diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2020-08-11 18:52:37 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2021-03-16 19:16:11 +0900 |
commit | d4ad1e71ca6c1b58e5ea1b518e406a0251ca812f (patch) | |
tree | d4fbf1cb388aface7222af9cc736e0e962a4d347 /test/openssl/test_x509store.rb | |
parent | c46b1f0bec3af8c51a9eebc6408a2895eccdff91 (diff) | |
download | ruby-d4ad1e71ca6c1b58e5ea1b518e406a0251ca812f.tar.gz |
[ruby/openssl] test/openssl/test_x509store: break up test_verify
The test case is huge and too complex. Break it up into separate test
cases for better documentation.
https://github.com/ruby/openssl/commit/61012df03b
Diffstat (limited to 'test/openssl/test_x509store.rb')
-rw-r--r-- | test/openssl/test_x509store.rb | 339 |
1 files changed, 227 insertions, 112 deletions
diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb index 4b02e6664f..57a3e79c61 100644 --- a/test/openssl/test_x509store.rb +++ b/test/openssl/test_x509store.rb @@ -65,159 +65,274 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase tmpfile and tmpfile.close! end - def test_verify - # OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME), - # and there may be difference. - now = Time.now - 3 + def test_verify_simple ca_exts = [ - ["basicConstraints","CA:TRUE",true], - ["keyUsage","cRLSign,keyCertSign",true], + ["basicConstraints", "CA:TRUE", true], + ["keyUsage", "cRLSign,keyCertSign", true], ] + ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") + ca1_key = Fixtures.pkey("rsa-1") + ca1_cert = issue_cert(ca1, ca1_key, 1, ca_exts, nil, nil) + ca2 = OpenSSL::X509::Name.parse_rfc2253("CN=Intermediate CA") + ca2_key = Fixtures.pkey("rsa-2") + ca2_cert = issue_cert(ca2, ca2_key, 2, ca_exts, ca1_cert, ca1_key) + ee_exts = [ - ["keyUsage","keyEncipherment,digitalSignature",true], + ["keyUsage", "keyEncipherment,digitalSignature", true], ] - ca1_cert = issue_cert(@ca1, @rsa2048, 1, ca_exts, nil, nil) - ca2_cert = issue_cert(@ca2, @rsa1024, 2, ca_exts, ca1_cert, @rsa2048, - not_after: now+1800) - ee1_cert = issue_cert(@ee1, @dsa256, 10, ee_exts, ca2_cert, @rsa1024) - ee2_cert = issue_cert(@ee2, @dsa512, 20, ee_exts, ca2_cert, @rsa1024) - ee3_cert = issue_cert(@ee2, @dsa512, 30, ee_exts, ca2_cert, @rsa1024, - not_before: now-100, not_after: now-50) - ee4_cert = issue_cert(@ee2, @dsa512, 40, ee_exts, ca2_cert, @rsa1024, - not_before: now+1000, not_after: now+2000,) - - revoke_info = [] - crl1 = issue_crl(revoke_info, 1, now, now+1800, [], - ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA1')) - revoke_info = [ [2, now, 1], ] - crl1_2 = issue_crl(revoke_info, 2, now, now+1800, [], - ca1_cert, @rsa2048, OpenSSL::Digest.new('SHA1')) - revoke_info = [ [20, now, 1], ] - crl2 = issue_crl(revoke_info, 1, now, now+1800, [], - ca2_cert, @rsa1024, OpenSSL::Digest.new('SHA1')) - revoke_info = [] - crl2_2 = issue_crl(revoke_info, 2, now-100, now-1, [], - ca2_cert, @rsa1024, OpenSSL::Digest.new('SHA1')) - - assert_equal(true, ca1_cert.verify(ca1_cert.public_key)) # self signed - assert_equal(true, ca2_cert.verify(ca1_cert.public_key)) # issued by ca1 - assert_equal(true, ee1_cert.verify(ca2_cert.public_key)) # issued by ca2 - assert_equal(true, ee2_cert.verify(ca2_cert.public_key)) # issued by ca2 - assert_equal(true, ee3_cert.verify(ca2_cert.public_key)) # issued by ca2 - assert_equal(true, crl1.verify(ca1_cert.public_key)) # issued by ca1 - assert_equal(true, crl1_2.verify(ca1_cert.public_key)) # issued by ca1 - assert_equal(true, crl2.verify(ca2_cert.public_key)) # issued by ca2 - assert_equal(true, crl2_2.verify(ca2_cert.public_key)) # issued by ca2 + ee1 = OpenSSL::X509::Name.parse_rfc2253("CN=EE 1") + ee1_key = Fixtures.pkey("rsa-3") + ee1_cert = issue_cert(ee1, ee1_key, 10, ee_exts, ca2_cert, ca2_key) + # Nothing trusted store = OpenSSL::X509::Store.new - assert_equal(false, store.verify(ca1_cert)) - assert_not_equal(OpenSSL::X509::V_OK, store.error) + assert_equal(false, store.verify(ee1_cert, [ca2_cert, ca1_cert])) + assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, store.error) + assert_match(/self.signed/i, store.error_string) - assert_equal(false, store.verify(ca2_cert)) - assert_not_equal(OpenSSL::X509::V_OK, store.error) + # CA1 trusted, CA2 missing + store = OpenSSL::X509::Store.new + store.add_cert(ca1_cert) + assert_equal(false, store.verify(ee1_cert)) + assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, store.error) + # CA1 trusted, CA2 supplied + store = OpenSSL::X509::Store.new store.add_cert(ca1_cert) - assert_equal(true, store.verify(ca2_cert)) + assert_equal(true, store.verify(ee1_cert, [ca2_cert])) + assert_match(/ok/i, store.error_string) assert_equal(OpenSSL::X509::V_OK, store.error) - assert_equal("ok", store.error_string) - chain = store.chain - assert_equal(2, chain.size) - assert_equal(@ca2.to_der, chain[0].subject.to_der) - assert_equal(@ca1.to_der, chain[1].subject.to_der) + assert_equal([ee1_cert, ca2_cert, ca1_cert], store.chain) + end - store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT - assert_equal(false, store.verify(ca2_cert)) - assert_not_equal(OpenSSL::X509::V_OK, store.error) + def test_verify_callback + ca_exts = [ + ["basicConstraints", "CA:TRUE", true], + ["keyUsage", "cRLSign,keyCertSign", true], + ] + ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") + ca1_key = Fixtures.pkey("rsa-1") + ca1_cert = issue_cert(ca1, ca1_key, 1, ca_exts, nil, nil) + ca2 = OpenSSL::X509::Name.parse_rfc2253("CN=Intermediate CA") + ca2_key = Fixtures.pkey("rsa-2") + ca2_cert = issue_cert(ca2, ca2_key, 2, ca_exts, ca1_cert, ca1_key) - store.purpose = OpenSSL::X509::PURPOSE_CRL_SIGN - assert_equal(true, store.verify(ca2_cert)) - assert_equal(OpenSSL::X509::V_OK, store.error) + ee_exts = [ + ["keyUsage", "keyEncipherment,digitalSignature", true], + ] + ee1 = OpenSSL::X509::Name.parse_rfc2253("CN=EE 1") + ee1_key = Fixtures.pkey("rsa-3") + ee1_cert = issue_cert(ee1, ee1_key, 10, ee_exts, ca2_cert, ca2_key) - store.add_cert(ca2_cert) - store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT - assert_equal(true, store.verify(ee1_cert)) - assert_equal(true, store.verify(ee2_cert)) - assert_equal(OpenSSL::X509::V_OK, store.error) - assert_equal("ok", store.error_string) - chain = store.chain - assert_equal(3, chain.size) - assert_equal(@ee2.to_der, chain[0].subject.to_der) - assert_equal(@ca2.to_der, chain[1].subject.to_der) - assert_equal(@ca1.to_der, chain[2].subject.to_der) - assert_equal(false, store.verify(ee3_cert), "now=#{now.inspect} Time.now=#{Time.now.inspect} store=#{store.inspect} ee3_cert=#{ee3_cert.inspect}") - assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error) - assert_match(/expire/i, store.error_string) - assert_equal(false, store.verify(ee4_cert)) - assert_equal(OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID, store.error) - assert_match(/not