kmf_verify_cert.c | searchcode

/usr/src/suites/security/kmf/tests/kmf_api/kmf_verify_cert.c

https://bitbucket.org/illumos/illumos-stc
C | 265 lines | 175 code | 32 blank | 58 comment | 39 complexity | 1b96b76a3a7cebfc81589492333fcd64 MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#include "kmf_test_util.h"

#ifdef __stc_assertion__
/*
 * ASSERTION: kmf_verify_cert_001, kmf_verify_cert_002,
 *	      kmf_verify_cert_003
 *
 * DESCRIPTION:
 *	If kmf_verify_cert() is called with one or some unaccepted
 *	parameters, it will fail with KMF_ERR_BAD_PARAMETER.
 *
 *	If kmf_verify_cert() is called with an invalid kstype,
 *	it will fail with KMF_ERR_PLUGIN_NOTFOUND.
 *
 *	If kmf_verify_cert() is called with cert data couldn't be
 *	decoded, it will fail with KMF_ERR_BAD_CERT_FORMAT.
 *
 * STRATEGY:
 *	1) Call KMF_Initialize.
 *	2) Set one or some of the four input parameters
 *	   to NULL, then call kmf_verify_cert.
 *	3) Verify the return value is KMF_ERR_BAD_PARAMETER.
 *
 *	4) Call kmf_verify_cert with an invalid params->kstype
 *	   (other than NSS, PKCS11, OpenSSL).
 *	5) Verify the return value is KMF_ERR_PLUGIN_NOTFOUND.
 *
 *	6) Given cert format couldn't be decoded,
 *	   call kmf_verify_cert.
 *	7) Verify the return value is KMF_ERR_BAD_CERT_FORMAT.
 *
 *	8) Free memory.
 *	9) Call KMF_Finalize.
 *
 * INTERFACES: kmf_verify_cert
 */
#endif /* __stc_assertion_ */

static int failure = 0;
static int param_fail = 0;
static int param_tests = 0;
static int test_num = 0;
static char *func_name = "kmf_verify_cert()";

static int
set_attrlist(KMF_ATTRIBUTE *attrs, KMF_KEY_HANDLE *key, KMF_DATA *cert,
	KMF_DATA *SignerCert)
{
	int i = 0;

	if (key) {
		kmf_set_attr_at_index(attrs, i, KMF_KEY_HANDLE_ATTR,
		    key, sizeof (KMF_KEY_HANDLE));
		i++;
	}

	if (cert) {
		kmf_set_attr_at_index(attrs, i, KMF_CERT_DATA_ATTR,
		    cert, sizeof (KMF_DATA));
		i++;
	}

	if (SignerCert) {
		kmf_set_attr_at_index(attrs, i, KMF_SIGNER_CERT_DATA_ATTR,
		    SignerCert, sizeof (KMF_DATA));
		i++;
	}

	return (i);
}

int
main(int argc, char *argv[])
{
	KMF_RETURN exp_ret;
	int ret = STF_PASS;

	KMF_HANDLE_T kmfhandle, tmphandle = NULL;
	KMF_KEY_HANDLE key, privKey, pubKey;
	KMF_DATA signedCert;
	KMF_HANDLE_T *arg1[2] = {&tmphandle, &kmfhandle};
	KMF_KEY_HANDLE *arg21[2] = {NULL, &pubKey};
	KMF_DATA *arg3[2] = {NULL, &signedCert};
	int i, j, k;

	KMF_CREATEKEYPAIR_PARAMS params;
	KMF_X509_CERTIFICATE cert, tobesigned;
	uchar_t sernum[16];
	uint32_t numlen;
	KMF_DATA x509Cert = {NULL, 0};
	int numattr = 0;
	KMF_ATTRIBUTE attrlist[32];

	KMF_CRYPTOWITHCERT_PARAMS crypto_params;
	KMF_DATA signercert = {NULL, 0};
	KMF_DATA nokeyusage_signercert = {NULL, 0};
	KMF_DATA *arg22[2] = {NULL, &signercert};

	uint32_t isCert = 1;

	if ((kmf_test_initialize(&kmfhandle, NULL)) != 0)
		return (STF_UNRESOLVED);

	exp_ret = KMF_ERR_BAD_PARAMETER;
	print_test(++test_num, func_name, exp_ret);
	for (i = 0; i < 2; i++) {
		for (j = 0; j < 2; j++) {
			for (k = 0; k < 2; k++) {

		if (k == 1 && j == 1 && i == 1)
			continue;

		param_tests++;
		numattr = set_attrlist(attrlist, arg21[j], arg3[k], NULL);
		if ((compare_result(kmf_verify_cert(
		    *arg1[i], numattr, attrlist), exp_ret))
		    != 0 && (++param_fail) == 1)
			failure++;

		param_tests++;
		numattr = set_attrlist(attrlist, NULL, arg3[k], arg22[j]);
		if ((compare_result(kmf_verify_cert(
		    *arg1[i], numattr, attrlist), exp_ret))
		    != 0 && (++param_fail) == 1)
			failure++;

