while((cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr)) != nullptr)
RUNNER_ASSERT_MSG(sk_X509_push(chainPtr.get(), cert) > 0, "Nothing was pushed to stack");
- RUNNER_ASSERT_MSG(sk_X509_num(chainPtr.get()) >= 1, "No certificates in the chain");
-
- // TODO this requires 2-element OCF cert chain
- if (sk_X509_num(chainPtr.get()) < 2)
- RUNNER_ERROR_MSG("Insufficient number of certificates in the chain");
+ // make sure the chain is long enough
+ RUNNER_ASSERT_MSG(sk_X509_num(chainPtr.get()) >= 2,
+ "Insufficient number of certificates in the chain");
return chainPtr;
}
// verify received cert with local certchain
auto chainPtr = getOcfChain();
- // pop the first certificate
- sk_X509_shift(chainPtr.get());
+ // pop and free the first certificate (OCF)
+ X509_free(sk_X509_shift(chainPtr.get()));
+
+ // pop the last certificate (OCF root)
+ auto ocfRoot = sk_X509_pop(chainPtr.get());
+ RUNNER_ASSERT_MSG(ocfRoot != nullptr, "OCF root cert is NULL");
+ FreeX509 freeOcfRoot(ocfRoot);
X509_STORE* store = X509_STORE_new();
FreeX509StoreCtx storeCtx(X509_STORE_CTX_new());
+
+ // add OCF root as a trusted cert
+ ret = X509_STORE_add_cert(store, ocfRoot);
+ RUNNER_ASSERT_MSG(ret == 1, "Failed to add certificate to the store");
+
// store becomes a member of storeCtx
ret = X509_STORE_CTX_init(*storeCtx, store, ocfCertX509, chainPtr.get());
RUNNER_ASSERT_MSG(ret == 1, "X509_STORE_CTX_init failed");
ret = X509_verify_cert(*storeCtx);
- // TODO this requires 2-element OCF cert chain
- if (ret != 1)
- RUNNER_ERROR_MSG("OCF certificate verification failed");
+ RUNNER_ASSERT_MSG(ret == 1, "OCF certificate verification failed");
// derive shared key
e2ee_positive(ckmew_key_agreement,