yet valid/i, store.error_string) + # verify_callback on X509::Store is called with proper arguments + cb_calls = [] + store = OpenSSL::X509::Store.new + store.verify_callback = -> (preverify_ok, sctx) { + cb_calls << [preverify_ok, sctx.current_cert] + preverify_ok + } + store.add_cert(ca1_cert) + assert_equal(true, store.verify(ee1_cert, [ca2_cert])) + assert_equal(3, cb_calls.size) + assert_equal([true, ca1_cert], cb_calls[0]) + assert_equal([true, ca2_cert], cb_calls[1]) + assert_equal([true, ee1_cert], cb_calls[2]) + # verify_callback can change verification result + store = OpenSSL::X509::Store.new + store.verify_callback = -> (preverify_ok, sctx) { + next preverify_ok if sctx.current_cert != ee1_cert + sctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION + false + } + store.add_cert(ca1_cert) + assert_equal(false, store.verify(ee1_cert, [ca2_cert])) + assert_equal(OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION, store.error) + + # Exception raised by verify_callback is currently suppressed, and is + # treated as a non-truthy return (with warning) + store = OpenSSL::X509::Store.new + store.verify_callback = -> (preverify_ok, sctx) { + raise "suppressed" + } + store.add_cert(ca1_cert) + assert_warning(/exception in verify_callback/) { + assert_equal(false, store.verify(ee1_cert, [ca2_cert])) + } + + # The block given to X509::Store#verify replaces it + called = nil + store = OpenSSL::X509::Store.new + store.verify_callback = -> (preverify_ok, sctx) { called = :store; preverify_ok } + store.add_cert(ca1_cert) + blk = proc { |preverify_ok, sctx| called = :block; preverify_ok } + assert_equal(true, store.verify(ee1_cert, [ca2_cert], &blk)) + assert_equal(:block, called) + end + + def test_verify_purpose + ca_exts = [ + ["basicConstraints", "CA:TRUE", true], + ["keyUsage", "cRLSign,keyCertSign", true], + ] + ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") + ca1_key = Fixtures.pkey("rsa-1") + ca1_cert = issue_cert(ca1, ca1_key, 1, ca_exts, nil, nil) + + ee_exts = [ + ["keyUsage", "keyEncipherment,digitalSignature", true], + ] + ee1 = OpenSSL::X509::Name.parse_rfc2253("CN=EE 1") + ee1_key = Fixtures.pkey("rsa-3") + ee1_cert = issue_cert(ee1, ee1_key, 10, ee_exts, ca1_cert, ca1_key) + + # Purpose not set store = OpenSSL::X509::Store.new store.add_cert(ca1_cert) - store.add_cert(ca2_cert) - store.time = now + 1500 assert_equal(true, store.verify(ca1_cert)) - assert_equal(true, store.verify(ca2_cert)) - assert_equal(true, store.verify(ee4_cert)) - store.time = now + 1900 + assert_equal(true, store.verify(ee1_cert)) + + # Purpose set to X509::PURPOSE_SSL_CLIENT; keyUsage is checked + store = OpenSSL::X509::Store.new + store.purpose = OpenSSL::X509::PURPOSE_CRL_SIGN + store.add_cert(ca1_cert) assert_equal(true, store.verify(ca1_cert)) - assert_equal(false, store.verify(ca2_cert)) - assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error) - assert_equal(false, store.verify(ee4_cert)) - assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error) - store.time = now + 4000 assert_equal(false, store.verify(ee1_cert)) - assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error) - assert_equal(false, store.verify(ee4_cert)) - assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error) + end - # the underlying X509 struct caches the result of the last - # verification for signature and not-before. so the following code - # rebuilds