From patchwork Wed Mar 15 01:35:14 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3131
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Mar 2023 21:35:14 -0400
Message-Id: <20230315013516.1256700-3-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230315013516.1256700-1-selva.nair@gmail.com>
References: <20230315013516.1256700-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 2/4] Add tests for finding certificates in Windows cert store

From: Selva Nair

- find_certificate_in_store tested using 'SUBJ:', 'THUMB:' and 'ISSUER:'
  select strings. Uses test certificates imported into the store during
  the import test.

Change-Id: Ib5138465e6228538af592ca98b3d877277355f59
Signed-off-by: Selva Nair
Acked-by: Gert Doering
---
 tests/unit_tests/openvpn/test_cryptoapi.c | 102 ++++++++++++++++++++++
 1 file changed, 102 insertions(+)
diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c
index 54dbd094..ccb3207c 100644
--- a/tests/unit_tests/openvpn/test_cryptoapi.c
+++ b/tests/unit_tests/openvpn/test_cryptoapi.c
@@ -237,6 +237,105 @@ cleanup(void **state) return 0; } +static void +test_find_cert_bythumb(void **state) +{ + (void) state; + char select_string[64]; + struct gc_arena gc = gc_new(); + const CERT_CONTEXT *ctx; + + import_certs(state); /* a no-op if already imported */ + assert_non_null(user_store); + + for (struct test_cert *c = certs; c->cert; c++) + { + openvpn_snprintf(select_string, sizeof(select_string), "THUMB:%s", c->hash); + ctx = find_certificate_in_store(select_string, user_store); + if (ctx) + { + /* check we got the right certificate and is valid */ + assert_int_equal(c->valid, 1); + char *friendly_name = get_cert_name(ctx, &gc); + assert_string_equal(c->friendly_name, friendly_name); + CertFreeCertificateContext(ctx); + } + else + { + /* find should fail only if the certificate has expired */ + assert_int_equal(c->valid, 0); + } + } + + gc_free(&gc); +} + +static void +test_find_cert_byname(void **state) +{ + (void) state; + char select_string[64]; + struct gc_arena gc = gc_new(); + const CERT_CONTEXT *ctx; + + import_certs(state); /* a no-op if already imported */ + assert_non_null(user_store); + + for (struct test_cert *c = certs; c->cert; c++) + { + openvpn_snprintf(select_string, sizeof(select_string), "SUBJ:%s", c->cname); + ctx = find_certificate_in_store(select_string, user_store); + /* In this case we expect a successful return as there is at least one valid + * cert that matches the common name. But the returned cert may not exactly match + * c->cert as multiple certs with same common names exist in the db. We check that + * the return cert is one from our db, has a matching common name and is valid. 
+ */ + assert_non_null(ctx); + + char *friendly_name = get_cert_name(ctx, &gc); + struct test_cert *found = lookup_cert(friendly_name); + assert_non_null(found); + assert_string_equal(found->cname, c->cname); + assert_int_equal(found->valid, 1); + CertFreeCertificateContext(ctx); + } + + gc_free(&gc); +} + +static void +test_find_cert_byissuer(void **state) +{ + (void) state; + char select_string[64]; + struct gc_arena gc = gc_new(); + const CERT_CONTEXT *ctx; + + import_certs(state); /* a no-op if already imported */ + assert_non_null(user_store); + + for (struct test_cert *c = certs; c->cert; c++) + { + openvpn_snprintf(select_string, sizeof(select_string), "ISSUER:%s", c->issuer); + ctx = find_certificate_in_store(select_string, user_store); + /* In this case we expect a successful return as there is at least one valid + * cert that matches the issuer. But the returned cert may not exactly match + * c->cert as multiple certs with same issuer exist in the db. We check that + * the returned cert is one from our db, has a matching issuer name and is valid. + */ + assert_non_null(ctx); + + char *friendly_name = get_cert_name(ctx, &gc); + struct test_cert *found = lookup_cert(friendly_name); + assert_non_null(found); + assert_string_equal(found->issuer, c->issuer); + assert_int_equal(found->valid, 1); + CertFreeCertificateContext(ctx); + } + + gc_free(&gc); +} + static void test_parse_hexstring(void **state) { @@ -264,6 +363,9 @@ main(void) const struct CMUnitTest tests[] = { cmocka_unit_test(test_parse_hexstring), cmocka_unit_test(import_certs), + cmocka_unit_test(test_find_cert_bythumb), + cmocka_unit_test(test_find_cert_byname), + cmocka_unit_test(test_find_cert_byissuer), }; int ret = cmocka_run_group_tests_name("cryptoapi tests", tests, NULL, cleanup);
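Review bot: in the first hunk, `char select_string[64]` is sized with the `THUMB:` case in mind, but test_find_cert_byname and test_find_cert_byissuer format `SUBJ:%s` and `ISSUER:%s` into the same 64-byte buffer and ignore the return value of openvpn_snprintf, so a longer subject or issuer name added to the test database would be silently truncated and the lookup would then fail at `assert_non_null(ctx)` with no hint that truncation was the cause. Either enlarge the buffer or assert on the result, e.g. `assert_true(openvpn_snprintf(select_string, sizeof(select_string), "SUBJ:%s", c->cname));`, so the test fails at the point of truncation. A smaller style point: the `(void) state;` at the top of all three tests is redundant, since `state` is used two lines later in `import_certs(state)`.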