From b0f614a979a248edf129da0b3f1b774c65dfce21 Mon Sep 17 00:00:00 2001
From: Dariusz Michaluk
Date: Mon, 17 Apr 2023 15:00:10 +0200
Subject: [PATCH] Enable 2-element OCF certificate chain tests

Change-Id: Iaeba40710a501b5990c69d503960a201d8c4245b
---
 src/e2ee-adaptation-layer/tests.cpp | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/src/e2ee-adaptation-layer/tests.cpp b/src/e2ee-adaptation-layer/tests.cpp
index 2cd6a70..d53cf3d 100644
--- a/src/e2ee-adaptation-layer/tests.cpp
+++ b/src/e2ee-adaptation-layer/tests.cpp
@@ -215,11 +215,9 @@ X509StackPtr getOcfChain()
 while((cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr)) != nullptr)
 RUNNER_ASSERT_MSG(sk_X509_push(chainPtr.get(), cert) > 0, "Nothing was pushed to stack");
 
- RUNNER_ASSERT_MSG(sk_X509_num(chainPtr.get()) >= 1, "No certificates in the chain");
-
- // TODO this requires 2-element OCF cert chain
- if (sk_X509_num(chainPtr.get()) < 2)
- RUNNER_ERROR_MSG("Insufficient number of certificates in the chain");
+ // make sure the chain is long enough
+ RUNNER_ASSERT_MSG(sk_X509_num(chainPtr.get()) >= 2,
+ "Insufficient number of certificates in the chain");
 
 return chainPtr;
 }
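Review bot: The new `// make sure the chain is long enough` comment leaves the constant 2 unexplained; the caller in the second hunk shifts the first certificate off and pops the last one as the trust anchor, so a comment such as `// callers need at least a leaf and a root: the first cert is shifted off, the last is popped as the trusted OCF root` would record why two is the minimum. The while loop in the context lines treats a NULL return from PEM_read_bio_X509 as end of input, and as far as I know it returns NULL on a parse error as well, so a fixture with a malformed trailing certificate still passes this count check once two certificates have been parsed — worth a one-line comment if that is acceptable for the test. getOcfChain starts outside the hunk.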
@@ -357,18 +355,26 @@ public: // verify received cert with local certchain auto chainPtr = getOcfChain(); - // pop the first certificate - sk_X509_shift(chainPtr.get()); + // pop and free the first certificate (OCF) + X509_free(sk_X509_shift(chainPtr.get())); + + // pop the last certificate (OCF root) + auto ocfRoot = sk_X509_pop(chainPtr.get()); + RUNNER_ASSERT_MSG(ocfRoot != nullptr, "OCF root cert is NULL"); + FreeX509 freeOcfRoot(ocfRoot); X509_STORE* store = X509_STORE_new(); FreeX509StoreCtx storeCtx(X509_STORE_CTX_new()); + + // add OCF root as a trusted cert + ret = X509_STORE_add_cert(store, ocfRoot); + RUNNER_ASSERT_MSG(ret == 1, "Failed to add certificate to the store"); + // store becomes a member of storeCtx ret = X509_STORE_CTX_init(*storeCtx, store, ocfCertX509, chainPtr.get()); RUNNER_ASSERT_MSG(ret == 1, "X509_STORE_CTX_init failed"); ret = X509_verify_cert(*storeCtx); - // TODO this requires 2-element OCF cert chain - if (ret != 1) - RUNNER_ERROR_MSG("OCF certificate verification failed"); + RUNNER_ASSERT_MSG(ret == 1, "OCF certificate verification failed"); // derive shared key e2ee_positive(ckmew_key_agreement, -- 2.7.4
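Review bot: `X509_STORE_new()` on the context line just above the new `X509_STORE_add_cert(store, ocfRoot)` call is still unchecked, and that new call is the first place a NULL `store` would likely be dereferenced — X509_STORE_CTX_init tolerates a NULL store, X509_STORE_add_cert does not; add `RUNNER_ASSERT_MSG(store != nullptr, "X509_STORE_new failed");` before the add. The retained comment `// store becomes a member of storeCtx` also overstates the ownership: as far as I know X509_STORE_CTX_init only references the store and X509_STORE_CTX_free does not release it, so unless the rest of this function (which starts and ends outside the hunk) calls X509_STORE_free, the store and the reference to ocfRoot that add_cert takes both leak. Holding it as `std::unique_ptr<X509_STORE, decltype(&X509_STORE_free)> store{X509_STORE_new(), &X509_STORE_free};` next to the existing FreeX509StoreCtx, and passing `store.get()` to the two calls, would close both points. `ret` is declared outside the hunk.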