Add alternate chain test case where peer presents chain (INT -> INT2 -> PEER) and only INT2 is loaded as trusted. Update existing alternate chain partial test cases to use INT2. Fix for test suite to allow extra newlines in .test files.

David Garske
2020-06-16 14:10:05 -07:00
parent 5a5bc34aa5
commit 9be61c61f5
3 changed files with 115 additions and 19 deletions


@ -509,6 +509,8 @@ static void test_harness(void* vargs)
int cliArgsSz;
char* cursor;
char* comment;
char lastChar = '\0';
int do_it = 0;
const char* fname = "tests/test.conf";
const char* addArgs = NULL;
@ -571,20 +573,27 @@ static void test_harness(void* vargs)
cliArgs[0] = args->argv[0];
while (*cursor != 0) {
int do_it = 0;
switch (*cursor) {
case '\n':
/* A blank line triggers test case execution or switches
to client mode if we don't have the client command yet */
if (lastChar != '\n' && (cliArgsSz > 1 || svrArgsSz > 1)) {
if (cliMode == 0)
cliMode = 1; /* switch to client mode processing */
/* skip extra newlines */
else
do_it = 1; /* Do It, we have server and client */
}
#ifdef DEBUG_SUITE_TESTS
else {
/* skip extra new-lines */
printf("skipping extra new line\n");
}
#endif
lastChar = *cursor;
cursor++;
break;
case '#':
lastChar = *cursor;
/* Ignore lines that start with a # */
comment = XSTRSEP(&cursor, "\n");
#ifdef DEBUG_SUITE_TESTS
@ -597,6 +606,7 @@ static void test_harness(void* vargs)
default:
/* Parameters start with a -. They end in either a newline
* or a space. Capture until either, save in Args list. */
lastChar = *cursor;
if (cliMode)
cliArgs[cliArgsSz++] = XSTRSEP(&cursor, " \n");
else
@ -659,6 +669,7 @@ static void test_harness(void* vargs)
svrArgsSz = 1;
cliArgsSz = 1;
cliMode = 0;
do_it = 0;
}
}
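Review bot: The blank-line guard in `case '\n'` can still set `do_it = 1` before any client argument has been read, because its size test is an OR and the `'#'` case overwrites `lastChar`. With a server block followed by a blank line, a comment line and another blank line, the second blank line sees `lastChar == '#'` and `svrArgsSz > 1` while `cliMode` is already 1. The case would then presumably run with only `cliArgs[0]`, so a chain-verification case could pass or fail without using the certificates its client block names; the code that consumes `do_it`, like the rest of test_harness, is outside the visible hunks. Requiring client arguments on that branch, `else if (cliArgsSz > 1) do_it = 1;`, would close this. Assuming XSTRSEP behaves like strsep and consumes the delimiter, a comment such as `/* lastChar: first char of the previous token, not the last byte consumed */` at the declaration would also make the blank-line detection easier to follow.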


@ -1,6 +1,7 @@
# Tests will use complete chain with intermediate CA for testing
# Tests using a longer certificate chain (with intermediate CA's)
# The tests with chains have the CRL checking disabled
# CRL's only load for trusted CA's, for a chain you must load the root and intermediate as trusted
# For these tests we are loading root and sending intermediate and peer certs
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Chain
-v 3
@ -82,11 +83,12 @@
-c ./certs/intermediate/client-chain-ecc.pem
-C
# Test will load intermediate CA as trusted and only present the peer cert (partial chain)
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3
-l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-int-cert.pem
-V
@ -94,7 +96,7 @@
# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3
-l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-int-cert.pem
-C
@ -102,7 +104,7 @@
# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-int-cert.pem
-V
@ -110,7 +112,7 @@
# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Chain
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-int-cert.pem
-C
@ -118,7 +120,7 @@
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem
-c ./certs/intermediate/server-int-ecc-cert.pem
-V
@ -126,7 +128,7 @@
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Chain
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-int-ecc-cert.pem
-C
@ -134,7 +136,7 @@
# server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-int-cert.pem
-V
@ -142,7 +144,7 @@
# client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-cert.pem
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-int-cert.pem
-C
@ -150,7 +152,7 @@
# server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem
-c ./certs/intermediate/server-int-ecc-cert.pem
-V
@ -158,11 +160,94 @@
# client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int-ecc-cert.pem
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-int-ecc-cert.pem
-C
# Test will load intermediate2 CA as trusted and present full chain (where intermediate CA is not trusted)
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-chain.pem
-V
# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l DHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-chain.pem
-C
# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-chain.pem
-V
# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-chain.pem
-C
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem
-c ./certs/intermediate/server-chain-ecc.pem
-V
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-chain-ecc.pem
-C
# server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/server-key.pem
-c ./certs/intermediate/server-chain.pem
-V
# client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-cert.pem
-k ./certs/client-key.pem
-c ./certs/intermediate/client-chain.pem
-C
# server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-key.pem
-c ./certs/intermediate/server-chain-ecc.pem
-V
# client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Partial Trusted Chain
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/intermediate/ca-int2-ecc-cert.pem
-k ./certs/ecc-client-key.pem
-c ./certs/intermediate/client-chain-ecc.pem
-C
# Test will use alternate chain where chain contains extra cert
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Alt Chain
-v 3