From patchwork Wed Mar 15 01:35:13 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3134
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Mar 2023 21:35:13 -0400
Message-Id: <20230315013516.1256700-2-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230315013516.1256700-1-selva.nair@gmail.com>
References: <20230315013516.1256700-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 1/4] Import some sample certificates into Windows store for testing

From: Selva Nair

- A few sample certificates are defined and imported into the Windows certificate store (user store). This only tests the import process. Use of these certs to test the core functionality of 'cryptoapicert' is in the following commits.

Change-Id: Ida5fc12c5bad5fde202da0bf0e8cdc71efe548c2
Signed-off-by: Selva Nair Acked-by: Gert Doering --- tests/unit_tests/openvpn/cert_data.h | 166 ++++++++++++++++++++++ tests/unit_tests/openvpn/test_cryptoapi.c | 160 ++++++++++++++++++++- 2 files changed, 324 insertions(+), 2 deletions(-) create mode 100644 tests/unit_tests/openvpn/cert_data.h diff --git a/tests/unit_tests/openvpn/cert_data.h b/tests/unit_tests/openvpn/cert_data.h new file mode 100644 index 00000000..33de35ec --- /dev/null +++ b/tests/unit_tests/openvpn/cert_data.h 
@@ -0,0 +1,166 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 Selva Nair + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 2 of the License, + * or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef CERT_DATA_H +#define CERT_DATA_H + +/* Some certificates and their private keys for testing cryptoapi.c. + * Two certificates, cert1 (EC) and cert3 (RSA) are signed by one CA + * and the other two, cert2 (EC) and cert4 (RSA), by another to have a + * different issuer name. The common name of cert4 is the same as + * that of cert3 but the former has expired. It is used to test + * retrieval of valid certificate by name when an expired one with same + * common name exists. + * To reduce data volume, certs of same keytype use the same private key. 
+ */ + +/* sample-ec.crt */ +static const char *const cert1 = + "-----BEGIN CERTIFICATE-----\n" + "MIIClzCCAX+gAwIBAgIRAIJr3cy95V63CPEtaAA8JN4wDQYJKoZIhvcNAQELBQAw\n" + "GDEWMBQGA1UEAwwNT1ZQTiBURVNUIENBMTAgFw0yMzAzMTMxNjExMjhaGA8yMTIz\n" + "MDIxNzE2MTEyOFowGDEWMBQGA1UEAwwNb3Zwbi10ZXN0LWVjMTBZMBMGByqGSM49\n" + "AgEGCCqGSM49AwEHA0IABHhJG+dK4Z0mY+K0pupwVtyDLOwwGWHjBY6u3LgjRmUh\n" + "fFjaoSfJvdgrPg50wbOkrsUt9Bl6EeDosZuVwuzgRbujgaQwgaEwCQYDVR0TBAIw\n" + "ADAdBgNVHQ4EFgQUPWeU5BEmD8VEOSKeNf9kAvhcVuowUwYDVR0jBEwwSoAU3MLD\n" + "NDOK13DqflQ8ra7FeGBXK06hHKQaMBgxFjAUBgNVBAMMDU9WUE4gVEVTVCBDQTGC\n" + "FD55ErHXpK2JXS3WkfBm0NB1r3vKMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1Ud\n" + "DwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAhH/wOFqP4R+FK5QvU+oW/XacFMku\n" + "+qT8lL9J7BG28WhZ0ZcAy/AmtnyynkDyuZSwnlzGgJ5m4L/RfwTzJKhEHiSU3BvB\n" + "5C1Z1Q8k67MHSfb565iCn8GzPUQLK4zsILCoTkJPvimv2bJ/RZmNaD+D4LWiySD4\n" + "tuOEdHKrxIrbJ5eAaN0WxRrvDdwGlyPvbMFvfhXzd/tbkP4R2xvlm7S2DPeSTJ8s\n" + "srXMaPe0lAea4etMSZsjIRPwGRMXBrwbRmb6iN2Cq40867HdaJoAryYig7IiDwSX\n" + "htCbOA6sX+60+FEOYDEx5cmkogl633Pw7LJ3ICkyzIrUSEt6BOT1Gsc1eQ==\n" + "-----END CERTIFICATE-----\n"; +static const char *const key1 = + "-----BEGIN PRIVATE KEY-----\n" + "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg5Xpw/lLvBrWjAWDq\n" + "L6dm/4a1or6AQ6O3yXYgw78B23ihRANCAAR4SRvnSuGdJmPitKbqcFbcgyzsMBlh\n" + "4wWOrty4I0ZlIXxY2qEnyb3YKz4OdMGzpK7FLfQZehHg6LGblcLs4EW7\n" + "-----END PRIVATE KEY-----\n"; +static const char *const hash1 = "A4B74F1D68AF50691F62CBD675E24C8655369567"; +static const char *const cname1 = "ovpn-test-ec1"; + +static const char *const cert2 = + "-----BEGIN CERTIFICATE-----\n" + "MIIClzCCAX+gAwIBAgIRAN9fIkTDOjX0Bd9adHVcLx8wDQYJKoZIhvcNAQELBQAw\n" + "GDEWMBQGA1UEAwwNT1ZQTiBURVNUIENBMjAgFw0yMzAzMTMxODAzMzFaGA8yMTIz\n" + "MDIxNzE4MDMzMVowGDEWMBQGA1UEAwwNb3Zwbi10ZXN0LWVjMjBZMBMGByqGSM49\n" + "AgEGCCqGSM49AwEHA0IABHhJG+dK4Z0mY+K0pupwVtyDLOwwGWHjBY6u3LgjRmUh\n" + "fFjaoSfJvdgrPg50wbOkrsUt9Bl6EeDosZuVwuzgRbujgaQwgaEwCQYDVR0TBAIw\n" + 
"ADAdBgNVHQ4EFgQUPWeU5BEmD8VEOSKeNf9kAvhcVuowUwYDVR0jBEwwSoAUyX3c\n" + "tpRP5cKlESsG80rOGhEphsGhHKQaMBgxFjAUBgNVBAMMDU9WUE4gVEVTVCBDQTKC\n" + "FBc8ra53hwYrlIkdY3Ay1WCrrHJ8MBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1Ud\n" + "DwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAWmA40BvEgBbKb1ReKlKzk64xi2ak\n" + "4tyr3sW9wIYQ2N1zkSomwEV6wGEawLqPADRbXiYdjtAqLz12OJvBnBwgxN3dVmqL\n" + "6UN4ZIwMWJ4fSW9vK/Nt+JNwebN+Jgw/nIXvSdK95ha4iusZZOIZ4qDj3DWwjhjV\n" + "L5/m6zP09L9G9/79j1Tsu4Stl5SI1XxtYc0eVn29vJEMBfpsS7pPD6V9JpY3Y1f3\n" + "HeTsAlHjfFEReVDiNCI9vMQLKFKKWnAorT2+iyRueA3bt2gchf863BBhZvJddL7Q\n" + "KBa0osXw+eGBRAwsm7m1qCho3b3fN2nFAa+k07ptRkOeablmFdXE81nVlA==\n" + "-----END CERTIFICATE-----\n"; +static const char *const key2 = key1; +static const char *const hash2 = "FA18FD34BAABE47D6E2910E080F421C109CA97F5"; +static const char *const cname2 = "ovpn-test-ec2"; + +static const char *const cert3 = + "-----BEGIN CERTIFICATE-----\n" + "MIIDYzCCAkugAwIBAgIRALrXTx4lqa8QgF7uGjISxmcwDQYJKoZIhvcNAQELBQAw\n" + "GDEWMBQGA1UEAwwNT1ZQTiBURVNUIENBMTAgFw0yMzAzMTMxNjA5MThaGA8yMTIz\n" + "MDIxNzE2MDkxOFowGTEXMBUGA1UEAwwOb3Zwbi10ZXN0LXJzYTEwggEiMA0GCSqG\n" + "SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7xFoR6fmoyfsJIQDKKgbYgFw0MzVuDAmp\n" + "Rx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/4dRR3skisBug6Vd5LXeB\n" + "GZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159x9FBDl5A3sLP18ubeex0\n" + "pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwTPnS+CRXrSq4JjGDJLsXl\n" + "0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIhLbG2DcIv8l29EuEj2w3j\n" + "u/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJcDjOZVCArAgMBAAGjgaQw\n" + "gaEwCQYDVR0TBAIwADAdBgNVHQ4EFgQUqYnRaBHrZmKLtMZES5AuwqzJkGYwUwYD\n" + "VR0jBEwwSoAU3MLDNDOK13DqflQ8ra7FeGBXK06hHKQaMBgxFjAUBgNVBAMMDU9W\n" + "UE4gVEVTVCBDQTGCFD55ErHXpK2JXS3WkfBm0NB1r3vKMBMGA1UdJQQMMAoGCCsG\n" + "AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAZVcXrezA9Aby\n" + "sfUNHAsMxrex/EO0PrIPSrmSmc9sCiD8cCIeB6kL8c5iPPigoWW0uLA9zteDRFes\n" + "ez+Z8wBY6g8VQ0tFPURDooUg5011GZPDcuw7/PsI4+I2J9q6LHEp+6Oo4faSn/kl\n" + 
"yWYCLjM4FZdGXbOijDacQJiN6HcRv0UdodBrEVRf7YHJJmMCbCI7ZUGW2zef/+rO\n" + "e4Lkxh0MLYqCkNKH5ZfoGTC4Oeb0xKykswAanqgR60r+upaLU8PFuI2L9M3vc6KU\n" + "F6MgVGSxl6eylJgDYckvJiAbmcp2PD/LRQQOxQA0yqeAMg2cbdvclETuYD6zoFfu\n" + "Y8aO7dvDlw==\n" + "-----END CERTIFICATE-----\n"; +static const char *const key3 = + "-----BEGIN PRIVATE KEY-----\n" + "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n" + "IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n" + "4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n" + "x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n" + "PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n" + "LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n" + "DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n" + "v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n" + "EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n" + "slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n" + "BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n" + "U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n" + "YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8U5kE9hs3nEF4j/kX1ZWG\n" + "k11tdsNTZN5x5bbAgEgPA6Ap6J/uto0HS8G0vSv0lyBymdKA3p/i5Dx+8Nc9cGns\n" + "LGI9MvviLX7pQFIkvbaCkdKwYwKBgQDirowjWZnm7BgVhF0G1m3DY9nQTYYU185W\n" + "UESaO5/nVzwUrA+FypJamD+AvmlSuY8rJeQAGAS6nQr9G8/617r+GwJnzRtxC6Vl\n" + "4OF5BJRsD70oX4CFOOlycMoJ8tzcYVH7NI8KVocjxb+QW82hqSvEwSsvnwwn3eOW\n" + "nr5u5vIHmQKBgCuc3lL6Dl1ntdZgEIdau0cUjXDoFUo589TwxBDIID/4gaZxoMJP\n" + "hPFXAVDxMDPw4azyjSB/47tPKTUsuYcnMfT8kynIujOEwnSPLcLgxQU5kgM/ynuw\n" + "qhNpQOwaVRMc7f2RTCMXPBYDpNE/GJn5eu8JWGLpZovEreBeoHX0VffvAoGAVrWn\n" + "+3mxykhzaf+oyg3KDNysG+cbq+tlDVVE+K5oG0kePVYX1fjIBQmJ+QhdJ3y9jCbB\n" + "UVveqzeZVXqHEw/kgoD4aZZmsdZfnVnpRa5/y9o1ZDUr50n+2nzUe/u/ijlb77iK\n" + "Is04gnGJNoI3ZWhdyrSNfXjcYH+bKClu9OM4n7kCgYAorc3PAX7M0bsQrrqYxUS8\n" + 
"56UU0YdhAgYitjM7Fm/0iIm0vDpSevxL9js4HnnsSMVR77spCBAGOCCZrTcI3Ejg\n" + "xKDYzh1xlfMRjJBuBu5Pd55ZAv9NXFGpsX5SO8fDZQJMwpcbQH36+UdqRRFDpjJ0\n" + "ZbX6nKcJ7jciJVKJds59Jg==\n" + "-----END PRIVATE KEY-----\n"; +static const char *const hash3 = "2463628674E362578113F508BA05F29EF142E979"; +static const char *const cname3 = "ovpn-test-rsa1"; + +static const char *const cert4 = + "-----BEGIN CERTIFICATE-----\n" + "MIIDYTCCAkmgAwIBAgIRAPTJucQy27qoIv0oYoE71z8wDQYJKoZIhvcNAQELBQAw\n" + "GDEWMBQGA1UEAwwNT1ZQTiBURVNUIENBMjAeFw0yMzAzMTMxNzQ2MDNaFw0yMzAz\n" + "MTQxNzQ2MDNaMBkxFzAVBgNVBAMMDm92cG4tdGVzdC1yc2ExMIIBIjANBgkqhkiG\n" + "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu8RaEen5qMn7CSEAyioG2IBcNDM1bgwJqUce\n" + "ikxIoYE3IZEMfXx3XVmyojlG3BJ0Ityzbsez+EFZf+HUUd7JIrAboOlXeS13gRma\n" + "pqbuV2YheA4C89ZV9tRtGjqIBVpIntqhhHLKONNefcfRQQ5eQN7Cz9fLm3nsdKXf\n" + "wcwxb+kizk8lVjvxgjXPCF/4tLjeJi76FVNNEnqsEz50vgkV60quCYxgyS7F5dPz\n" + "5cZI7IFNMjjgNGdnfBc5N8ApcD+h3OPQTjFirLVCIS2xtg3CL/JdvRLhI9sN47v+\n" + "4JHsKJfel0NrcKT76aFQGolYf5u4UFHEDkUAg+niXA4zmVQgKwIDAQABo4GkMIGh\n" + "MAkGA1UdEwQCMAAwHQYDVR0OBBYEFKmJ0WgR62Zii7TGREuQLsKsyZBmMFMGA1Ud\n" + "IwRMMEqAFMl93LaUT+XCpRErBvNKzhoRKYbBoRykGjAYMRYwFAYDVQQDDA1PVlBO\n" + "IFRFU1QgQ0EyghQXPK2ud4cGK5SJHWNwMtVgq6xyfDATBgNVHSUEDDAKBggrBgEF\n" + "BQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAFjJvZFwhY77UOWu\n" + "O6n5yLxcG6/VNWMbD0CazZP8pBqCGJRU9Rq0vXxZ00E0WSYTJLZoq1aFmeWIX0vZ\n" + "sudVkdbfWLdiwuQZDWBS+qC4SkIcnNe5FYSSUlXlvpSUN2CgGCLmryP+SZKHp8YV\n" + "e37pQxDjImXCu5Jdk5AhK6pkFm5IMskdTKfWJjjR69lBgWHPoM2WAwkV8vxKdpy8\n" + "0Bqef8MZZM+qVYw7OguAFos2Am7waLpa3q9SYqCRYctq4Q2++p2WjINv3nkXIwYS\n" + "353PpJJ9s2b/Fqoc4d7udqhQogA7jqbayTKhJxbT134l2NzqDROzuS0kXbX8bXCi\n" + "mXSa4c8=\n" + "-----END CERTIFICATE-----\n"; +static const char *const key4 = key3; +static const char *const hash4 = "E1401D4497C944783E3D62CDBD2A1F69F5E5071E"; +static const char *const cname4 = cname3; /* same CN as that of cert3 */ + +#endif /* CERT_DATA_H */ 
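Review bot: the header comment in cert_data.h should say outright that key1..key4 are throwaway test-only keys and should record cert4's validity window, since the name-lookup behaviour the comment describes depends on cert4 already being expired while cert3 with the same CN is still valid; a one-line note on how hash1..hash4 were produced (they are described only as SHA1 fingerprints, e.g. `openssl x509 -noout -fingerprint -sha1`) would let a maintainer regenerate all four values consistently when the certificates are replaced.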
diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c index 73ef34e9..54dbd094 100644 --- a/tests/unit_tests/openvpn/test_cryptoapi.c +++ b/tests/unit_tests/openvpn/test_cryptoapi.c @@ -32,6 +32,7 @@ #include "manage.h" #include "integer.h" #include "xkey_common.h" +#include "cert_data.h" #if defined(HAVE_XKEY_PROVIDER) && defined (ENABLE_CRYPTOAPI) #include @@ -40,6 +41,7 @@ #include #include #include +#include #include #include /* pull-in the whole file to test static functions */ 
@@ -84,6 +86,157 @@ static const char *invalid_str[] = { "7738x5001e9648c6570baec0b796f9664d5fd0b7", /* non hex character */ }; +/* Test certificate database: data for cert1, cert2 .. key1, key2 etc. + * are stashed away in cert_data.h + */ +static struct test_cert +{ + const char *const cert; /* certificate as PEM */ + const char *const key; /* key as unencrypted PEM */ + const char *const cname; /* common-name */ + const char *const issuer; /* issuer common-name */ + const char *const friendly_name; /* identifies certs loaded to the store -- keep unique */ + const char *hash; /* SHA1 fingerprint */ + int valid; /* nonzero if certificate has not expired */ +} certs[] = { + {cert1, key1, cname1, "OVPN TEST CA1", "OVPN Test Cert 1", hash1, 1}, + {cert2, key2, cname2, "OVPN TEST CA2", "OVPN Test Cert 2", hash2, 1}, + {cert3, key3, cname3, "OVPN TEST CA1", "OVPN Test Cert 3", hash3, 1}, + {cert4, key4, cname4, "OVPN TEST CA2", "OVPN Test Cert 4", hash4, 0}, + {} +}; + +static bool certs_loaded; +static HCERTSTORE user_store; + +/* Lookup a certificate in our certificate/key db */ +static struct test_cert * +lookup_cert(const char *friendly_name) +{ + struct test_cert *c = certs; + while (c->cert && strcmp(c->friendly_name, friendly_name)) + { + c++; + } + return c->cert ? 
c : NULL; +} + +/* import sample certificates into windows cert store */ +static void +import_certs(void **state) +{ + (void) state; + if (certs_loaded) + { + return; + } + user_store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER + |CERT_STORE_OPEN_EXISTING_FLAG, L"MY"); + assert_non_null(user_store); + for (struct test_cert *c = certs; c->cert; c++) + { + /* Convert PEM cert & key to pkcs12 and import */ + const char *pass = "opensesame"; /* some password */ + const wchar_t *wpass = L"opensesame"; /* same as a wide string */ + + X509 *x509 = NULL; + EVP_PKEY *pkey = NULL; + + BIO *buf = BIO_new_mem_buf(c->cert, -1); + if (buf) + { + x509 = PEM_read_bio_X509(buf, NULL, NULL, NULL); + } + BIO_free(buf); + + buf = BIO_new_mem_buf(c->key, -1); + if (buf) + { + pkey = PEM_read_bio_PrivateKey(buf, NULL, NULL, NULL); + } + BIO_free(buf); + + if (!x509 || !pkey) + { + fail_msg("Failed to parse certificate/key data: <%s>", c->friendly_name); + return; + } + + PKCS12 *p12 = PKCS12_create(pass, c->friendly_name, pkey, x509, NULL, 0, 0, 0, 0, 0); + X509_free(x509); + EVP_PKEY_free(pkey); + if (!p12) + { + fail_msg("Failed to convert to PKCS12: <%s>", c->friendly_name); + return; + } + + CRYPT_DATA_BLOB blob = {.cbData = 0, .pbData = NULL}; + int len = i2d_PKCS12(p12, &blob.pbData); /* pbData will be allocated by OpenSSL */ + if (len <= 0) + { + fail_msg("Failed to DER encode PKCS12: <%s>", c->friendly_name); + return; + } + blob.cbData = len; + + DWORD flags = PKCS12_ALLOW_OVERWRITE_KEY|PKCS12_ALWAYS_CNG_KSP; + HCERTSTORE tmp_store = PFXImportCertStore(&blob, wpass, flags); + PKCS12_free(p12); + OPENSSL_free(blob.pbData); + + assert_non_null(tmp_store); + + /* The cert and key get imported into a temp store. We have to move it to + * user's store to accumulate all certs in one place and use them for tests. + * It seems there is no API to directly import a p12 blob into an existing store. + * Nothing in Windows is ever easy. 
+ */ + + const CERT_CONTEXT *ctx = CertEnumCertificatesInStore(tmp_store, NULL); + assert_non_null(ctx); + bool added = CertAddCertificateContextToStore(user_store, ctx, + CERT_STORE_ADD_REPLACE_EXISTING, NULL); + assert_true(added); + + CertFreeCertificateContext(ctx); + CertCloseStore(tmp_store, 0); + } + certs_loaded = true; +} + +static int +cleanup(void **state) +{ + (void) state; + struct gc_arena gc = gc_new(); + if (user_store) /* delete all certs we imported */ + { + const CERT_CONTEXT *ctx = NULL; + while ((ctx = CertEnumCertificatesInStore(user_store, ctx))) + { + char *friendly_name = get_cert_name(ctx, &gc); + if (!lookup_cert(friendly_name)) /* not our cert */ + { + continue; + } + + /* create a dup context to not destroy the state of loop iterator */ + const CERT_CONTEXT *ctx_dup = CertDuplicateCertificateContext(ctx); + if (ctx_dup) + { + CertDeleteCertificateFromStore(ctx_dup); + /* the above also releases ctx_dup */ + } + } + CertCloseStore(user_store, 0); + } + user_store = NULL; + certs_loaded = false; + gc_free(&gc); + return 0; +} + static void test_parse_hexstring(void **state) { 
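Review bot: cleanup() removes the imported certificates but not their private keys: PFXImportCertStore with PKCS12_ALWAYS_CNG_KSP persists each key in the user's CNG key storage provider, and CertDeleteCertificateFromStore deletes only the certificate context, so every test run leaves four orphaned key containers behind unless the key is deleted explicitly (acquire it with CryptAcquireCertificatePrivateKey before deleting the cert, then NCryptDeleteKey); either do that or document the residue in the comment. Two smaller points: in import_certs, when the certificate parses but the key does not, `x509` is leaked before `fail_msg`; and in cleanup, `lookup_cert(friendly_name)` passes the result of get_cert_name straight to strcmp, so a NULL guard is needed if get_cert_name can return NULL for a certificate that has no friendly name.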
@@ -108,9 +261,12 @@ test_parse_hexstring(void **state) int main(void) { - const struct CMUnitTest tests[] = { cmocka_unit_test(test_parse_hexstring) }; + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_parse_hexstring), + cmocka_unit_test(import_certs), + }; - int ret = cmocka_run_group_tests_name("cryptoapi tests", tests, NULL, NULL); + int ret = cmocka_run_group_tests_name("cryptoapi tests", tests, NULL, cleanup); return ret; }

From patchwork Wed Mar 15 01:35:14 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3131
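Review bot: registering import_certs as an ordinary cmocka_unit_test in main() turns store population into an implicit ordering dependency for every later test that uses the imported certificates (the 'SUBJ:'/'THUMB:'/'ISSUER:' lookups of patch 2/4); cmocka runs the array in order so it works, but passing import_certs as the group_setup argument of cmocka_run_group_tests_name (the slot left NULL next to the new cleanup teardown) would express that dependency and fail fast before any lookup test runs if the import itself fails. The function already has the `void **state` signature a group setup needs; it would only have to return an int.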
From: selva.nair@gmail.com To: openvpn-devel@lists.sourceforge.net Date: Tue, 14 Mar 2023 21:35:14 -0400 Message-Id: <20230315013516.1256700-3-selva.nair@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230315013516.1256700-1-selva.nair@gmail.com> References: <20230315013516.1256700-1-selva.nair@gmail.com> MIME-Version: 1.0 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Selva Nair - find_certificate_in_store tested using 'SUBJ:', 'THUMB:' and 'ISSUER:' select strings. Uses test certificates imported into the store during the import test. Change-Id: Ib5138465e6228538af592ca98b3d877277355f59 
Signed-off-by: Selva Nair --- tests/unit_tests/openvpn/test_cryptoapi.c | 102 ++++++++++++++++++++++ 1 file changed, 102 insertions(+) Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [selva.nair[at]gmail.com] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.166.41 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.166.41 listed in list.dnswl.org] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Headers-End: 1pcG3A-008tLL-2U Subject: [Openvpn-devel] [PATCH 2/4] Add tests for finding certificates in Windows cert store X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1760395690129878879?= X-GMAIL-MSGID: =?utf-8?q?1760395690129878879?= From: Selva Nair - find_certificate_in_store tested using 'SUBJ:', 'THUMB:' and 'ISSUER:' select strings. Uses test certificates imported into the store during the import test. Change-Id: Ib5138465e6228538af592ca98b3d877277355f59 Signed-off-by: Selva Nair Acked-by: Gert Doering --- tests/unit_tests/openvpn/test_cryptoapi.c | 102 ++++++++++++++++++++++ 1 file changed, 102 insertions(+) 
diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c index 54dbd094..ccb3207c 100644 --- a/tests/unit_tests/openvpn/test_cryptoapi.c +++ b/tests/unit_tests/openvpn/test_cryptoapi.c 
@@ -237,6 +237,105 @@ cleanup(void **state) return 0; } +static void +test_find_cert_bythumb(void **state) +{ + (void) state; + char select_string[64]; + struct gc_arena gc = gc_new(); + const CERT_CONTEXT *ctx; + + import_certs(state); /* a no-op if already imported */ + assert_non_null(user_store); + + for (struct test_cert *c = certs; c->cert; c++) + { + openvpn_snprintf(select_string, sizeof(select_string), "THUMB:%s", c->hash); + ctx = find_certificate_in_store(select_string, user_store); + if (ctx) + { + /* check we got the right certificate and is valid */ + assert_int_equal(c->valid, 1); + char *friendly_name = get_cert_name(ctx, &gc); + assert_string_equal(c->friendly_name, friendly_name); + CertFreeCertificateContext(ctx); + } + else + { + /* find should fail only if the certificate has expired */ + assert_int_equal(c->valid, 0); + } + } + + gc_free(&gc); +} + +static void +test_find_cert_byname(void **state) +{ + (void) state; + char select_string[64]; + struct gc_arena gc = gc_new(); + const CERT_CONTEXT *ctx; + + import_certs(state); /* a no-op if already imported */ + assert_non_null(user_store); + + for (struct test_cert *c = certs; c->cert; c++) + { + openvpn_snprintf(select_string, sizeof(select_string), "SUBJ:%s", c->cname); + ctx = find_certificate_in_store(select_string, user_store); + /* In this case we expect a successful return as there is at least one valid + * cert that matches the common name. But the returned cert may not exactly match + * c->cert as multiple certs with same common names exist in the db. We check that + * the return cert is one from our db, has a matching common name and is valid. 
+ */ + assert_non_null(ctx); + + char *friendly_name = get_cert_name(ctx, &gc); + struct test_cert *found = lookup_cert(friendly_name); + assert_non_null(found); + assert_string_equal(found->cname, c->cname); + assert_int_equal(found->valid, 1); + CertFreeCertificateContext(ctx); + } + + gc_free(&gc); +} + +static void +test_find_cert_byissuer(void **state) +{ + (void) state; + char select_string[64]; + struct gc_arena gc = gc_new(); + const CERT_CONTEXT *ctx; + + import_certs(state); /* a no-op if already imported */ + assert_non_null(user_store); + + for (struct test_cert *c = certs; c->cert; c++) + { + openvpn_snprintf(select_string, sizeof(select_string), "ISSUER:%s", c->issuer); + ctx = find_certificate_in_store(select_string, user_store); + /* In this case we expect a successful return as there is at least one valid + * cert that matches the issuer. But the returned cert may not exactly match + * c->cert as multiple certs with same issuer exist in the db. We check that + * the returned cert is one from our db, has a matching issuer name and is valid. + */ + assert_non_null(ctx); + + char *friendly_name = get_cert_name(ctx, &gc); + struct test_cert *found = lookup_cert(friendly_name); + assert_non_null(found); + assert_string_equal(found->issuer, c->issuer); + assert_int_equal(found->valid, 1); + CertFreeCertificateContext(ctx); + } + + gc_free(&gc); +} + static void test_parse_hexstring(void **state) { 
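Review bot: select_string is a fixed 64-byte buffer and openvpn_snprintf() truncates silently, so in test_find_cert_byname and test_find_cert_byissuer a long c->cname or c->issuer in the test data would yield a truncated 'SUBJ:'/'ISSUER:' string and the test would then fail at assert_non_null(ctx) with no hint of the real cause. Suggest asserting on the boolean return (false on truncation), e.g. `assert_true(openvpn_snprintf(select_string, sizeof(select_string), "SUBJ:%s", c->cname));`, or sizing the buffer from the longest field in certs. The comment in test_find_cert_bythumb, "check we got the right certificate and is valid", also reads better as "check that we got the right certificate and that it is valid".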
@@ -264,6 +363,9 @@ main(void) const struct CMUnitTest tests[] = { cmocka_unit_test(test_parse_hexstring), cmocka_unit_test(import_certs), + cmocka_unit_test(test_find_cert_bythumb), + cmocka_unit_test(test_find_cert_byname), + cmocka_unit_test(test_find_cert_byissuer), }; int ret = cmocka_run_group_tests_name("cryptoapi tests", tests, NULL, cleanup);

From patchwork Wed Mar 15 01:35:15 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3132
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Mar 2023 21:35:15 -0400
Message-Id: <20230315013516.1256700-4-selva.nair@gmail.com>
In-Reply-To: <20230315013516.1256700-1-selva.nair@gmail.com>
References: <20230315013516.1256700-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 3/4] Refactor SSL_CTX_use_CryptoAPI_certificate()

From: Selva Nair

- Loading the certificate and key into the provider is split out of setting up the SSL context. This allows testing of signing by cryptoapi-provider interface without dependence on SSL context or link-time wrapping.

Change-Id: I269b94589636425e1ba9bf953047d238fa830376
Signed-off-by: Selva Nair
Acked-by: Gert Doering
---
 src/openvpn/cryptoapi.c | 63 +++++++++++++++++++++++++++--------------
 1 file changed, 41 insertions(+), 22 deletions(-)
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 022f53d4..20b7d985 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -401,11 +401,17 @@ get_cert_name(const CERT_CONTEXT *cc, struct gc_arena *gc) return name; } -int -SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) +/** + * Load certificate matching 'cert_prop' from Windows cert store + * into xkey provider and return pointers to X509 cert and private key. + * Returns 1 on success, 0 on error. + * Caller must free 'cert' and 'privkey' after use. + */ +static int +Load_CryptoAPI_certificate(const char *cert_prop, X509 **cert, EVP_PKEY **privkey) { + HCERTSTORE cs; - X509 *cert = NULL; CAPI_DATA *cd = calloc(1, sizeof(*cd)); struct gc_arena gc = gc_new(); @@ -450,9 +456,9 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) } /* cert_context->pbCertEncoded is the cert X509 DER encoded. */ - cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded, - cd->cert_context->cbCertEncoded); - if (cert == NULL) + *cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded, + cd->cert_context->cbCertEncoded); + if (*cert == NULL) { msg(M_NONFATAL, "Error in cryptoapicert: X509 certificate decode failed"); goto err; 
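Review bot: the d2i_X509() call in the second hunk hands the address of cd->cert_context->pbCertEncoded to the decoder, and d2i_* functions advance the pointer they are given past the consumed DER, so this writes an end-of-buffer pointer back into the CERT_CONTEXT owned by CryptoAPI; the pattern predates the rename, but these lines are being rewritten anyway. Suggest decoding through a local copy: `const unsigned char *p = cd->cert_context->pbCertEncoded;` followed by `*cert = d2i_X509(NULL, &p, cd->cert_context->cbCertEncoded);`.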
@@ -468,28 +474,16 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) /* private key may be in a token not available, or incompatible with CNG */ msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: failed to acquire key. Key not present or " "is in a legacy token not supported by Windows CNG API"); - goto err; - } - - /* Public key in cert is NULL until we call SSL_CTX_use_certificate(), - * so we do it here then... */ - if (!SSL_CTX_use_certificate(ssl_ctx, cert)) - { + X509_free(*cert); goto err; } /* the public key */ - EVP_PKEY *pkey = X509_get_pubkey(cert); + EVP_PKEY *pkey = X509_get_pubkey(*cert); cd->pubkey = pkey; /* will be freed with cd */ - /* SSL_CTX_use_certificate() increased the reference count in 'cert', so - * we decrease it here with X509_free(), or it will never be cleaned up. */ - X509_free(cert); - cert = NULL; - - EVP_PKEY *privkey = xkey_load_generic_key(tls_libctx, cd, pkey, - xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free); - SSL_CTX_use_PrivateKey(ssl_ctx, privkey); + *privkey = xkey_load_generic_key(tls_libctx, cd, pkey, + xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free); gc_free(&gc); return 1; /* do not free cd -- its kept by xkey provider */ 
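Review bot: this path returns 1 without checking that xkey_load_generic_key() actually returned a key, so *privkey can be NULL while the doc comment added in the first hunk promises a valid private key and the new caller passes it straight to SSL_CTX_use_PrivateKey(). Suggest `if (!*privkey) { goto err; }` after the assignment, with a msg() like the other failure paths. In the key-acquisition failure branch X509_free(*cert) is called but *cert is left pointing at freed memory; set `*cert = NULL;` after the free, or better, move the X509_free into the err: label so that every goto err after d2i_X509() releases the certificate and the caller never sees a dangling pointer (X509_free(NULL) is a no-op, so the earlier error paths stay correct).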
@@ -498,5 +492,30 @@ err: gc_free(&gc); return 0; } + +int +SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) +{ + X509 *cert = NULL; + EVP_PKEY *privkey = NULL; + int ret = 0; + + if (!Load_CryptoAPI_certificate(cert_prop, &cert, &privkey)) + { + return ret; + } + if (SSL_CTX_use_certificate(ssl_ctx, cert) + && SSL_CTX_use_PrivateKey(ssl_ctx, privkey)) + { + ret = 1; + } + + /* Always free cert and privkey even if retained by ssl_ctx as + * they are reference counted */ + X509_free(cert); + EVP_PKEY_free(privkey); + return ret; +} + #endif /* HAVE_XKEY_PROVIDER */ #endif /* _WIN32 */

From patchwork Wed Mar 15 01:35:16 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3133
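Review bot: the new SSL_CTX_use_CryptoAPI_certificate() returns 0 silently when SSL_CTX_use_certificate() or SSL_CTX_use_PrivateKey() rejects the loaded pair, whereas the failure paths inside Load_CryptoAPI_certificate() all log with msg(M_NONFATAL, "Error in cryptoapicert: ..."). A user whose store certificate and key do not match (SSL_CTX_use_PrivateKey() checks the pair against the certificate already set) would see the option fail with no explanation; suggest adding an else branch with a msg(M_NONFATAL, ...) before the frees. The reference-count comment is accurate: both SSL_CTX_use_* calls take their own reference, so the unconditional X509_free()/EVP_PKEY_free() is correct.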
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Mar 2023 21:35:16 -0400
Message-Id: <20230315013516.1256700-5-selva.nair@gmail.com>
In-Reply-To: <20230315013516.1256700-1-selva.nair@gmail.com>
References: <20230315013516.1256700-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 4/4] Add a test for signing with certificates in Windows store

From: Selva Nair

- For each sample certificate/key pair imported into the store, load the key into xkey-provider and sign a test message. As the key is "provided", signing will use appropriate backend (Windows CNG in this case). The signature is then verified using OpenSSL.

Change-Id: I520b34ba51e8c6d0247a82edc52bde181ab5a717
Signed-off-by: Selva Nair Acked-by: Gert Doering --- tests/unit_tests/openvpn/Makefile.am | 1 + tests/unit_tests/openvpn/test_cryptoapi.c | 166 ++++++++++++++++++++++ 2 files changed, 167 insertions(+) diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 339c7ef3..4391a54e 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -157,6 +157,7 @@ cryptoapi_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -lcrypt32 -lncrypt cryptoapi_testdriver_SOURCES = test_cryptoapi.c mock_msg.c \ $(top_srcdir)/src/openvpn/xkey_helper.c \ + $(top_srcdir)/src/openvpn/xkey_provider.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/platform.c \ diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c index ccb3207c..b07e8935 100644 --- a/tests/unit_tests/openvpn/test_cryptoapi.c +++ b/tests/unit_tests/openvpn/test_cryptoapi.c @@ -47,6 +47,7 @@ #include /* pull-in the whole file to test static functions */ struct management *management; /* global */ +static OSSL_PROVIDER *prov[2]; /* mock a management function that xkey_provider needs */ char * @@ -66,6 +67,11 @@ OSSL_LIB_CTX *tls_libctx; #define _countof(x) sizeof((x))/sizeof(*(x)) #endif +/* A message for signing */ +static const char *test_msg = "Lorem ipsum dolor sit amet, consectetur " + "adipisici elit, sed eiusmod tempor incidunt " + "ut labore et dolore magna aliqua."; + /* test data */ static const uint8_t test_hash[] = { 0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6, 0x57, 0x0b, 0xae, 
@@ -336,6 +342,164 @@ test_find_cert_byissuer(void **state) gc_free(&gc); } +static int +setup_cryptoapi_sign(void **state) +{ + (void) state; + /* Initialize providers in a way matching what OpenVPN core does */ + tls_libctx = OSSL_LIB_CTX_new(); + prov[0] = OSSL_PROVIDER_load(tls_libctx, "default"); + OSSL_PROVIDER_add_builtin(tls_libctx, "ovpn.xkey", xkey_provider_init); + prov[1] = OSSL_PROVIDER_load(tls_libctx, "ovpn.xkey"); + + /* set default propq as we do in ssl_openssl.c */ + EVP_set_default_properties(tls_libctx, "?provider!=ovpn.xkey"); + return 0; +} + +static int +teardown_cryptoapi_sign(void **state) +{ + (void) state; + for (size_t i = 0; i < _countof(prov); i++) + { + if (prov[i]) + { + OSSL_PROVIDER_unload(prov[i]); + prov[i] = NULL; + } + } + OSSL_LIB_CTX_free(tls_libctx); + tls_libctx = NULL; + return 0; +} + +/** + * Sign "test_msg" using a private key. The key may be a "provided" key + * in which case its signed by the provider's backend -- cryptoapi in our + * case. Then verify the signature using OpenSSL. + * Returns 1 on success, 0 on error. 
+ */ +static int +digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey) +{ + uint8_t *sig = NULL; + size_t siglen = 0; + int ret = 0; + + OSSL_PARAM params[2] = {OSSL_PARAM_END}; + const char *mdname = "SHA256"; + + if (EVP_PKEY_get_id(privkey) == EVP_PKEY_RSA) + { + const char *padmode = "pss"; /* RSA_PSS: for all other params, use defaults */ + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, + (char *)padmode, 0); + params[1] = OSSL_PARAM_construct_end(); + } + else if (EVP_PKEY_get_id(privkey) == EVP_PKEY_EC) + { + params[0] = OSSL_PARAM_construct_end(); + } + else + { + print_error("Unknown key type in digest_sign_verify()"); + return ret; + } + + EVP_PKEY_CTX *pctx = NULL; + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + + if (!mctx + || EVP_DigestSignInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, privkey, params) <= 0) + { + /* cmocka assert output for these kinds of failures is hardly explanatory, + * print a message and assert in caller. */ + print_error("Failed to initialize EVP_DigestSignInit_ex()\n"); + goto done; + } + + /* sign with sig = NULL to get required siglen */ + if (EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1) + { + print_error("EVP_DigestSign: failed to get required signature size"); + goto done; + } + assert_true(siglen > 0); + + if ((sig = test_calloc(1, siglen)) == NULL) + { + print_error("Out of memory"); + goto done; + } + if (EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1) + { + print_error("EVP_DigestSign: signing failed"); + goto done; + } + + /* + * Now validate the signature using OpenSSL. Just use the public key + * which is a native OpenSSL key. 
+ */ + EVP_MD_CTX_free(mctx); /* this also frees pctx */ + mctx = EVP_MD_CTX_new(); + pctx = NULL; + if (!mctx + || EVP_DigestVerifyInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, pubkey, params) <= 0) + { + print_error("Failed to initialize EVP_DigestVerifyInit_ex()"); + goto done; + } + if (EVP_DigestVerify(mctx, sig, siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1) + { + print_error("EVP_DigestVerify failed"); + goto done; + } + ret = 1; + +done: + if (mctx) + { + EVP_MD_CTX_free(mctx); /* this also frees pctx */ + } + test_free(sig); + return ret; +} + +/* Load sample certificates & keys, sign a test message using + * them and verify the signature. + */ +void +test_cryptoapi_sign(void **state) +{ + (void) state; + char select_string[64]; + X509 *x509 = NULL; + EVP_PKEY *privkey = NULL; + + import_certs(state); /* a no-op if already imported */ + assert_true(certs_loaded); + + for (struct test_cert *c = certs; c->cert; c++) + { + if (c->valid == 0) + { + continue; + } + openvpn_snprintf(select_string, sizeof(select_string), "THUMB:%s", c->hash); + if (Load_CryptoAPI_certificate(select_string, &x509, &privkey) != 1) + { + fail_msg("Load_CryptoAPI_certificate failed: <%s>", c->friendly_name); + return; + } + EVP_PKEY *pubkey = X509_get_pubkey(x509); + assert_int_equal(digest_sign_verify(privkey, pubkey), 1); + X509_free(x509); + EVP_PKEY_free(privkey); + } +} + static void test_parse_hexstring(void **state) { @@ -366,6 +530,8 @@ main(void) cmocka_unit_test(test_find_cert_bythumb), cmocka_unit_test(test_find_cert_byname), cmocka_unit_test(test_find_cert_byissuer), + cmocka_unit_test_setup_teardown(test_cryptoapi_sign, setup_cryptoapi_sign, + teardown_cryptoapi_sign), }; int ret = cmocka_run_group_tests_name("cryptoapi tests", tests, NULL, cleanup);
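Review bot: In test_cryptoapi_sign() (hunk @@ -336,6 +342,164 @@) the EVP_PKEY returned by X509_get_pubkey() is never released. X509_get_pubkey() bumps the key's reference count, so each loop iteration leaks one public key; add `EVP_PKEY_free(pubkey);` alongside `X509_free(x509);` and `EVP_PKEY_free(privkey);` at the end of the loop body. In the same hunk, setup_cryptoapi_sign() ignores the return values of OSSL_LIB_CTX_new(), OSSL_PROVIDER_add_builtin() and both OSSL_PROVIDER_load() calls; returning non-zero from setup when any of them fails would make cmocka report a setup failure instead of an opaque "Failed to initialize EVP_DigestSignInit_ex()" later. Also, `assert_true(siglen > 0);` inside digest_sign_verify() contradicts the comment a few lines above it ("print a message and assert in caller") and on failure longjmps out past the `done:` cleanup, leaking mctx; a print_error() plus `goto done` would be consistent with the rest of the function. Minor: the doc comment reads "its signed", should be "it's signed".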
