tests: Add more tests for catalog files.

2025-04-05 01:00:11 -05:00 · 2023-11-03 09:46:59 +01:00 · 2023-11-03 09:46:59 +01:00 · e290e03341
commit e290e03341
parent 900ffed596
1 changed files with 93 additions and 55 deletions
--- a/cmake/CMakeTest.cmake
+++ b/cmake/CMakeTest.cmake
@ -134,7 +134,7 @@ add_test(NAME version

 ### Sign ###

-# Tests 2-5
+# Tests 2-7
 # Sign with PKCS#12 container with legacy RC2-40-CBC private key and certificate encryption algorithm
 foreach(ext ${extensions_all})
    add_test(
@ -154,7 +154,7 @@ foreach(ext ${extensions_all})
        "-out" "${FILES}/legacy.${ext}")
 endforeach(ext ${extensions_all})

-# Tests 6-9
+# Tests 8-13
 # Sign with PKCS#12 container with legacy RC2-40-CBC private key and certificate encryption algorithm
 # Disable legacy mode and don't automatically load the legacy provider
 # Option "-nolegacy" requires OpenSSL 3.0.0 or later
@ -184,7 +184,7 @@ if(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0)
    endforeach(ext ${extensions_all})
 endif(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0)

-# Tests 10-13
+# Tests 14-19
 # Sign with PKCS#12 container with AES-256-CBC private key and certificate encryption algorithm
 foreach(ext ${extensions_all})
    add_test(
@ -204,7 +204,7 @@ foreach(ext ${extensions_all})
        "-out" "${FILES}/signed.${ext}")
 endforeach(ext ${extensions_all})

-# Tests 14-17
+# Tests 20-25
 # Sign with revoked certificate
 foreach(ext ${extensions_all})
    add_test(
@ -225,7 +225,7 @@ foreach(ext ${extensions_all})
        "-out" "${FILES}/revoked.${ext}")
 endforeach(ext ${extensions_all})

-# Tests 18-20
+# Tests 26-30
 # Remove signature
 # Unsupported command for CAT files
 foreach(ext ${extensions_nocat})
@ -241,7 +241,7 @@ foreach(ext ${extensions_nocat})
        REQUIRED_FILES "${FILES}/signed.${ext}")
 endforeach(ext ${extensions_nocat})

-# Tests 21-24
+# Tests 31-36
 # Extract PKCS#7 signature in PEM format
 foreach(ext ${extensions_all})
    add_test(
@ -257,7 +257,7 @@ foreach(ext ${extensions_all})
        REQUIRED_FILES "${FILES}/signed.${ext}")
 endforeach(ext ${extensions_all})

-# Tests 25-28
+# Tests 37-42
 # Extract PKCS#7 signature in default DER format
 foreach(ext ${extensions_all})
    add_test(
@ -272,7 +272,7 @@ foreach(ext ${extensions_all})
        REQUIRED_FILES "${FILES}/signed.${ext}")
 endforeach(ext ${extensions_all})

-# Tests 29-34
+# Tests 43-52
 # Attach signature in PEM or DER format
 # Unsupported command for CAT files
 set(formats "pem" "der")
@ -302,7 +302,7 @@ foreach(ext ${extensions_nocat})
    endforeach(format ${formats})
 endforeach(ext ${extensions_nocat})

-# Tests 35-38
+# Tests 53-58
 # Add an unauthenticated blob to a previously-signed file
 foreach(ext ${extensions_all})
    add_test(
@ -319,7 +319,7 @@ foreach(ext ${extensions_all})
        REQUIRED_FILES "${FILES}/signed.${ext}")
 endforeach(ext ${extensions_all})

-# Tests 39-42
+# Tests 59-64
 # Add the new nested signature instead of replacing the first one
 foreach(ext ${extensions_all})
    add_test(
@ -350,9 +350,9 @@ endforeach(ext ${extensions_all})

 ### Verify signature ###

-# Tests 43-45
+# Tests 65-67
 # Verify PE/MSI/CAB files signed in the catalog file
-# APPX does not support detached PKCS#7 signature
+# CAT and APPX files do not support detached PKCS#7 signature
 foreach(ext ${extensions_nocatappx})
    add_test(
        NAME verify_catalog_${ext}
@ -371,9 +371,64 @@ foreach(ext ${extensions_nocatappx})
        REQUIRED_FILES "${FILES}/unsigned.${ext}")
 endforeach(ext ${extensions_nocatappx})

