From c8a04447aacf77470e9fc576f769bd58b7ce4408 Mon Sep 17 00:00:00 2001
From: Jou Ho <43765840+jouho@users.noreply.github.com>
Date: Mon, 17 Jun 2024 11:51:59 -0700
Subject: [PATCH] Fix: update default cert chain for unit tests (#4582)

---
 tests/pems/ocsp/OCSP-TEST.md                  |  17 ++++++++++++++
 tests/pems/ocsp/ocsp_response_revoked.der     | Bin 2249 -> 2249 bytes
 tests/testlib/s2n_testlib.h                   |  10 +++++----
 .../unit/s2n_cert_validation_callback_test.c  |   6 ++---
 tests/unit/s2n_config_test.c                  |   2 +-
 tests/unit/s2n_crl_test.c                     |   4 ++--
 tests/unit/s2n_mem_usage_test.c               |   2 +-
 tests/unit/s2n_x509_validator_test.c          |  21 +++++-------------
 ...2n_x509_validator_time_verification_test.c |   4 ++--
 9 files changed, 37 insertions(+), 29 deletions(-)

diff --git a/tests/pems/ocsp/OCSP-TEST.md b/tests/pems/ocsp/OCSP-TEST.md
index f26a300152d..0dddd53c6a5 100644
--- a/tests/pems/ocsp/OCSP-TEST.md
+++ b/tests/pems/ocsp/OCSP-TEST.md
@@ -79,6 +79,23 @@ openssl ocsp -CAfile ca_cert.pem \
       -cert server_cert.pem -respout ocsp_response_no_next_update.der
 ```
 
+### Generating ocsp_response_revoked.der
+```
+# Run responder
+openssl ocsp -port 8889 -text -CA ca_cert.pem \
+      -index certs_revoked.txt \
+      -rkey ocsp_key.pem \
+      -rsigner ocsp_cert.pem \
+      -nrequest 1 -ndays $(( 365 * 100 ))
+
+# Run requester
+openssl ocsp -CAfile ca_cert.pem \
+      -url http://127.0.0.1:8889 \
+      -issuer ca_cert.pem \
+      -cert server_cert.pem \
+      -respout ocsp_response_revoked.der
+```
+
 ### Index Files
 The index files in the previous commands are in the CA Database format, and are the source of truth for certificates being verified or rejected.
 
diff --git a/tests/pems/ocsp/ocsp_response_revoked.der b/tests/pems/ocsp/ocsp_response_revoked.der
index 6a9adcd2420d702701504185f0a26b1bb51597f1..d721d02ccc7fe4a3ae42438b751e3db4e5e59f2c 100644
GIT binary patch
delta 631
zcmV--0*L*|5y=sdiVHL_HZd|XGc`3ZFp-s7e>5;QF)}hUH8n6WTA&da4>B<_G%z(W
zIWjXfH83z*p(8LMFdqg9D+U1t1qUzz0t6BS5Px8fLMQUYn=-AEx}WIvs4xu%2`Yw2
zhW8Bt0Sg5H1A+np0E`R8+yH76`0$1K&?)wezsh;zPP%{oYtF3Fu4s*(8Vz3Rj@SDU
zf39`(|I#d%nMU<a2%ltwrfWh_shF{dmI1gvshrEB^X)K-v#voIF%Dyddv6(NjDLF4
zPfmjG)*QPSP5`=252N)<{l&1d_V;98{PeBChMH3KTKeHnO>`PCu|PZ#LoLFX$X{5@
zZrFSRP<^Y~jbN?*eH`cEz*&JkR<%g0f0O9nbY63HwoG$UuYQ{RZ|Mpur5YI2)YNez
zaP-oKa6N9U7!-`Yn1OjCcf>=UD}>(LTp9O4R<551sjiAt(Ji9u37jr<PpJ{#`+#}?