new objects to avoid site effect. - store.time = Time.now - 4000 - assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ca2_cert))) + def test_verify_validity_period + # Creating test certificates with validity periods: + # + # now-5000 now-1000 now+1000 now+5000 + # CA1:|---------------------------------------------------------------| + # EE1:|---------------------------------------------------------------| + # EE2:|-------------------------| + # EE3: |-------------------------| + now = Time.now + ca_exts = [ + ["basicConstraints", "CA:TRUE", true], + ["keyUsage", "cRLSign,keyCertSign", true], + ] + ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") + ca1_key = Fixtures.pkey("rsa-1") + ca1_cert = issue_cert(ca1, ca1_key, 1, ca_exts, nil, nil, + not_before: now - 5000, not_after: now + 5000) + + ee_exts = [ + ["keyUsage", "keyEncipherment,digitalSignature", true], + ] + ee1 = OpenSSL::X509::Name.parse_rfc2253("CN=EE 1") + ee1_key = Fixtures.pkey("rsa-1") + ee1_cert = issue_cert(ee1, ee1_key, 11, ee_exts, ca1_cert, ca1_key, + not_before: now - 5000, not_after: now + 5000) + ee2 = OpenSSL::X509::Name.parse_rfc2253("CN=EE 2") + ee2_key = Fixtures.pkey("rsa-2") + ee2_cert = issue_cert(ee2, ee2_key, 12, ee_exts, ca1_cert, ca1_key, + not_before: now - 5000, not_after: now - 1000) + ee3 = OpenSSL::X509::Name.parse_rfc2253("CN=EE 3") + ee3_key = Fixtures.pkey("rsa-3") + ee3_cert = issue_cert(ee3, ee3_key, 13, ee_exts, ca1_cert, ca1_key, + not_before: now + 1000, not_after: now + 5000) + + # Using system time + store = OpenSSL::X509::Store.new + store.add_cert(ca1_cert) + assert_equal(true, store.verify(ee1_cert)) + assert_equal(false, store.verify(ee2_cert)) + assert_equal(OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED, store.error) + assert_equal(false, store.verify(ee3_cert)) assert_equal(OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID, store.error) - assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ee1_cert))) + + # Time set to now-2000; EE2 is still valid + store = OpenSSL::X509::Store.new + store.time = now - 2000 + store.add_cert(ca1_cert) + assert_equal(true, store.verify(ee1_cert)) + assert_equal(true, store.verify(ee2_cert)) + assert_equal(false, store.verify(ee3_cert)) assert_equal(OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID, store.error) + end + + def test_verify_with_crl + ca_exts = [ + ["basicConstraints", "CA:TRUE", true], + ["keyUsage", "cRLSign,keyCertSign", true], + ] + ca1 = OpenSSL::X509::Name.parse_rfc2253("CN=Root CA") + ca1_key = Fixtures.pkey("rsa-1") + ca1_cert = issue_cert(ca1, ca1_key, 1, ca_exts, nil, nil) + ca2 = OpenSSL::X509::Name.parse_rfc2253("CN=Intermediate CA") + ca2_key = Fixtures.pkey("rsa-2") + ca2_cert = issue_cert(ca2, ca2_key, 2, ca_exts, ca1_cert, ca1_key) + + ee_exts = [ + ["keyUsage", "keyEncipherment,digitalSignature", true], + ] + ee1 = OpenSSL::X509::Name.parse_rfc2253("CN=EE 1") + ee1_key = Fixtures.pkey("rsa-3") + ee1_cert = issue_cert(ee1, ee1_key, 10, ee_exts, ca2_cert, ca2_key) + ee2 = OpenSSL::X509::Name.parse_rfc2253("CN=EE 2") + ee2_key = Fixtures.pkey("rsa-3") + ee2_cert = issue_cert(ee2, ee2_key, 20, ee_exts, ca2_cert, ca2_key) + + # OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME), + # and there may be difference, so giving 50 seconds margin. + now = Time.now - 50 + revoke_info = [] + ca1_crl1 = issue_crl(revoke_info, 