQUAL(res, 0); + } res = stat(filetobesigned, &st); TEST_EQUAL(res, 0); @@ -181,21 +137,29 @@ void pkcs7_verify_multiple_signers(char *pkcs7_file, res = mbedtls_md(md_info, data, datalen, hash); TEST_EQUAL(res, 0); - res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509_1, hash, mbedtls_md_get_size(md_info)); - TEST_EQUAL(res, res_expect); - res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509_2, hash, mbedtls_md_get_size(md_info)); - TEST_EQUAL(res, res_expect); + for (i = 0; i < n_crts; i++) { + res = + mbedtls_pkcs7_signed_hash_verify(&pkcs7, crts[i], hash, + mbedtls_md_get_size(md_info)); + TEST_EQUAL(res, res_expect); + } } else { - res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509_1, data, datalen); - TEST_EQUAL(res, res_expect); - res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509_2, data, datalen); - TEST_EQUAL(res, res_expect); + for (i = 0; i < n_crts; i++) { + res = mbedtls_pkcs7_signed_data_verify(&pkcs7, crts[i], data, datalen); + TEST_EQUAL(res, res_expect); + } } exit: - mbedtls_x509_crt_free(&x509_1); - mbedtls_x509_crt_free(&x509_2); + for (i = 0; i < n_crts; i++) { + mbedtls_x509_crt_free(crts[i]); + mbedtls_free(crts[i]); + mbedtls_free(crt_files_arr[i]); + } + mbedtls_pkcs7_free(&pkcs7); + mbedtls_free(crt_files_arr); + mbedtls_free(crts); mbedtls_free(data); mbedtls_free(pkcs7_buf); USE_PSA_DONE();