Updated test cases, removed unused provider header file, removed unus…

…ed test Signed-off-by: AssemblyJohn <[email protected]>
EVerest · May 24, 2024 · c5f049c · c5f049c
1 parent a315ae7
commit c5f049c
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 361 deletions.
diff --git a/include/evse_security/detail/openssl/openssl_providers.hpp b/include/evse_security/detail/openssl/openssl_providers.hpp
diff --git a/lib/evse_security/crypto/openssl/openssl_supplier.cpp b/lib/evse_security/crypto/openssl/openssl_supplier.cpp
@@ -674,7 +674,6 @@ CertificateSignRequestResult OpenSSLSupplier::x509_generate_csr(const Certificat
 
     if (csr_info.key_info.generate_on_tpm) {
         provider.set_global_mode(OpenSSLProvider::mode_t::tpm2_provider);
-
     } else {
         provider.set_global_mode(OpenSSLProvider::mode_t::default_provider);
     }
@@ -688,17 +687,28 @@ CertificateSignRequestResult OpenSSLSupplier::x509_generate_csr(const Certificat
     // X509 CSR request
     X509_REQ_ptr x509_req_ptr(X509_REQ_new());
 
+    if (nullptr == x509_req_ptr.get()) {
+        EVLOG_error << "Failed to create CSR request!";
+        ERR_print_errors_fp(stderr);
+
+        return CertificateSignRequestResult::Unknown;
+    }
+
     // set version of x509 req
     int n_version = csr_info.n_version;
 
     if (false == X509_REQ_set_version(x509_req_ptr.get(), n_version)) {
         EVLOG_error << "Failed to set csr version!";
+        ERR_print_errors_fp(stderr);
+
         return CertificateSignRequestResult::VersioningError;
     }
 
     // set public key of x509 req
     if (false == X509_REQ_set_pubkey(x509_req_ptr.get(), key)) {
         EVLOG_error << "Failed to set csr pubkey!";
+        ERR_print_errors_fp(stderr);
+
         return CertificateSignRequestResult::PubkeyError;
     }
 
@@ -743,16 +753,18 @@ CertificateSignRequestResult OpenSSLSupplier::x509_generate_csr(const Certificat
 
     if (!result) {
         EVLOG_error << "Failed to add csr extensions!";
+        ERR_print_errors_fp(stderr);
+
         return CertificateSignRequestResult::ExtensionsError;
     }
 
     // sign the certificate with the private key
-    bool x509_signed = false;
-
-    x509_signed = X509_REQ_sign(x509_req_ptr.get(), key, EVP_sha256());
+    bool x509_signed = X509_REQ_sign(x509_req_ptr.get(), key, EVP_sha256());
 
     if (x509_signed == false) {
-        EVLOG_error << "Failed to sign csr!";
+        EVLOG_error << "Failed to sign csr with error!";
+        ERR_print_errors_fp(stderr);
+
         return CertificateSignRequestResult::SigningError;
     }
 

diff --git a/lib/evse_security/crypto/openssl/openssl_tpm.cpp b/lib/evse_security/crypto/openssl/openssl_tpm.cpp
@@ -5,9 +5,7 @@
 
 #include <openssl/opensslv.h>
 
-#define USING_OPENSSL_3 (OPENSSL_VERSION_NUMBER >= 0x30000000L)
-
-#if USING_OPENSSL_3 && defined(USING_TPM2)
+#if USING_TPM2
 // OpenSSL3 without TPM will use the default provider anyway
 #include <openssl/err.h>
 #include <openssl/evp.h>

diff --git a/tests/openssl_supplier_test_tpm.cpp b/tests/openssl_supplier_test_tpm.cpp
@@ -23,6 +23,22 @@ class OpenSSLSupplierTpmTest : public testing::Test {
     }
 };
 
+TEST_F(OpenSSLSupplierTpmTest, supports_tpm) {
+    OpenSSLProvider::cleanup();
+    ASSERT_FALSE(OpenSSLProvider::supports_tpm());
+    // calculates
+    OpenSSLProvider provider;
+    // returns cached
+    ASSERT_TRUE(OpenSSLProvider::supports_tpm());
+}
+
+TEST_F(OpenSSLSupplierTpmTest, supports_tpm_key_creation) {
+    OpenSSLProvider::cleanup();
+    ASSERT_FALSE(OpenSSLProvider::supports_tpm());
+    // should calculate
+    ASSERT_TRUE(OpenSSLSupplier::supports_tpm_key_creation());
+}
+
 TEST_F(OpenSSLSupplierTpmTest, generate_key_RSA_TPM20) {
     KeyGenerationInfo info = {
         CryptoKeyType::RSA_TPM20, true, std::nullopt, std::nullopt, std::nullopt,
@@ -33,6 +49,10 @@ TEST_F(OpenSSLSupplierTpmTest, generate_key_RSA_TPM20) {
 }
 