1, now, now+1800, [], ca1_cert, ca1_key, "sha256") + revoke_info = [ [2, now, 1], ] + ca1_crl2 = issue_crl(revoke_info, 2, now, now+1800, [], ca1_cert, ca1_key, "sha256") + + revoke_info = [ [20, now, 1], ] + ca2_crl1 = issue_crl(revoke_info, 1, now, now+1800, [], ca2_cert, ca2_key, "sha256") + revoke_info = [] + ca2_crl2 = issue_crl(revoke_info, 2, now-100, now-1, [], ca2_cert, ca2_key, "sha256") + + # CRL check required, but no CRL supplied + store = OpenSSL::X509::Store.new + store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK + store.add_cert(ca1_cert) + assert_equal(false, store.verify(ca2_cert)) + assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL, store.error) + # Intermediate CA revoked EE2 store = OpenSSL::X509::Store.new - store.purpose = OpenSSL::X509::PURPOSE_ANY store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK store.add_cert(ca1_cert) - store.add_crl(crl1) # revoke no cert - store.add_crl(crl2) # revoke ee2_cert - assert_equal(true, store.verify(ca1_cert)) - assert_equal(true, store.verify(ca2_cert)) - assert_equal(true, store.verify(ee1_cert, [ca2_cert])) + store.add_crl(ca1_crl1) # revoke no cert + store.add_crl(ca2_crl1) # revoke ee2_cert + assert_equal(true, store.verify(ca2_cert)) + assert_equal(true, store.verify(ee1_cert, [ca2_cert])) assert_equal(false, store.verify(ee2_cert, [ca2_cert])) + # Root CA revoked Intermediate CA; Intermediate CA revoked EE2 store = OpenSSL::X509::Store.new - store.purpose = OpenSSL::X509::PURPOSE_ANY store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK store.add_cert(ca1_cert) - store.add_crl(crl1_2) # revoke ca2_cert - store.add_crl(crl2) # revoke ee2_cert - assert_equal(true, store.verify(ca1_cert)) + store.add_crl(ca1_crl2) # revoke ca2_cert + store.add_crl(ca2_crl1) # revoke ee2_cert assert_equal(false, store.verify(ca2_cert)) - assert_equal(true, store.verify(ee1_cert, [ca2_cert]), - "This test is expected to be success with OpenSSL 0.9.7c or later.") + # Validity of intermediate CAs is not checked by default + assert_equal(true, store.verify(ee1_cert, [ca2_cert])) assert_equal(false, store.verify(ee2_cert, [ca2_cert])) - store.flags = - OpenSSL::X509::V_FLAG_CRL_CHECK|OpenSSL::X509::V_FLAG_CRL_CHECK_ALL - assert_equal(true, store.verify(ca1_cert)) + # Same as above, but with OpenSSL::X509::V_FLAG_CRL_CHECK_ALL + store = OpenSSL::X509::Store.new + store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK|OpenSSL::X509::V_FLAG_CRL_CHECK_ALL + store.add_cert(ca1_cert) + store.add_crl(ca1_crl2) # revoke ca2_cert + store.add_crl(ca2_crl1) # revoke ee2_cert assert_equal(false, store.verify(ca2_cert)) assert_equal(false, store.verify(ee1_cert, [ca2_cert])) assert_equal(false, store.verify(ee2_cert, [ca2_cert])) + # Expired CRL supplied store = OpenSSL::X509::Store.new - store.purpose = OpenSSL::X509::PURPOSE_ANY - store.flags = - OpenSSL::X509::V_FLAG_CRL_CHECK|OpenSSL::X509::V_FLAG_CRL_CHECK_ALL + store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK|OpenSSL::X509::V_FLAG_CRL_CHECK_ALL store.add_cert(ca1_cert) store.add_cert(ca2_cert) - store.add_crl(crl1) - store.add_crl(crl2_2) # issued by ca2 but expired. - assert_equal(true, store.verify(ca1_cert)) + store.add_crl(ca1_crl1) + store.add_crl(ca2_crl2) # issued by ca2 but expired assert_equal(true, store.verify(ca2_cert)) assert_equal(false, store.verify(ee1_cert)) assert_equal(OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED, store.error) |