From 2b77d4d7056daa1ab0f0784eca3406ba5a92463b Mon Sep 17 00:00:00 2001 From: AssemblyJohn Date: Fri, 24 May 2024 14:24:41 +0300 Subject: [PATCH] Updated test cases, removed unused provider header file, removed unused test Signed-off-by: AssemblyJohn --- .../detail/openssl/openssl_providers.hpp | 205 ------------------ .../crypto/openssl/openssl_supplier.cpp | 15 +- .../crypto/openssl/openssl_tpm.cpp | 4 +- tests/openssl_supplier_test_tpm.cpp | 12 +- tests/tests.cpp | 132 +---------- 5 files changed, 21 insertions(+), 347 deletions(-) delete mode 100644 include/evse_security/detail/openssl/openssl_providers.hpp diff --git a/include/evse_security/detail/openssl/openssl_providers.hpp b/include/evse_security/detail/openssl/openssl_providers.hpp deleted file mode 100644 index 65a0321..0000000 --- a/include/evse_security/detail/openssl/openssl_providers.hpp +++ /dev/null @@ -1,205 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright Pionix GmbH and Contributors to EVerest -#pragma once - -#include -#include -#include -#include -#include - -#include -#include - -namespace evse_security { - -static constexpr const char* PROVIDER_NULL = "null"; -static constexpr const char* PROVIDER_DEFAULT = "default"; -static constexpr const char* PROVIDER_TPM = "tpm2"; - -enum class Provider { - SSL_NULL, - DEFAULT, - TPM2, - CUSTOM, -}; - -template struct ProviderResolver {}; - -template <> struct ProviderResolver { - static constexpr const char* name() { - return PROVIDER_NULL; - } -}; - -template <> struct ProviderResolver { - static constexpr const char* name() { - return PROVIDER_DEFAULT; - } -}; - -template <> struct ProviderResolver { - static constexpr const char* name() { - return PROVIDER_TPM; - } -}; - -template static void foreach_provider(F func) { - auto iter = [](OSSL_PROVIDER* provider, void* cbdata) { - F* fc = (F*)cbdata; - (*fc)(provider); - - return 1; - }; - - OSSL_PROVIDER_do_all(nullptr, iter, &func); -} - -static std::vector get_current_provider_names() { - std::vector providers; - foreach_provider( - [&providers](OSSL_PROVIDER* provider) { providers.emplace_back(OSSL_PROVIDER_get0_name(provider)); }); - - return providers; -} - -static std::vector get_current_providers() { - std::vector providers; - foreach_provider([&providers](OSSL_PROVIDER* provider) { providers.emplace_back(provider); }); - - return providers; -} - -class ProviderLoadException : public std::runtime_error { -public: - using std::runtime_error::runtime_error; -}; - -template struct OptionalMember { - type data; -}; - -template struct OptionalMember {}; - -template struct OSSLProvider { - std::string get_required_provider() { - return provider_required; - } - - OSSL_PROVIDER* get_scope_provider_raw() { - return provider_loaded; - } - -protected: - OSSLProvider(const std::string& provider) { - provider_required = provider; - } - - virtual ~OSSLProvider() noexcept(false) { - } - -public: // Utilities for loading/unloading - void load_provider() { - persist_providers(); - - if constexpr (!use_fallback) - provider_loaded = OSSL_PROVIDER_load(nullptr, provider_required.c_str()); - else - provider_loaded = OSSL_PROVIDER_try_load(nullptr, provider_required.c_str(), 1); - - if (!provider_loaded) { - std::string error = "Failed to load provider: [" + provider_required + "] all operations reverting!"; - throw new ProviderLoadException(error); - } - - EVLOG_debug << "[PROV] Provider loaded: " << provider_required; - } - - void unload_provider() { - if (OSSL_PROVIDER_unload(provider_loaded) != 1) { - std::string error = "Failed to unload provider: [" + provider_required + "]"; - throw new ProviderLoadException(error); - } - - // Invalidate - provider_loaded = nullptr; - restore_providers(); - - EVLOG_debug << "[PROV] Provider unloaded: " << provider_required; - } - -private: - template typename std::enable_if::type persist_providers() { - old_providers.data = get_current_provider_names(); - - // No