| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2026-03-03 00:19:05 +0100 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2026-03-14 11:23:18 +0100 |
| commit | 4ec416e77395df1cccee39a57a826ff751cbecd7 (patch) | |
| tree | 19b9be3bcd9b6ae59979e7b278fe13db0dd7290a | |
| parent | 46a93d01e73374223ba9bca67215dc959a3a0fab (diff) | |
lib: Add tests for missing root CA
This adds authentication tests to verify flows are rejected with a
missing root CA certificate in the store. Also adds one for the OAP
protocol.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
| -rw-r--r-- | src/irmd/oap/tests/oap_test.c | 70 | ||||
| -rw-r--r-- | src/lib/tests/auth_test.c | 55 |
2 files changed, 125 insertions, 0 deletions
diff --git a/src/irmd/oap/tests/oap_test.c b/src/irmd/oap/tests/oap_test.c
index 2f0f0b4d..dffffe82 100644
--- a/src/irmd/oap/tests/oap_test.c
+++ b/src/irmd/oap/tests/oap_test.c
@@ -1071,6 +1071,74 @@ static int test_oap_replay_packet(void)
 return TEST_RC_FAIL;
 }
+/* Server rejects client certificate when root CA is missing from store */
+static int test_oap_missing_root_ca(void)
+{
+ struct oap_test_ctx ctx;
+ void * im_ca = NULL;
+
+ test_default_cfg();
+
+ TEST_START();
+
+ memset(&ctx, 0, sizeof(ctx));
+
+ strcpy(ctx.srv.info.name, "test-1.unittest.o7s");
+ strcpy(ctx.cli.info.name, "test-1.unittest.o7s");
+
+ if (oap_auth_init() < 0) {
+ printf("Failed to init OAP.\n");
+ goto fail;
+ }
+
+ /* Load intermediate CA but intentionally omit the root CA */
+ if (crypt_load_crt_str(im_ca_crt_ec, &im_ca) < 0) {
+ printf("Failed to load intermediate CA cert.\n");
+ goto fail_fini;
+ }
+
+ ctx.im_ca = im_ca;
+
+ if (oap_auth_add_ca_crt(im_ca) < 0) {
+ printf("Failed to add intermediate CA cert to store.\n");
+ goto fail_fini;
+ }
+
+ if (oap_cli_prepare_ctx(&ctx) < 0) {
+ printf("Client prepare failed.\n");
+ goto fail_fini;
+ }
+
+ /* Server processes and signs response - succeeds without root CA */
+ if (oap_srv_process_ctx(&ctx) < 0) {
+ printf("Server process failed.\n");
+ goto fail_teardown;
+ }
+
+ /* Client verifies server certificate against trust store:
+ * should reject because root CA is not in the store */
+ if (oap_cli_complete_ctx(&ctx) == 0) {
+ printf("Client should reject without root CA.\n");
+ goto fail_teardown;
+ }
+
+ oap_test_teardown(&ctx);
+
+ TEST_SUCCESS();
+ return TEST_RC_SUCCESS;
+
+ fail_teardown:
+ oap_test_teardown(&ctx);
+ TEST_FAIL();
+ return TEST_RC_FAIL;
+ fail_fini:
+ crypt_free_crt(im_ca);
+ oap_auth_fini();
+ fail:
+ TEST_FAIL();
+ return TEST_RC_FAIL;
+}
+
 /* Test that client rejects server with wrong certificate name */
 static int test_oap_server_name_mismatch(void)
 {
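Review bot: The closing assertion `if (oap_cli_complete_ctx(&ctx) == 0)` accepts any non-zero return as success, so this test would still pass if the client failed for a reason unrelated to the trust store while chain validation itself had regressed; the same applies to `auth_verify_crt(auth, _signed_server_crt) == 0` in the src/lib/tests/auth_test.c hunk. If these functions return a distinct authentication error, compare against that value rather than against zero. The header comment also contradicts the body, where the server step is expected to succeed and the client does the rejecting; `/* Client rejects server certificate when root CA is missing from store */` would match. On the `goto fail_fini` taken when crypt_load_crt_str fails, crypt_free_crt receives im_ca while it is presumably still NULL, which is safe only if that function tolerates NULL (not visible in this hunk).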
@@ -1149,6 +1217,7 @@ int oap_test(int argc,
 ret |= test_oap_outdated_packet();
 ret |= test_oap_future_packet();
 ret |= test_oap_replay_packet();
+ ret |= test_oap_missing_root_ca();
 ret |= test_oap_server_name_mismatch();
 #else
 (void) test_oap_roundtrip_auth_only;
@@ -1173,6 +1242,7 @@ int oap_test(int argc,
 (void) test_oap_outdated_packet;
 (void) test_oap_future_packet;
 (void) test_oap_replay_packet;
+ (void) test_oap_missing_root_ca;
 (void) test_oap_server_name_mismatch;
 ret = TEST_RC_SKIP;
diff --git a/src/lib/tests/auth_test.c b/src/lib/tests/auth_test.c
index 1a5a87af..0f3ef715 100644
--- a/src/lib/tests/auth_test.c
+++ b/src/lib/tests/auth_test.c
@@ -347,6 +347,59 @@ static int test_verify_crt(void)
 return TEST_RC_FAIL;
 }
+static int test_verify_crt_missing_root_ca(void)
+{
+ struct auth_ctx * auth;
+ void * _signed_server_crt;
+ void * _im_ca_crt;
+
+ TEST_START();
+
+ auth = auth_create_ctx();
+ if (auth == NULL) {
+ printf("Failed to create auth context.\n");
+ goto fail_create_ctx;
+ }
+
+ if (crypt_load_crt_str(signed_server_crt_ec, &_signed_server_crt) < 0) {
+ printf("Failed to load signed crt from string.\n");
+ goto fail_load_signed;
+ }
+
+ if (crypt_load_crt_str(im_ca_crt_ec, &_im_ca_crt) < 0) {
+ printf("Failed to load intermediate crt from string.\n");
+ goto fail_load_im_ca;
+ }
+
+ /* Add only the intermediate CA - root CA is missing */
+ if (auth_add_crt_to_store(auth, _im_ca_crt) < 0) {
+ printf("Failed to add intermediate ca crt to auth store.\n");
+ goto fail_add;
+ }
+
+ if (auth_verify_crt(auth, _signed_server_crt) == 0) {
+ printf("Verification should fail without root CA.\n");
+ goto fail_add;
+ }
+
+ crypt_free_crt(_im_ca_crt);
+ crypt_free_crt(_signed_server_crt);
+ auth_destroy_ctx(auth);
+
+ TEST_SUCCESS();
+
+ return TEST_RC_SUCCESS;
+ fail_add:
+ crypt_free_crt(_im_ca_crt);
+ fail_load_im_ca:
+ crypt_free_crt(_signed_server_crt);
+ fail_load_signed:
+ auth_destroy_ctx(auth);
+ fail_create_ctx:
+ TEST_FAIL();
+ return TEST_RC_FAIL;
+}
+
 int test_auth_sign(void)
 {
 uint8_t buf[TEST_MSG_SIZE];
@@ -526,6 +579,7 @@ int auth_test(int argc,
 ret |= test_crypt_check_pubkey_crt();
 ret |= test_store_add();
 ret |= test_verify_crt();
+ ret |= test_verify_crt_missing_root_ca();
 ret |= test_auth_sign();
 ret |= test_auth_bad_signature();
 ret |= test_crt_str();
@@ -538,6 +592,7 @@ int auth_test(int argc,
 (void) test_crypt_check_pubkey_crt;
 (void) test_store_add;
 (void) test_verify_crt;
+ (void) test_verify_crt_missing_root_ca;
 (void) test_auth_sign;
 (void) test_auth_bad_signature;
 (void) test_crt_str; |
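Review bot: test_verify_crt_missing_root_ca carries no comment stating the property it pins, unlike the OAP counterpart added in the same commit. A line above the function such as `/* An intermediate CA in the store is not a trust anchor: verification must fail without the root CA */` would record that intent, so that a later change letting the store accept partial chains is recognised as a change in trust policy rather than a test to be adjusted.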