zp>*W3W4g2a4TIwfrz!26j`6pqjvEHrP^b7)JK<e48%nWE;Ry(YpxNYg4g>yFe~T3E
z4eIGo6CWvuOT%3TO@g_Me`75JWWbo#?9K(Sv%Z2hhk;C!KquE7?2MEouDBe{-wC(|
zjb|X|BSfVE3|3i*5p7xzW0gkMuZrh-nct3Y_?1~_9{h|QfC8~neV%mOPK-zqyB}w7
z<Vg8*T=164cq}BkQXw?+o$zNNT;$u|!cauBH^{0@i^F02wiIm8_S%OJfb?V><q%5<
zzBvLAeB4?4a3aLLSfEhRdGO(0)V7WUh(ukn=255i=!pMG%b{}0u+SsYP4ZUzJdyxO
RB8u(Aae(a82eU^5f(0?GC!GKQ

delta 631
zcmV--0*L*|5y=sdiVH9>HZn3YF)}hTHIbECe=smMGBPqTGBPqXTA&da4>B+~FfcYS
zH!?9YGBPz<p(8LMFdqg9D+U1t1qUzz0t6BS5Z>wN2ER$<M1v{91a^sFnlKFp2`Yw2
zhW8Bt0R;sB1A+np0H2wd8{W@*HK|QY1Tz1Y>4PZ`qad&b`Bq`BWGto$lm%03stto-
ze`T&y*((T!1D-(~8)t0o7!MT+bR?NF=BR0uj{=FRPaZrS@F4{|xq^T-??Qhmf5%_A
zBH~2W<_wwhh%x^vxJzxS(sHDpo&M$hmABrzdCAb*Tsrurx+&O?^4wMK)i0|;hr}Lz
z3fLjs@8BnjrFud)d2~5*kwhTD?B3Eof6TSV7?}Gk%c=pn*3gPfi_Mu$;ywziXw3c!
zHkVO!HS`!nvBg2dsbeqFM6HUsK6U+GSzLEMJRR(4d5;Ip0o2^Y&+d?F9-y;2o}m$7
zruIAWQxk}GsKK&7x;eYjil6%Lscr<V=i5;BUvuIGj@fj5)pNz<)%tbnW(q48e|d~B
zgoSRcPA=hZFM0=l`}yV&-)%YVF_#FtgR*kMmn>R9fUPVuZN3ex@V);loVo1oQ5jK@
zq%FL3yJ23FR*pa$ONFlzfPZ=-S(7ac&ZU?UMpI5Lc|A>^L85`a{3QTTpECLACkl~;
z*GSmd*L%DGI}(4iHqo3{Ir@c?T!j|@SP<m58lky8lvyjdASOKhrjB5sp1HGk8-2XQ
zaq})e>*zesJsIt`4>m@wIhjlU{1iG^^@49tWS(Lm6J$<U^OEuHk0||j1d24f=2?~N
RpRxW2WDy0v=(9%yf(7!r9$f$c

diff --git a/tests/testlib/s2n_testlib.h b/tests/testlib/s2n_testlib.h
index 78754fed2c1..e05da3eefc5 100644
--- a/tests/testlib/s2n_testlib.h
+++ b/tests/testlib/s2n_testlib.h
@@ -100,8 +100,10 @@ S2N_RESULT s2n_connection_set_test_master_secret(struct s2n_connection *conn, co
 /* These paths assume that the unit tests are run from inside the unit/ directory.
  * Absolute paths will be needed if test directories go to deeper levels.