-# Tests 46-69
+# Tests 68-97
 # Verify signature
-set(files "legacy" "signed" "nested" "added" "removed" "revoked" "attached_pem" "attached_der")
+set(files "legacy" "signed" "nested" "added" "revoked")
+foreach(file ${files})
+    foreach(ext ${extensions_all})
+        add_test(
+            NAME verify_${file}_${ext}
+            COMMAND osslsigncode "verify"
+            "-time" "1567296000" # Signature verification time: Sep  1 00:00:00 2019 GMT
+            "-CAfile" "${CERTS}/CACert.pem"
+            "-CRLfile" "${CERTS}/CACertCRL.pem"
+            "-in" "${FILES}/${file}.${ext}")
+        set_tests_properties(
+            verify_${file}_${ext}
+            PROPERTIES
+            DEPENDS "${file}_${ext}"
+            REQUIRED_FILES "${FILES}/${file}.${ext}")
+    endforeach(ext ${extensions_all})
+endforeach(file ${files})
+
+# "revoked" tests are expected to fail
+set(files "revoked")
+foreach(file ${files})
+    foreach(ext ${extensions_all})
+        set_tests_properties(
+            verify_${file}_${ext}
+            PROPERTIES
+            WILL_FAIL TRUE)
+    endforeach(ext ${extensions_all})
+endforeach(file ${files})
+
+# Tests 98-102
+# Verify removed signature
+# "removed" tests are expected to fail
+# "remove-signature" command is unsupported for CAT files
+set(files "removed")
+foreach(file ${files})
+    foreach(ext ${extensions_nocat})
+        add_test(
+            NAME verify_${file}_${ext}
+            COMMAND osslsigncode "verify"
+            "-time" "1567296000" # Signature verification time: Sep  1 00:00:00 2019 GMT
+            "-CAfile" "${CERTS}/CACert.pem"
+            "-CRLfile" "${CERTS}/CACertCRL.pem"
+            "-in" "${FILES}/${file}.${ext}")
+        set_tests_properties(
+            verify_${file}_${ext}
+            PROPERTIES
+            DEPENDS "${file}_${ext}"
+            REQUIRED_FILES "${FILES}/${file}.${ext}"
+            WILL_FAIL TRUE)
+    endforeach(ext ${extensions_nocat})
+endforeach(file ${files})
+
+# Tests 103-112
+# Verify attached signature
+# "attach-signature" command is unsupported for CAT files
+set(files "attached_pem" "attached_der")
 foreach(file ${files})
    foreach(ext ${extensions_nocat})
        add_test(
@ -391,22 +446,12 @@ foreach(file ${files})
    endforeach(ext ${extensions_nocat})
 endforeach(file ${files})

-# "Removed" and "revoked" tests are expected to fail
-set(files "removed" "revoked")
-foreach(file ${files})
-    foreach(ext ${extensions_nocat})
-        set_tests_properties(
-            verify_${file}_${ext}
-            PROPERTIES
-            WILL_FAIL TRUE)
-    endforeach(ext ${extensions_nocat})
-endforeach(file ${files})

 if(Python3_FOUND OR server_error)

 ### Sign with Time-Stamp Authority ###

-    # Tests 70-89
+    # Tests 113-142
    # Sign with the RFC3161 Time-Stamp Authority
    # Use "cert" "expired" "revoked" without X509v3 CRL Distribution Points extension
    # and "cert_crldp" "revoked_crldp" contain X509v3 CRL Distribution Points extension
@ -439,9 +484,9 @@ if(Python3_FOUND OR server_error)

 ### Verify Time-Stamp Authority ###

-    # Tests 90-92
+    # Tests 143-148
    # Signature verification time: Sep  1 00:00:00 2019 GMT
-    foreach(ext ${extensions_nocat})
+    foreach(ext ${extensions_all})
        add_test(
            NAME verify_ts_cert_${ext}
            COMMAND osslsigncode "verify"
@ -455,11 +500,11 @@ if(Python3_FOUND OR server_error)
            DEPENDS "sign_ts_cert_${ext}"
            REQUIRED_FILES "${FILES}/ts_cert.${ext}"
            REQUIRED_FILES "${LOGS}/port.log")
-    endforeach(ext ${extensions_nocat})
+    endforeach(ext ${extensions_all})