			}
		}
	}
	if (param_fail)
		jnl_printf("%d parameter tests, %d failed\n",
		    param_tests, param_fail);

	exp_ret = KMF_ERR_PLUGIN_NOTFOUND;
	print_test(++test_num, func_name, exp_ret);
	unlink(SSL_KEY_FILE);
	numlen = sizeof (sernum);
	memset(sernum, 0xa, numlen);
	if (create_signed_cert(kmfhandle, &params, &privKey, &pubKey,
	    KMF_KEYSTORE_OPENSSL, KMF_RSA, RSA_SIZE, NULL, &cert,
	    sernum, numlen, &signedCert)) {
		failure++;
		goto out;
	}
	pubKey.kstype = 100;
	numattr = set_attrlist(attrlist, &pubKey, &signedCert, NULL);
	if (compare_result(kmf_verify_cert(kmfhandle, numattr, attrlist),
	    exp_ret) != 0)
		failure++;
	pubKey.kstype = KMF_KEYSTORE_OPENSSL;

	exp_ret = KMF_ERR_BAD_CERT_FORMAT;
	print_test(++test_num, func_name, exp_ret);
	memset(signedCert.Data, 1, signedCert.Length);
	numattr = set_attrlist(attrlist, &pubKey, &signedCert, NULL);
	if (compare_result(kmf_verify_cert(kmfhandle, numattr, attrlist),
	    exp_ret) != 0)
		failure++;

	kmf_free_data(&signedCert);
	kmf_free_signed_cert(&cert);

	exp_ret = KMF_ERR_KEYUSAGE;

	unlink(SSL_KEY_FILE);
	memset(sernum, 0xa, numlen);
	if (create_signed_cert(kmfhandle, &params, &privKey, &pubKey,
	    KMF_KEYSTORE_OPENSSL, KMF_RSA, RSA_SIZE, NULL, &cert,
	    sernum, numlen, &signercert)) {
		failure++;
		goto out;
	}
	kmf_free_signed_cert(&cert);
	memset(sernum, 0xb, numlen);

	/* Create an unsigned X509_CERTIFICATE record */
	unlink(SSL_KEY_FILE);
	if (create_keypair(kmfhandle, &privKey, &pubKey, KMF_KEYSTORE_OPENSSL,
	    KMF_RSA, RSA_SIZE, NULL)) {
		failure++;
		goto out;
	}
	if (build_x509_cert(kmfhandle, &tobesigned, sernum, numlen, &pubKey)) {
		failure++;
		goto out;
	}

	signedCert.Length = 0;
	signedCert.Data = NULL;

	print_test(++test_num, func_name, exp_ret);

	if (set_cryptowithcert_params(&crypto_params, KMF_KEYSTORE_OPENSSL,
	    KMF_FORMAT_ASN1, NULL)) {
		failure++;
	} else {
		set_SignCertWithCert_attrs(attrlist, &numattr,
		    &crypto_params, &tobesigned, &signercert, &signedCert);
		if (testcall(kmf_sign_cert(kmfhandle, numattr, attrlist),
		    "kmf_sign_cert")) {
			failure++;
			goto out;
		}
		unlink(SSL_KEY_FILE);
		memset(sernum, 0xc, numlen);

		if (create_base_signed_cert(kmfhandle, &params,
		    &privKey, &pubKey,
		    KMF_KEYSTORE_OPENSSL, KMF_RSA, RSA_SIZE, NULL, &cert,
		    sernum, numlen, &nokeyusage_signercert)) {
			failure++;
			goto out;
		}
		numattr = set_attrlist(attrlist, NULL, &signedCert,
		    &nokeyusage_signercert);
		if (compare_result(kmf_verify_cert(kmfhandle,
		    numattr, attrlist), exp_ret) != 0)
			failure++;
		free_cryptowithcert_params(&crypto_params);
	}
out:
	kmf_free_data(&x509Cert);
	kmf_free_data(&signedCert);
	kmf_free_kmf_key(kmfhandle, &privKey);
	kmf_free_kmf_key(kmfhandle, &pubKey);
	kmf_free_signed_cert(&cert);
	kmf_free_signed_cert(&tobesigned);
	kmf_free_data(&nokeyusage_signercert);
	kmf_test_finalize(kmfhandle);

	if (failure != 0) {
		jnl_printf("%d tests, only %d passed\n", test_num,
		    test_num - failure);
		ret = STF_FAIL;
	}

	kmf_test_finalize(kmfhandle);
	return (ret);
}