Add Test for Verification Failure on Incorrect X509 Version

Tests #5738: Introduce a new test to verify that a malformed X509 request with the version field set to version 6 fails either early when reading from data or later when `X509_REQ_verify` is called. Adding a new test recipe `60-test_x509_req.t` Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24677)
2024-06-19 14:02:53 +02:00 · 2024-06-19 14:02:53 +02:00 · 895ecd0ce8
commit 895ecd0ce8
parent 7fab3c7d61
3 changed files with 92 additions and 1 deletions
--- a/test/build.info
+++ b/test/build.info
@ -64,7 +64,7 @@ IF[{- !$disabled{tests} -}]
          ca_internals_test bio_tfo_test membio_test bio_dgram_test list_test \
          fips_version_test x509_test hpke_test pairwise_fail_test \
          nodefltctxtest evp_xof_test x509_load_cert_file_test bio_meth_test \
-          x509_acert_test
+          x509_acert_test x509_req_test

  IF[{- !$disabled{'rpk'} -}]
    PROGRAMS{noinst}=rpktest
@ -1211,6 +1211,10 @@ ENDIF
  INCLUDE[x509_acert_test]=../include ../apps/include
  DEPEND[x509_acert_test]=../libcrypto libtestutil.a

+  SOURCE[x509_req_test]=x509_req_test.c
+  INCLUDE[x509_req_test]=../include ../apps/include
+  DEPEND[x509_req_test]=../libcrypto libtestutil.a
+
 {-
   use File::Spec::Functions;
   use File::Basename;
--- a/test/recipes/60-test_x509_req.t
+++ b/test/recipes/60-test_x509_req.t
@ -0,0 +1,11 @@
+#! /usr/bin/env perl
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_x509_req_test", "x509_req_test", "x509_req");
--- a/test/x509_req_test.c
+++ b/test/x509_req_test.c
@ -0,0 +1,76 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+
+#include "testutil.h"
+
+static const char bad_csr_version_6[] =
+    "-----BEGIN CERTIFICATE REQUEST-----\n"
+    "MIICoTCCAYkCAQUwXDELMAkGA1UEBhMCQ0gxDTALBgNVBAgMBEJlcm4xDTALBgNV\n"
+    "BAcMBEJlcm4xFDASBgNVBAoMC0VyYnNsYW5kREVWMRkwFwYDVQQDDBB0ZXN0Lm9w\n"
+    "ZW5zc2wub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgnKT31X7\n"
+    "GG1doZXQ0cHY32OjExJT5z/AhZNHt44AdZmrGDwcANBa68mK1pJ4zbLStsa0ABfC\n"
+    "clPnoq4jqPcoMqPu5SNGR29lBWSQr8AzzHFOalHfYmdsTwRxy2fM56WVfrmi/HY5\n"
+    "8pZ0LgAuF7Kb8hjUkqBbWzAo0GJaYqWitkrDdproLMLz65GJYYlxXcPd79yt+SHk\n"
+    "TdfRANcjinRK/EKgkWYVu5yE/lqWl9lwgxY9YAeDp6/WZ7K5wGueiMNYsKoud0MP\n"
+    "al00AgaBgicIBMfVPdN19p8ZC4u2BuJlM1oq2eZbaP35rAlB1InbPtFIGL0c0h0o\n"
+    "6prLD6FgYHd1PQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBADQIUWrf2wnUlKK4\n"
+    "Q2kuK6EtC2CYblmUqV8kUx/sWkfaG2zD7ekyTVJg80IhnsrVJ3VQwOUtbWltgskF\n"
+    "ZzrwXbIIVkHzeI51jrt/jUXzskCjyDkxjeRgCxSJ1bIlN+OkIeXf/jjDJ+ebyeJl\n"
+    "oRgg/KtbaJVb9niFjbxdyMNEI5qZAmocFpE2t5S9GlosTEIPNbowZAe8+AeUXGJB\n"
+    "7SPJZ3U+Rk7Yx6cW2Hc5litIDzJlIN8D86v26lgJ1VEoYGD81wPEhIjHTkRBWhp6\n"
+    "kGV0EojP8ntSjDFHIH184MQAJYyr6YlEM3DcCYPwydLN/rkEHQVAxKKuSCrpcUMH\n"
+    "hfcdPO4=\n"
+    "-----END CERTIFICATE REQUEST-----";
+
+/*
+ * Test for the missing X509 version check discussed in issue #5738 and
+ * added in PR #24677.
+ * This test tries to verify a malformed CSR with the X509 version set
+ * version 6, instead of 1. As this request is malformed, even its
+ * signature is valid, the verification must fail.
+ */
+static int test_x509_req_detect_invalid_version(void)
+{
+    BIO *bio = NULL;
+    EVP_PKEY *pkey = NULL;
+    X509_REQ *req = NULL;
+    int ret = 0;
+
+    if (!TEST_ptr(bio = BIO_new_mem_buf(bad_csr_version_6, sizeof(bad_csr_version_6) - 1)))
+        goto err;
+    req = PEM_read_bio_X509_REQ(bio, NULL, 0, NULL);
+    if (req == NULL) {
+        ret = 1; /* success, reading PEM with invalid CSR data is allowed to fail. */
+        goto err;
+    }
+    if (!TEST_ptr(pkey = X509_REQ_get_pubkey(req)))
+        goto err;
+    /* Verification MUST fail at this point. ret != 1. */
+    if (!TEST_int_ne(X509_REQ_verify(req, pkey), 1))
+        goto err;
+    ret = 1; /* success */
+err:
+    EVP_PKEY_free(pkey);
+    X509_REQ_free(req);
+    BIO_free(bio);
+    return ret;
+}
+
+int setup_tests(void)
+{
+    ADD_TEST(test_x509_req_detect_invalid_version);
+    return 1;
+}
+
+void cleanup_tests(void)
+{
+}