-    # Tests 93-95
+    # Tests 149-154
    # Signature verification time: Jan  1 00:00:00 2035 GMT
-    foreach(ext ${extensions_nocat})
+    foreach(ext ${extensions_all})
        add_test(
            NAME verify_ts_future_${ext}
            COMMAND osslsigncode "verify"
@ -473,12 +518,12 @@ if(Python3_FOUND OR server_error)
            DEPENDS "sign_ts_cert_${ext}"
            REQUIRED_FILES "${FILES}/ts_cert.${ext}"
            REQUIRED_FILES "${LOGS}/port.log")
-    endforeach(ext ${extensions_nocat})
+    endforeach(ext ${extensions_all})

-    # Tests 96-98
+    # Tests 155-160
    # Verify with ignored timestamp
    # This tests are expected to fail
-    foreach(ext ${extensions_nocat})
+    foreach(ext ${extensions_all})
        add_test(
            NAME verify_ts_ignore_${ext}
            COMMAND osslsigncode "verify"
@ -494,16 +539,16 @@ if(Python3_FOUND OR server_error)
            REQUIRED_FILES "${FILES}/ts_cert.${ext}"
            REQUIRED_FILES "${LOGS}/port.log"
            WILL_FAIL TRUE)
-    endforeach(ext ${extensions_nocat})
+    endforeach(ext ${extensions_all})


 ### Verify CRL Distribution Points ###

-    # Tests 99-101
+    # Tests 161-166
    # Verify file signed with X509v3 CRL Distribution Points extension
    # Signature verification time: Sep  1 00:00:00 2019 GMT
    # Check X509v3 CRL Distribution Points extension, don't use "-CRLfile" and "-TSA-CRLfile" options
-    foreach(ext ${extensions_nocat})
+    foreach(ext ${extensions_all})
        add_test(
            NAME verify_ts_cert_crldp_${ext}
            COMMAND osslsigncode "verify"
@ -517,13 +562,13 @@ if(Python3_FOUND OR server_error)
            DEPENDS "sign_ts_cert_crldp_${ext}"
            REQUIRED_FILES "${FILES}/ts_cert_crldp.${ext}"
            REQUIRED_FILES "${LOGS}/port.log")
-    endforeach(ext ${extensions_nocat})
+    endforeach(ext ${extensions_all})

-    # Tests 102-107
+    # Tests 167-183
    # Verify with expired or revoked certificate without X509v3 CRL Distribution Points extension
    # This tests are expected to fail
    set(failed_certs "expired" "revoked")
-    foreach(ext ${extensions_nocat})
+    foreach(ext ${extensions_all})
        foreach(cert ${failed_certs})
            add_test(
                NAME verify_ts_${cert}_${ext}
@ -541,13 +586,13 @@ if(Python3_FOUND OR server_error)
                REQUIRED_FILES "${LOGS}/port.log"
                WILL_FAIL TRUE)
        endforeach(cert ${failed_certs})
-    endforeach(ext ${extensions_nocat})
+    endforeach(ext ${extensions_all})

-    # Tests 108-110
+    # Tests 178-184
    # Verify with revoked certificate contains X509v3 CRL Distribution Points extension
    # Check X509v3 CRL Distribution Points extension, don't use "-CRLfile" and "-TSA-CRLfile" options
    # This test is expected to fail
-    foreach(ext ${extensions_nocat})
+    foreach(ext ${extensions_all})
        add_test(
            NAME verify_ts_revoked_crldp_${ext}
            COMMAND osslsigncode "verify"
@ -562,12 +607,10 @@ if(Python3_FOUND OR server_error)
            REQUIRED_FILES "${FILES}/ts_revoked_crldp.${ext}"
            REQUIRED_FILES "${LOGS}/port.log"
            WILL_FAIL TRUE)
-    endforeach(ext ${extensions_nocat})
+    endforeach(ext ${extensions_all})


 ### Cleanup ###
-
-    # Test 111
 # Stop HTTP server
    if(STOP_SERVER)
        add_test(NAME stop_server
@ -584,17 +627,12 @@ else(Python3_FOUND OR server_error)
    message(STATUS "CTest skips some tests")
 endif(Python3_FOUND OR server_error)

-
-# Test 112
 # Delete test files
+set(names "legacy" "signed" "signed_crldp" "nested" "revoked" "removed" "added")
 foreach(ext ${extensions_all})
-    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/legacy.${ext}")
-    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed.${ext}")
-    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed_crldp.${ext}")
-    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/nested.${ext}")
-    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/revoked.${ext}")
-    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/removed.${ext}")
-    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/added.${ext}")
+    foreach(name ${names})
+        set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${name}.${ext}")
+    endforeach(name ${names})
    foreach(cert ${pem_certs})
        set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/ts_${cert}.${ext}")
    endforeach(cert ${pem_certs})