From 876a1a83adb926303c0b3e602e1fb44be6020a44 Mon Sep 17 00:00:00 2001 From: Rob Percival Date: Tue, 7 Jun 2016 17:56:02 +0100 Subject: [PATCH] Tests should check validation status directly Reviewed-by: Rich Salz Reviewed-by: Matt Caswell --- test/ct_test.c | 92 ++++++++++++++++++++++++++------------------------ 1 file changed, 47 insertions(+), 45 deletions(-) diff --git a/test/ct_test.c b/test/ct_test.c index c42391c682..8cc97e25ff 100644 --- a/test/ct_test.c +++ b/test/ct_test.c @@ -223,6 +223,51 @@ end: return result; } +static int assert_validity(CT_TEST_FIXTURE fixture, + STACK_OF(SCT) *scts, + CT_POLICY_EVAL_CTX *policy_ctx) { + int invalid_sct_count = 0; + int valid_sct_count = 0; + int i; + + if (SCT_LIST_validate(scts, policy_ctx) < 0) { + fprintf(stderr, "Error verifying SCTs\n"); + return 0; + } + + for (i = 0; i < sk_SCT_num(scts); ++i) { + SCT *sct_i = sk_SCT_value(scts, i); + switch (SCT_get_validation_status(sct_i)) { + case SCT_VALIDATION_STATUS_VALID: + ++valid_sct_count; + break; + case SCT_VALIDATION_STATUS_INVALID: + ++invalid_sct_count; + break; + default: + /* Ignore other validation statuses. */ + break; + } + } + + if (valid_sct_count != fixture.expected_sct_count) { + int unverified_sct_count = sk_SCT_num(scts) - + invalid_sct_count - valid_sct_count; + + fprintf(stderr, + "%d SCTs failed verification\n" + "%d SCTs passed verification (%d expected)\n" + "%d SCTs were unverified\n", + invalid_sct_count, + valid_sct_count, + fixture.expected_sct_count, + unverified_sct_count); + return 0; + } + + return 1; +} + static int execute_cert_test(CT_TEST_FIXTURE fixture) { int success = 0; @@ -293,7 +338,6 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) } if (fixture.test_validity) { - int are_scts_validated = 0; int i; scts = X509V3_EXT_d2i(sct_extension); @@ -307,44 +351,8 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) } } - are_scts_validated = SCT_LIST_validate(scts, ct_policy_ctx); - if (are_scts_validated < 0) { - fprintf(stderr, "Error verifying SCTs\n"); - goto end; - } else if (!are_scts_validated) { - int invalid_sct_count = 0; - int valid_sct_count = 0; - - for (i = 0; i < sk_SCT_num(scts); ++i) { - SCT *sct_i = sk_SCT_value(scts, i); - switch (SCT_get_validation_status(sct_i)) { - case SCT_VALIDATION_STATUS_VALID: - ++valid_sct_count; - break; - case SCT_VALIDATION_STATUS_INVALID: - ++invalid_sct_count; - break; - default: - /* Ignore other validation statuses. */ - break; - } - } - - if (valid_sct_count != fixture.expected_sct_count) { - int unverified_sct_count = sk_SCT_num(scts) - - invalid_sct_count - valid_sct_count; - - fprintf(stderr, - "%d SCTs failed verification\n" - "%d SCTs passed verification (%d expected)\n" - "%d SCTs were unverified\n", - invalid_sct_count, - valid_sct_count, - fixture.expected_sct_count, - unverified_sct_count); - } + if (!assert_validity(fixture, scts, ct_policy_ctx)) goto end; - } } } else if (sct_extension != NULL) { fprintf(stderr, @@ -362,14 +370,8 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) } if (fixture.test_validity && cert != NULL) { - int is_sct_validated = SCT_validate(sct, ct_policy_ctx); - if (is_sct_validated < 0) { - fprintf(stderr, "Error validating SCT\n"); + if (!assert_validity(fixture, scts, ct_policy_ctx)) goto end; - } else if (!is_sct_validated) { - fprintf(stderr, "SCT failed verification\n"); - goto end; - } } if (fixture.sct_text_file -- 2.25.1