 TEST_F(OpenSSLSupplierTpmTest, generate_key_RSA_3072) {
+    // Enable this test manually only if your platform supports 3072 TPM keys
+    GTEST_SKIP() << "Skipping TPM2.0 GEN_RSA_3072 test since it is a non-spec value"
+                    "which probably will not be supported on many platforms!";
+
     KeyGenerationInfo info = {
         CryptoKeyType::RSA_3072, true, std::nullopt, std::nullopt, std::nullopt,
     };
@@ -71,7 +91,7 @@ TEST_F(OpenSSLSupplierTpmTest, x509_check_private_key) {
     auto cert = res_leaf[0].get();
     auto key = getFile("tpm_pki/server_priv.pem");
     auto res = OpenSSLSupplier::x509_check_private_key(cert, key, std::nullopt);
-    ASSERT_TRUE(res);
+    ASSERT_EQ(res, KeyValidationResult::Valid);
 }
 
 TEST_F(OpenSSLSupplierTpmTest, x509_verify_certificate_chain) {
@@ -87,9 +107,9 @@ TEST_F(OpenSSLSupplierTpmTest, x509_verify_certificate_chain) {
         parents.push_back(i.get());
     }
 
-    auto res = OpenSSLSupplier::x509_verify_certificate_chain(res_leaf[0].get(), parents, true, std::nullopt,
+    auto res = OpenSSLSupplier::x509_verify_certificate_chain(res_leaf[0].get(), parents, {}, true, std::nullopt,
                                                               "tpm_pki/root_cert.pem");
-    ASSERT_EQ(res, CertificateValidationError::NoError);
+    ASSERT_EQ(res, CertificateValidationResult::Valid);
 }
 
 TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr) {
@@ -101,32 +121,33 @@ TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr) {
         "0123456789",
         .dns_name = std::nullopt,
         .ip_address = std::nullopt,
-        {CryptoKeyType::EC_prime256v1, true, std::nullopt, "tpm_pki/csr_key.pem", std::nullopt}};
+        {CryptoKeyType::EC_prime256v1, true, std::nullopt, "tpm_pki/csr_key.tkey", std::nullopt}};
 
     // std::cout << "tpm2 pre: " << OSSL_PROVIDER_available(nullptr, "tpm2") << std::endl;
     // std::cout << "base pre: " << OSSL_PROVIDER_available(nullptr, "base") << std::endl;
     auto res = OpenSSLSupplier::x509_generate_csr(csr_info, csr);
     // std::cout << "tpm2 post: " << OSSL_PROVIDER_available(nullptr, "tpm2") << std::endl;
     // std::cout << "base post: " << OSSL_PROVIDER_available(nullptr, "base") << std::endl;
 
-    ASSERT_TRUE(res);
+    ASSERT_EQ(res, CertificateSignRequestResult::Valid);
     ASSERT_GT(csr.size(), 0);
 }
 
-TEST_F(OpenSSLSupplierTpmTest, supports_tpm) {
-    OpenSSLProvider::cleanup();
-    ASSERT_FALSE(OpenSSLProvider::supports_tpm());
-    // calculates
-    OpenSSLProvider provider;
-    // returns cached
-    ASSERT_TRUE(OpenSSLProvider::supports_tpm());
-}
+TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr2) {
+    std::string csr;
+    CertificateSigningRequestInfo csr_info = {
+        0,
+        "UK",
+        "Pionix",
+        "0123456789",
+        .dns_name = std::nullopt,
+        .ip_address = std::nullopt,
+        {CryptoKeyType::RSA_TPM20, true, std::nullopt, "tpm_pki/csr_key.tkey", std::nullopt}};
 
-TEST_F(OpenSSLSupplierTpmTest, supports_tpm_key_creation) {
-    OpenSSLProvider::cleanup();
-    ASSERT_FALSE(OpenSSLProvider::supports_tpm());
-    // should calculate
-    ASSERT_TRUE(OpenSSLSupplier::supports_tpm_key_creation());
+    auto res = OpenSSLSupplier::x509_generate_csr(csr_info, csr);
+
+    ASSERT_EQ(res, CertificateSignRequestResult::Valid);
+    ASSERT_GT(csr.size(), 0);
 }
 
 } // namespace