  */
-#define S2N_RSA_2048_PKCS8_CERT_CHAIN "../pems/rsa_2048_pkcs8_cert.pem"
-#define S2N_RSA_2048_PKCS1_CERT_CHAIN "../pems/rsa_2048_pkcs1_cert.pem"
+#define S2N_RSA_2048_PKCS8_CERT_CHAIN        "../pems/rsa_2048_pkcs8_cert.pem"
+#define S2N_RSA_2048_PKCS1_CERT_CHAIN        "../pems/rsa_2048_pkcs1_cert.pem"
+#define S2N_RSA_2048_PKCS1_SHA256_CERT_CHAIN "../pems/permutations/rsae_pkcs_2048_sha256/server-chain.pem"
+#define S2N_RSA_2048_PKCS1_SHA256_CERT_KEY   "../pems/permutations/rsae_pkcs_2048_sha256/server-key.pem"
 
 #define S2N_RSA_2048_PKCS1_LEAF_CERT    "../pems/rsa_2048_pkcs1_leaf.pem"
 #define S2N_ECDSA_P256_PKCS1_CERT_CHAIN "../pems/ecdsa_p256_pkcs1_cert.pem"
@@ -194,8 +196,8 @@ S2N_RESULT s2n_connection_set_test_master_secret(struct s2n_connection *conn, co
 
 #define S2N_TEST_TRUST_STORE "../pems/trust-store/ca-bundle.crt"
 
-#define S2N_DEFAULT_TEST_CERT_CHAIN  S2N_RSA_2048_PKCS1_CERT_CHAIN
-#define S2N_DEFAULT_TEST_PRIVATE_KEY S2N_RSA_2048_PKCS1_KEY
+#define S2N_DEFAULT_TEST_CERT_CHAIN  S2N_RSA_2048_PKCS1_SHA256_CERT_CHAIN
+#define S2N_DEFAULT_TEST_PRIVATE_KEY S2N_RSA_2048_PKCS1_SHA256_CERT_KEY
 
 #define S2N_DEFAULT_ECDSA_TEST_CERT_CHAIN  S2N_ECDSA_P384_PKCS1_CERT_CHAIN
 #define S2N_DEFAULT_ECDSA_TEST_PRIVATE_KEY S2N_ECDSA_P384_PKCS1_KEY
diff --git a/tests/unit/s2n_cert_validation_callback_test.c b/tests/unit/s2n_cert_validation_callback_test.c
index bd85a6c92d0..01615f53500 100644
--- a/tests/unit/s2n_cert_validation_callback_test.c
+++ b/tests/unit/s2n_cert_validation_callback_test.c
@@ -222,7 +222,7 @@ int main(int argc, char *argv[])
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
             EXPECT_NOT_NULL(conn);
             EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
-            EXPECT_SUCCESS(s2n_set_server_name(conn, "s2nTestServer"));
+            EXPECT_SUCCESS(s2n_set_server_name(conn, "localhost"));
 
             DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
             EXPECT_OK(s2n_test_cert_chain_data_from_pem(conn, S2N_DEFAULT_TEST_CERT_CHAIN, &cert_chain_stuffer));
@@ -313,7 +313,7 @@ int main(int argc, char *argv[])
             EXPECT_NOT_NULL(client_conn);
             EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));
             EXPECT_SUCCESS(s2n_connection_set_blinding(client_conn, S2N_SELF_SERVICE_BLINDING));
-            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "s2nTestServer"));
+            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
 
             DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
             EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
@@ -359,7 +359,7 @@ int main(int argc, char *argv[])
             DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
             EXPECT_NOT_NULL(client_conn);
             EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
-            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "s2nTestServer"));
+            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
 
             DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
             EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
diff --git a/tests/unit/s2n_config_test.c b/tests/unit/s2n_config_test.c
index bbe783fca40..aa4687f8138 100644
--- a/tests/unit/s2n_config_test.c
+++ b/tests/unit/s2n_config_test.c
@@ -925,7 +925,7 @@ int main(int argc, char **argv)
                         s2n_connection_ptr_free);
                 EXPECT_NOT_NULL(client_conn);
                 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
-                EXPECT_SUCCESS(s2n_set_server_name(client_conn, "s2nTestServer"));
+                EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
 
                 struct s2n_test_io_pair io_pair = { 0 };
                 EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
diff --git a/tests/unit/s2n_crl_test.c b/tests/unit/s2n_crl_test.c
index 54cc3ce1c09..4017e0a7fc4 100644
--- a/tests/unit/s2n_crl_test.c
+++ b/tests/unit/s2n_crl_test.c
@@ -771,7 +771,7 @@ int main(int argc, char *argv[])
         DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
         EXPECT_NOT_NULL(client_conn);
         EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
-        EXPECT_SUCCESS(s2n_set_server_name(client_conn, "S2nTestServer"));
+        EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
         EXPECT_SUCCESS(s2n_connection_set_blinding(client_conn, S2N_SELF_SERVICE_BLINDING));
 
         DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
@@ -822,7 +822,7 @@ int main(int argc, char *argv[])
         DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
         EXPECT_NOT_NULL(client_conn);
         EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
-        EXPECT_SUCCESS(s2n_set_server_name(client_conn, "S2nTestServer"));
+        EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
         EXPECT_SUCCESS(s2n_connection_set_blinding(client_conn, S2N_SELF_SERVICE_BLINDING));
 
         DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
diff --git a/tests/unit/s2n_mem_usage_test.c b/tests/unit/s2n_mem_usage_test.c
index 062bf3de73c..b404c924465 100644
--- a/tests/unit/s2n_mem_usage_test.c
+++ b/tests/unit/s2n_mem_usage_test.c
@@ -56,7 +56,7 @@
 #elif defined(__OpenBSD__)
     #define MEM_PER_CONNECTION 61
 #else
-    #define MEM_PER_CONNECTION 49
+    #define MEM_PER_CONNECTION 50
 #endif
 
 /* This is the maximum memory per connection including 4KB of slack */
diff --git a/tests/unit/s2n_x509_validator_test.c b/tests/unit/s2n_x509_validator_test.c
index 41a4a4ef5f9..9439abd99f5 100644
--- a/tests/unit/s2n_x509_validator_test.c
+++ b/tests/unit/s2n_x509_validator_test.c
@@ -26,8 +26,8 @@ static int mock_time(void *data, uint64_t *timestamp)
 
 static int fetch_expired_after_ocsp_timestamp(void *data, uint64_t *timestamp)
 {
-    /* 2200-11-27 */
-    *timestamp = 7283958536000000000;
+    /* 2250-01-01 */
+    *timestamp = 8835984000000000000;
     return 0;
 }
 
@@ -212,7 +212,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         struct s2n_pkey public_key_out;
@@ -238,7 +237,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         EXPECT_SUCCESS(s2n_x509_validator_set_max_chain_depth(&validator, 2));
@@ -287,7 +285,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         struct s2n_pkey public_key_out;
@@ -325,7 +322,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         struct s2n_pkey public_key_out;
@@ -406,7 +402,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         struct s2n_pkey public_key_out;
@@ -444,7 +439,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         EXPECT_SUCCESS(s2n_x509_validator_set_max_chain_depth(&validator, 2));
@@ -489,7 +483,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         s2n_clock_time_nanoseconds old_clock = connection->config->wall_clock;
@@ -546,7 +539,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         s2n_clock_time_nanoseconds old_clock = connection->config->wall_clock;
@@ -585,11 +577,12 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         /* alter a random byte in the certificate to make it invalid */
-        chain_data[500] = (uint8_t) (chain_data[500] << 2);
+        size_t corrupt_index = 200;
+        EXPECT_TRUE(chain_len > corrupt_index);
+        chain_data[corrupt_index] = (uint8_t) (chain_data[corrupt_index] << 2);
         struct s2n_pkey public_key_out;
         EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
         s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
@@ -629,7 +622,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         struct s2n_pkey public_key_out;
@@ -677,7 +669,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         struct s2n_pkey public_key_out;
@@ -717,7 +708,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         struct s2n_pkey public_key_out;
@@ -765,7 +755,6 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         struct s2n_pkey public_key_out;
diff --git a/tests/unit/s2n_x509_validator_time_verification_test.c b/tests/unit/s2n_x509_validator_time_verification_test.c
index 3abefac35a2..e5bf7317447 100644
--- a/tests/unit/s2n_x509_validator_time_verification_test.c
+++ b/tests/unit/s2n_x509_validator_time_verification_test.c
@@ -214,7 +214,7 @@ int main(int argc, char *argv[])
             DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
             EXPECT_NOT_NULL(client_conn);
             EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
-            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "s2nTestServer"));
+            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
 
             DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
             EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
@@ -256,7 +256,7 @@ int main(int argc, char *argv[])
         DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
         EXPECT_NOT_NULL(conn);
         EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
-        EXPECT_SUCCESS(s2n_set_server_name(conn, "s2nTestServer"));
+        EXPECT_SUCCESS(s2n_set_server_name(conn, "localhost"));
 
         DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
         EXPECT_OK(s2n_test_cert_chain_data_from_pem(conn, S2N_DEFAULT_TEST_CERT_CHAIN, &cert_chain_stuffer));