test: Replace hardcoded cert test with OpenSSL-based script.

The previous test assumed a lot about the implementation of the x.509 cert creation (and thus no longer really works as-is), and really wasn't testing the cert creation but rather details of its implementation. The new test uses the openssl CLI, to test that our certs are accepted by third-parties. To keep the tests running on platforms without OpenSSL, this test is gated behind a CMake option.
xaptum · Dec 14, 2020 · 7ced9a3 · 7ced9a3
1 parent cdd191e
commit 7ced9a3
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 163 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -19,6 +19,7 @@ option(USE_TPM "use a TPM" ON)
 option(BUILD_SHARED_LIBS "Build as a shared library" ON)
 option(BUILD_STATIC_LIBS "Build as a static library" OFF)
 option(BUILD_TOOL "Build XTT tool" ON)
+option(TEST_USE_OPENSSL "Run tests that require an OpenSSL installation" ON)
 
 find_package(ecdaa 1.0.0 REQUIRED QUIET)
 find_package(sodium 1.0.11 REQUIRED QUIET)

diff --git a/README.md b/README.md
@@ -85,6 +85,7 @@ The following CMake configuration options are supported.
 | BUILD_SHARED_LIBS    | ON, OFF        | ON         | Build shared libraries.                                |
 | BUILD_STATIC_LIBS    | ON, OFF        | OFF        | Build static libraries.                                |
 | BUILD_TESTING        | ON, OFF        | ON         | Build the test suite.                                  |
+| TEST_USE_OPENSSL     | ON, OFF        | ON         | Run tests that require an OpenSSL installation.        |
 | STATIC_SUFFIX        | <string>       | <none>     | Appends a suffix to the static lib name.               |
 
 ### Installing

diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
@@ -44,7 +44,6 @@ set(CURRENT_TEST_BINARY_DIR ${CMAKE_BINARY_DIR}/testBin/)
 
 add_test_case("wrapper_sanity-test.c" "")
 add_test_case("integration_test.c" "1;2;3;4")
-add_test_case("certificate_test.c" "")
 
 if(BUILD_TOOL)
   add_test(NAME "tool_test"
@@ -55,4 +54,12 @@ if(BUILD_TOOL)
     )
 endif()
 
+if(TEST_USE_OPENSSL)
+  add_test(NAME "cert_test"
+    COMMAND ${CMAKE_CURRENT_LIST_DIR}/cert-test.sh
+    ${CMAKE_BINARY_DIR}/tool
+    ${CURRENT_TEST_BINARY_DIR}
+    )
+endif()
+
 add_subdirectory(cpp)
diff --git a/test/cert-test.sh b/test/cert-test.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+if [[ $# -ne 2 ]]; then
+        echo "usage: $0 <tool directory> <tmp directory>"
+        exit 1
+fi
+
+tool_dir="$1"
+tmp_dir="$2"
+
+OPENSSL_MINOR_VERSION=$(openssl version | sed -E 's/OpenSSL 1.(.).*$/\1/')
+echo $OPENSSL_MINOR_VERSION
+
+CN="DEAD:0000:0000:0000:0000:0000:0000:BEEF"
+CN_BYTES="\xDE\xAD\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xBE\xEF"
+
+echo "Generating keypair..."
+${tool_dir}/xtt genkeypair -k ${tmp_dir}/keys.asn1.bin
+
+echo "Validating keypair..."
+openssl ec -in ${tmp_dir}/keys.asn1.bin -inform DER -noout $([ ${OPENSSL_MINOR_VERSION} -ge 1 ] && echo "-check")
+echo "ok"
+
+echo "Generating cert..."
+echo -ne ${CN_BYTES} > ${tmp_dir}/id.bin
+${tool_dir}/xtt genx509cert -k ${tmp_dir}/keys.asn1.bin -d ${tmp_dir}/id.bin -c ${tmp_dir}/cert.bin
+openssl x509 -in ${tmp_dir}/cert.bin -inform DER -out ${tmp_dir}/cert.pem
+
+# NOTE: The `-check_ss_sig` is VERY important here. Without it, the signature won't be checked.
+echo "Verifying certificate..."
+openssl verify -check_ss_sig -CAfile ${tmp_dir}/cert.pem ${tmp_dir}/cert.pem
+echo "ok"
+
+echo "Validating certificate dates (for non-expiring certificate)"
+DATES=$(cat <<EOF
+notBefore=Jan  1 00:00:00 0 GMT
+notAfter=Dec 31 23:59:59 9999 GMT
+EOF
+)
+test "${DATES}" = "$(openssl x509 -in ${tmp_dir}/cert.pem -noout -dates)"
+echo "ok"
+
+echo "Checking Issuer and Subject (should be the same)"
+test 1 -eq $(openssl x509 -in ${tmp_dir}/cert.pem -noout -subject | grep -c ${CN})
+test 1 -eq $(openssl x509 -in ${tmp_dir}/cert.pem -noout -issuer | grep -c ${CN})
+echo "ok"
diff --git a/test/certificate_test.c b/test/certificate_test.c