This is like #16027, but for 3.0

The CI failure is only CMP related - perhaps @DDvO can look at it? I suppose the test makes some incorrect expectations?

I suppose the test makes some incorrect expectations?

I have no idea... test/cmp_ctx_test.c is too macroised for me to follow, not to mention debug.

(irrelevant comment removed)

So it appears that this particular test tries to set an incomplete certificate (signature algorithm is unset):

The result is that OSSL_CMP_CTX_set1_srvCert() tries to call ossl_x509v3_cache_extensions(), which fails because the certificate fingerprint couldn't be calculated (the calculation is done on the DER encoding of the certificate, but since it's incomplete, the DER encoding will fail with ASN1_R_ILLEGAL_ZERO_CONTENTS).

I suppose that for that test, the following lines:

... translate to:

    X509 *val1_to_free = X509_new();
    X509 *val1 = val1_to_free;

and with set_fn == OSSL_CMP_CTX_set1_srvCert, it's clear why the following test fails:

I suppose replacing all the X509_new() calls in the test with calls to X509_dup() of a real certificate should fix it?

I suppose replacing all the X509_new() calls in the test with calls to X509_dup() of a real certificate should fix it?

The underlying issue is that X509_new() produces an invalid X.509 structure, not having the mandatory fields.
Indeed, copying a real cert would be a workaround.

(irrelevant comment removed)

The stack trace you originally provided here was of interest.

#9  0x0000555555667485 in X509_digest (cert=0x5555559b99b0, 
    md=0x55555596a4e0 <sha1_md>, data=0x5555559b9ae8 "", len=0x0)
    at ../master/crypto/x509/x_all.c:432
#10 0x000055555564f210 in ossl_x509v3_cache_extensions (x=0x5555559b99b0)
    at ../master/crypto/x509/v3_purp.c:421
#11 0x00005555555eb9b8 in OSSL_CMP_CTX_set1_srvCert (ctx=0x55555599b860, 
    val=0x5555559b99b0) at ../master/crypto/cmp/cmp_ctx.c:649
#12 0x00005555555bc370 in execute_CTX_set1_get0_srvCert (
    fixture=0x5555559e4430) at ../master/test/cmp_ctx_test.c:736
#13 0x00005555555bc59a in test_CTX_set1_get0_srvCert ()
    at ../master/test/cmp_ctx_test.c:736

It shows why part of the certificate get/set test failed, namely only those calling OSSL_CMP_CTX_set1_*():
They call ossl_x509v3_cache_extensions() for checking the validity of the cert, which among others has the side effect of hashing the cert contents, which now fails for a incomplete ASN.1 structures, as you wrote above.

@t8m, many thanks for fixing the test

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

Merged

2296cc3 TEST: Check that i2d refuses to encode non-optional items with no content
4cd4735 ASN.1: Refuse to encode to DER if non-optional items are missing
f0f4de4 Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN
50d0a51 Fix test/asn1_encode_test.c to handle encoding/decoding failure
6bfd3e5 test_cmp_ctx: Avoid using empty X509 with i2d

I suppose replacing all the X509_new() calls in the test with calls to X509_dup() of a real certificate should fix it?

The underlying issue is that X509_new() produces an invalid X.509 structure, not having the mandatory fields.
Indeed, copying a real cert would be a workaround.

As I wrote above, the quick solution taken here is just a workaround.
For the root cause and my proposal to solve it, see #16043.