internal OSSL iteration while unloading - std::vector providers = get_current_providers(); - for (auto& provider : providers) { - if (!OSSL_PROVIDER_unload(provider)) { - std::string error = "Failed to unload old provider!"; - throw new ProviderLoadException(error); - } - } - } - - template typename std::enable_if::type restore_providers() { - for (auto& provider : old_providers.data) { - if (!OSSL_PROVIDER_load(nullptr, provider.c_str())) { - std::string error = "Failed to load old provider: " + provider; - throw new ProviderLoadException(error); - } - } - } - - template typename std::enable_if::type persist_providers() { - } - template typename std::enable_if::type restore_providers() { - } - -private: - std::string provider_required; - OSSL_PROVIDER* provider_loaded; - - OptionalMember, !use_fallback> old_providers; -}; - -template struct OSSLScopedProvider : public OSSLProvider { -protected: - OSSLScopedProvider(const std::string& provider) : OSSLProvider(provider) { - this->load_provider(); - } - - virtual ~OSSLScopedProvider() noexcept(false) { - this->unload_provider(); - } -}; - -template -struct OSSLAutoresolvedScopedProvider : OSSLScopedProvider { - OSSLAutoresolvedScopedProvider() : OSSLScopedProvider(ProviderResolver::name()) { - } -}; - -template struct OSSLAutoresolvedProvider : OSSLProvider { - OSSLAutoresolvedProvider() : OSSLProvider(ProviderResolver::name()) { - } -}; - -// NULL provider to test certain operations -typedef OSSLAutoresolvedScopedProvider NullScopedProvider; - -/// @brief Scoped TPM provider. In order to use the TPM for a certain operation simply -/// declare an object of this type within a scope. Example usage: -/// { -/// TPMScopedProvider TPM(); -/// ... do TPM operations here normally ... -/// } -typedef OSSLAutoresolvedScopedProvider TPMScopedProvider; - -/// @brief Same as above, but with manual locking and unlocking -typedef OSSLAutoresolvedProvider TPMProvider; - -/// @brief Same as the above but with the currently loaded provider as fallback -typedef OSSLAutoresolvedScopedProvider TPMScopedProviderFallback; - -} // namespace evse_security \ No newline at end of file diff --git a/lib/evse_security/crypto/openssl/openssl_supplier.cpp b/lib/evse_security/crypto/openssl/openssl_supplier.cpp index f2449ec..51fd965 100644 --- a/lib/evse_security/crypto/openssl/openssl_supplier.cpp +++ b/lib/evse_security/crypto/openssl/openssl_supplier.cpp @@ -674,7 +674,6 @@ CertificateSignRequestResult OpenSSLSupplier::x509_generate_csr(const Certificat if (csr_info.key_info.generate_on_tpm) { provider.set_global_mode(OpenSSLProvider::mode_t::tpm2_provider); - } else { provider.set_global_mode(OpenSSLProvider::mode_t::default_provider); } @@ -693,12 +692,16 @@ CertificateSignRequestResult OpenSSLSupplier::x509_generate_csr(const Certificat if (false == X509_REQ_set_version(x509_req_ptr.get(), n_version)) { EVLOG_error << "Failed to set csr version!"; + ERR_print_errors_fp(stderr); + return CertificateSignRequestResult::VersioningError; } // set public key of x509 req if (false == X509_REQ_set_pubkey(x509_req_ptr.get(), key)) { EVLOG_error << "Failed to set csr pubkey!"; + ERR_print_errors_fp(stderr); + return CertificateSignRequestResult::PubkeyError; } @@ -743,16 +746,18 @@ CertificateSignRequestResult OpenSSLSupplier::x509_generate_csr(const Certificat if (!result) { EVLOG_error << "Failed to add csr extensions!"; + ERR_print_errors_fp(stderr); + return CertificateSignRequestResult::ExtensionsError; } // sign the certificate with the private key - bool x509_signed = false; + bool x509_signed = X509_REQ_sign(x509_req_ptr.get(), key, EVP_sha256()); - x509_signed = X509_REQ_sign(x509_req_ptr.get(), key, EVP_sha256()); + if (x509_signed == false) { + EVLOG_error << "Failed to sign csr with error!"; + ERR_print_errors_fp(stderr); - if (x509_signed == false) { - EVLOG_error << "Failed to sign csr!"; return