From 8cb0f0ec4cf14574765e7f733047f70a609be8d8 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 7 Feb 2025 16:15:18 -0500
Subject: [PATCH] Add lower level test to load certs via store

This allows to proprely test that certs load correctly even when no PIN is provided.

Signed-off-by: Simo Sorce
---
 tests/ccerts.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++
 tests/meson.build | 1 +
 tests/tcerts | 3 ++
 tests/tlssetkey.c | 2 +-
 tests/util.c | 4 +--
 tests/util.h | 2 +-
 6 files changed, 89 insertions(+), 4 deletions(-)
 create mode 100644 tests/ccerts.c

diff --git a/tests/ccerts.c b/tests/ccerts.c
new file mode 100644
index 00000000..4c898147
--- /dev/null
+++ b/tests/ccerts.c
@@ -0,0 +1,81 @@
+/* Copyright (C) 2025 Simo Sorce
+ SPDX-License-Identifier: Apache-2.0 */
+
+#include
+#include
+#include
+#include
+#include "util.h"
+
+struct ui_data {
+ bool nopin;
+};
+
+static int ui_read_string(UI *ui, UI_STRING *uis)
+{
+ struct ui_data *user_data;
+ const char *pinvalue;
+ enum UI_string_types type;
+
+ user_data = (struct ui_data *)UI_get0_user_data(ui);
+ if (user_data->nopin) {
+ fprintf(stderr, "Unexpected request for PIN value");
+ exit(EXIT_FAILURE);
+ }
+
+ pinvalue = getenv("PINVALUE");
+ if (!pinvalue) {
+ fprintf(stderr, "PINVALUE not defined\n");
+ exit(EXIT_FAILURE);
+ }
+
+ type = UI_get_string_type(uis);
+ switch (type) {
+ case UIT_PROMPT:
+ fprintf(stderr, "Prompt: \"%s\"\n", UI_get0_output_string(uis));
+ fprintf(stderr, "Returning: %s\n", pinvalue);
+ UI_set_result(ui, uis, pinvalue);
+ return 1;
+ default:
+ fprintf(stderr, "Unexpected UI type: %d\n", (int)type);
+ exit(EXIT_FAILURE);
+ }
+
+ return 0;
+}
+
+int main(int argc, char *argv[])
+{
+ struct ui_data user_data = { 0 };
+ UI_METHOD *ui_method = NULL;
+ X509 *cert = NULL;
+
+ if (argc < 2 || argc > 3) {
+ fprintf(stderr, "Usage: %s [certuri] \n", argv[0]);
+ exit(EXIT_FAILURE);
+ }
+
+ if (argc > 2) {
+ if (strcmp(argv[2], "nopin")) {
+ fprintf(stderr, "Invalid argument: '%s'\n", argv[2]);
+ fprintf(stderr, "Usage: %s [certuri] \n", argv[0]);
+ exit(EXIT_FAILURE);
+ } else {
+ user_data.nopin = true;
+ }
+ }
+
+ ui_method = UI_create_method("Load cert test");
+ if (!ui_method) {
+ fprintf(stderr, "Failed to set up UI_METHOD\n");
+ exit(EXIT_FAILURE);
+ }
+ (void)UI_method_set_reader(ui_method, ui_read_string);
+
+ cert = load_cert(argv[1], ui_method, &user_data);
+
+ fprintf(stderr, "Cert load successfully\n");
+
+ X509_free(cert);
+ exit(EXIT_SUCCESS);
+}
diff --git a/tests/meson.build b/tests/meson.build
index fd32a611..2f198495 100644
--- a/tests/meson.build
+++ b/tests/meson.build
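Review bot: The UIT_PROMPT branch of `ui_read_string` discards the return value of `UI_set_result`, so when the result cannot be stored (OpenSSL reports that with a negative return, e.g. when PINVALUE falls outside the prompt's length bounds) the reader still returns 1 and the test goes on without a PIN, failing later with a much less specific error; guard it with `if (UI_set_result(ui, uis, pinvalue) < 0) { fprintf(stderr, "UI_set_result failed\n"); exit(EXIT_FAILURE); }`. The same branch writes the PIN itself into the test log via `fprintf(stderr, "Returning: %s\n", pinvalue);` — it is a test PIN, but test logs end up in CI artefacts and bug reports, so printing only that a PINVALUE was supplied is the safer habit. Two smaller points in the same hunk: the `"Unexpected request for PIN value"` message has no trailing `\n`, and `ui_method` is never released with `UI_destroy_method()` before `main` exits, which will show up as a leak if the binary is ever run under a leak checker.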
@@ -116,6 +116,7 @@ test_programs = {
 'tfork': ['tfork.c', 'util.c'],
 'tpkey': ['tpkey.c', 'util.c'],
 'pincache': ['pincache.c'],
+ 'ccerts': ['ccerts.c', 'util.c'],
 }
 
 test_executables = []
diff --git a/tests/tcerts b/tests/tcerts
index 254b20ee..752faf39 100755
--- a/tests/tcerts
+++ b/tests/tcerts
@@ -49,5 +49,8 @@ sed "s/^pkcs11-module-token-pin.*$/##nopin/" "${OPENSSL_CONF}" > "${OPENSSL_CONF
 OPENSSL_CONF=${OPENSSL_CONF}.nopin ossl 'x509 -in $CRTURI -subject -out ${TMPPDIR}/crt-subj-nopin.txt'
+title PARA "Test fetching certificate via STORE api"
+$CHECKER "${TESTBLDDIR}/ccerts" "${CRTURI}" nopin
+
 OPENSSL_CONF=${ORIG_OPENSSL_CONF}
 exit 0
diff --git a/tests/tlssetkey.c b/tests/tlssetkey.c
index c224a261..3fef8a73 100644
--- a/tests/tlssetkey.c
+++ b/tests/tlssetkey.c
@@ -20,7 +20,7 @@ int main(int argc, char *argv[])
 fprintf(stderr, "Usage: tlssetkey [certuri] [pkeyuri]\n");
 exit(EXIT_FAILURE);
 }
- cert = load_cert(argv[1]);
+ cert = load_cert(argv[1], NULL, NULL);
 pkey = load_key(argv[2]);
 
 ctx = SSL_CTX_new(TLS_client_method());
diff --git a/tests/util.c b/tests/util.c
index 4d5b3a23..5234d049 100644
--- a/tests/util.c
+++ b/tests/util.c
@@ -97,7 +97,7 @@ EVP_PKEY *load_key(const char *uri)
 return key;
 }
 
-X509 *load_cert(const char *uri)
+X509 *load_cert(const char *uri, const UI_METHOD *ui_method, void *ui_data)
 {
 OSSL_STORE_CTX *store;
 OSSL_STORE_INFO *info;
@@ -109,7 +109,7 @@ X509 *load_cert(const char *uri)
 exit(EXIT_FAILURE);
 }
 
- store = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL);
+ store = OSSL_STORE_open(uri, ui_method, ui_data, NULL, NULL);
 if (store == NULL) {
 fprintf(stderr, "Failed to open store: %s\n", uri);
 ossl_err_print();
diff --git a/tests/util.h b/tests/util.h
index a57a18eb..26841b57 100644
--- a/tests/util.h
+++ b/tests/util.h
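Review bot: The new `$CHECKER "${TESTBLDDIR}/ccerts" "${CRTURI}" nopin` line runs under whatever OPENSSL_CONF is exported at that point in the script, while the `ossl` call just above it had to prefix `OPENSSL_CONF=${OPENSSL_CONF}.nopin` explicitly to pick up the copy of the config with `pkcs11-module-token-pin` stripped. If the ambient config still carries the token PIN, the provider has a PIN available, no prompt is ever issued, and the `nopin` check passes trivially without exercising the no-PIN path the commit message says it is testing; the invocation should use the same prefix, `OPENSSL_CONF=${OPENSSL_CONF}.nopin $CHECKER "${TESTBLDDIR}/ccerts" "${CRTURI}" nopin`. Where OPENSSL_CONF is set earlier in tcerts lies outside the hunk, so this is inferred from the neighbouring lines and worth confirming before merging.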
@@ -18,6 +18,6 @@ void ossl_err_print(void);
 EVP_PKEY *load_key(const char *uri);
-X509 *load_cert(const char *uri);
+X509 *load_cert(const char *uri, const UI_METHOD *ui_method, void *ui_data);
 void hexify(char *out, unsigned char *byte, size_t len);
 EVP_PKEY *util_gen_key(const char *label);
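Review bot: The new `load_cert` prototype says nothing about what `ui_method` and `ui_data` are for or whether both may be NULL, which is exactly how tlssetkey.c now calls it, so a reader of util.h cannot tell whether NULL disables passphrase prompting or is a usage error. A one-line comment above the declaration would settle it, e.g. `/* ui_method/ui_data are passed straight to OSSL_STORE_open(); use NULL, NULL when no PIN callback is wanted. */`, and if load_cert really does exit the process on any failure (the util.c hunk shows `exit(EXIT_FAILURE)` inside it, but its body is not fully visible in this patch) the comment should say so, since callers then need no NULL check on the result. Note also that `load_key` keeps its single-argument form, so a key-loading test cannot reuse the same PIN-prompt harness; if that asymmetry is deliberate it is worth a word here.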