CertificateSignRequestResult::SigningError; } diff --git a/lib/evse_security/crypto/openssl/openssl_tpm.cpp b/lib/evse_security/crypto/openssl/openssl_tpm.cpp index 233f2b1..c4edb0d 100644 --- a/lib/evse_security/crypto/openssl/openssl_tpm.cpp +++ b/lib/evse_security/crypto/openssl/openssl_tpm.cpp @@ -5,9 +5,7 @@ #include -#define USING_OPENSSL_3 (OPENSSL_VERSION_NUMBER >= 0x30000000L) - -#if USING_OPENSSL_3 && defined(USING_TPM2) +#if USING_TPM2 // OpenSSL3 without TPM will use the default provider anyway #include #include diff --git a/tests/openssl_supplier_test_tpm.cpp b/tests/openssl_supplier_test_tpm.cpp index 952044d..ef1fb6f 100644 --- a/tests/openssl_supplier_test_tpm.cpp +++ b/tests/openssl_supplier_test_tpm.cpp @@ -33,6 +33,10 @@ TEST_F(OpenSSLSupplierTpmTest, generate_key_RSA_TPM20) { } TEST_F(OpenSSLSupplierTpmTest, generate_key_RSA_3072) { + // Enable this test manually only if your platform supports 3072 TPM keys + GTEST_SKIP() << "Skipping TPM2.0 GEN_RSA_3072 test since it is a non-spec value" + "which probably will not be supported on many platforms!"; + KeyGenerationInfo info = { CryptoKeyType::RSA_3072, true, std::nullopt, std::nullopt, std::nullopt, }; @@ -71,7 +75,7 @@ TEST_F(OpenSSLSupplierTpmTest, x509_check_private_key) { auto cert = res_leaf[0].get(); auto key = getFile("tpm_pki/server_priv.pem"); auto res = OpenSSLSupplier::x509_check_private_key(cert, key, std::nullopt); - ASSERT_TRUE(res); + ASSERT_EQ(res, KeyValidationResult::Valid); } TEST_F(OpenSSLSupplierTpmTest, x509_verify_certificate_chain) { @@ -87,9 +91,9 @@ TEST_F(OpenSSLSupplierTpmTest, x509_verify_certificate_chain) { parents.push_back(i.get()); } - auto res = OpenSSLSupplier::x509_verify_certificate_chain(res_leaf[0].get(), parents, true, std::nullopt, + auto res = OpenSSLSupplier::x509_verify_certificate_chain(res_leaf[0].get(), parents, {}, true, std::nullopt, "tpm_pki/root_cert.pem"); - ASSERT_EQ(res, CertificateValidationError::NoError); + ASSERT_EQ(res, CertificateValidationResult::Valid); } TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr) { @@ -109,7 +113,7 @@ TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr) { // std::cout << "tpm2 post: " << OSSL_PROVIDER_available(nullptr, "tpm2") << std::endl; // std::cout << "base post: " << OSSL_PROVIDER_available(nullptr, "base") << std::endl; - ASSERT_TRUE(res); + ASSERT_EQ(res, CertificateSignRequestResult::Valid); ASSERT_GT(csr.size(), 0); } diff --git a/tests/tests.cpp b/tests/tests.cpp index 4c4c286..f53c731 100644 --- a/tests/tests.cpp +++ b/tests/tests.cpp @@ -17,14 +17,8 @@ #include #include -#define USING_OPENSSL_3 (OPENSSL_VERSION_NUMBER >= 0x30000000L) -#if USING_OPENSSL_3 -// provider management has changed - ensure tests still work -#ifndef USING_TPM2 - -#include -#else +#ifdef USING_TPM2 // updates so that existing tests run with the OpenSSLProvider #include @@ -38,19 +32,6 @@ typedef OpenSSLProvider TPMScopedProvider; } // namespace evse_security #endif // USING_TPM2 -#else - -// updates so that tests run under OpenSSL v1 -namespace evse_security { -const char* PROVIDER_TPM = "tpm2"; -const char* PROVIDER_DEFAULT = "default"; -} // namespace evse_security -constexpr bool check_openssl_providers(const std::vector&) { - return true; -} - -#endif // USING_OPENSSL_3 - std::string read_file_to_string(const fs::path filepath) { fsstd::ifstream t(filepath.string()); std::stringstream buffer; @@ -69,61 +50,6 @@ bool equal_certificate_strings(const std::string& cert1, const std::string& cert return true; } -#if USING_OPENSSL_3 -bool supports_tpm_usage() { - bool supports_tpm = false; - auto libctx = OSSL_LIB_CTX_new(); - - OSSL_PROVIDER* tpm2_provider = OSSL_PROVIDER_load(libctx, evse_security::PROVIDER_TPM); - - if (tpm2_provider != nullptr) { - supports_tpm = - OSSL_PROVIDER_available(libctx, evse_security::PROVIDER_TPM) && OSSL_PROVIDER_self_test(tpm2_provider); - OSSL_PROVIDER_unload(tpm2_provider); - } else { - supports_tpm = false; - } - - // Load default again (removed - not needed and causes a memory leak) - // OSSL_PROVIDER_load(nullptr, evse_security::PROVIDER_DEFAULT); - - OSSL_LIB_CTX_free(libctx); - - std::cout << "Supports TPM usage: " << supports_tpm << std::endl; - return supports_tpm; -} - -// Checks if we have the following providers active -bool check_openssl_providers(const std::vector& required_providers) { - struct Info { - std::set providers; - }; - - auto collector = [](OSSL_PROVIDER* provider, void* cbdata) { - Info* info = (Info*)cbdata; - info->providers.emplace(OSSL_PROVIDER_get0_name(provider)); - return 1; - }; - - Info info; - OSSL_PROVIDER_do_all(nullptr, collector, &info); - - if (info.providers.size() != required_providers.size()) - return false; - - for (auto& required : required_providers) { - if (info.providers.find(required) == info.providers.end()) - return false; - } - - return true; -} - -static bool supports_tpm = supports_tpm_usage(); -#else -static bool supports_tpm = false; -#endif // USING_OPENSSL_3 - void install_certs() { std::system("./generate_test_certs.sh"); } @@ -248,9 +174,6 @@ class EvseSecurityTestsExpired : public EvseSecurityTests { }; TEST_F(EvseSecurityTests, verify_basics) { - // Check that we have the default provider - ASSERT_TRUE(check_openssl_providers({PROVIDER_DEFAULT})); - const char* bundle_path = "certs/ca/v2g/V2G_CA_BUNDLE.pem"; fsstd::ifstream file(bundle_path, std::ios::binary); @@ -312,9 +235,6 @@ TEST_F(EvseSecurityTests, verify_directory_bundles) { } TEST_F(EvseSecurityTests, verify_bundle_management) { - // Check that we have the default provider - ASSERT_TRUE(check_openssl_providers({PROVIDER_DEFAULT})); - const char* directory_path = "certs/ca/csms/"; X509CertificateBundle bundle(fs::path(directory_path), EncodingFormat::PEM); ASSERT_TRUE(bundle.split().size() == 2); @@ -366,54 +286,6 @@ TEST_F(EvseSecurityTests, verify_normal_keygen) { ASSERT_TRUE(gen); } -TEST_F(EvseSecurityTests, verify_tpm_keygen_csr) { - if (supports_tpm == false) - return; - - KeyGenerationInfo info; - KeyHandle_ptr key; - - info.key_type = CryptoKeyType::EC_prime256v1; - info.generate_on_tpm = true; - - info.public_key_file = fs::path("key/tpm_pubkey.tkey"); - info.private_key_file = fs::path("key/tpm_privkey.tkey"); - - bool gen = CryptoSupplier::generate_key(info, key); - ASSERT_TRUE(gen); - - CertificateSigningRequestInfo csr_info; - csr_info.n_version = 0; - csr_info.commonName = "pionix_01"; - csr_info.organization = "PionixDE"; - csr_info.country = "DE"; - - info.public_key_file = fs::path("key/csr_tpm_pubkey.tkey"); - info.private_key_file = fs::path("key/csr_tpm_privkey.tkey"); - info.key_type = CryptoKeyType::RSA_TPM20; - - csr_info.key_info = info; - - std::string csr; - - auto csr_gen = CryptoSupplier::x509_generate_csr(csr_info, csr); - ASSERT_EQ(csr_gen, CertificateSignRequestResult::Valid); - - std::cout << "TPM csr: " << std::endl << csr << std::endl; - - info.public_key_file = fs::path("key/csr_nrm_pubkey.tkey"); - info.private_key_file = fs::path("key/csr_nrm_privkey.tkey"); - info.generate_on_tpm = false; - info.key_type = CryptoKeyType::RSA_3072; - - csr_info.key_info = info; - - csr_gen = CryptoSupplier::x509_generate_csr(csr_info, csr); - ASSERT_EQ(csr_gen, CertificateSignRequestResult::Valid); - - std::cout << "normal csr: " << std::endl << csr << std::endl; -} - /// \brief get_certificate_hash_data() throws exception if called with no issuer and a non-self-signed cert TEST_F(EvseSecurityTests, get_certificate_hash_data_non_self_signed_requires_issuer) { const auto non_self_signed_cert_str = @@ -1052,7 +924,7 @@ TEST_F(EvseSecurityTestsExpired, verify_expired_leaf_deletion) { } // Check their respective keys exist - EVLOG_info << key_file; + std::cout << key_file; ASSERT_TRUE(fs::exists(key_file)); X509Wrapper cert = X509CertificateBundle(not_deleted, EncodingFormat::PEM).split().at(0);