]>
Commit | Line | Data |
---|---|---|
596d6b7e | 1 | #! /usr/bin/env perl |
da1c088f | 2 | # Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. |
596d6b7e | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
596d6b7e RS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
4650de3e RL |
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
e2ec7332 | 13 | use OpenSSL::Test::Utils; |
42e0ccdf | 14 | use OpenSSL::Test qw/:DEFAULT srctop_file/; |
4650de3e RL |
15 | |
16 | setup("test_req"); | |
17 | ||
342e3652 | 18 | plan tests => 102; |
4650de3e | 19 | |
41e597a0 | 20 | require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); |
4650de3e | 21 | |
f0a057dd DDO |
22 | my @certs = qw(test certs); |
23 | ||
f9964863 RS |
24 | # What type of key to generate? |
25 | my @req_new; | |
26 | if (disabled("rsa")) { | |
27 | @req_new = ("-newkey", "dsa:".srctop_file("apps", "dsa512.pem")); | |
28 | } else { | |
29 | @req_new = ("-new"); | |
30 | note("There should be a 2 sequences of .'s and some +'s."); | |
31 | note("There should not be more that at most 80 per line"); | |
32 | } | |
33 | ||
53d0d01f MC |
34 | # Prevent MSys2 filename munging for arguments that look like file paths but |
35 | # aren't | |
36 | $ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; | |
37 | ||
f9964863 RS |
38 | # Check for duplicate -addext parameters, and one "working" case. |
39 | my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem", | |
00cf3a2d | 40 | "-key", srctop_file(@certs, "ee-key.pem"), |
f9964863 | 41 | "-config", srctop_file("test", "test.cnf"), @req_new ); |
2ddee136 RS |
42 | my $val = "subjectAltName=DNS:example.com"; |
43 | my $val2 = " " . $val; | |
44 | my $val3 = $val; | |
45 | $val3 =~ s/=/ =/; | |
f9964863 RS |
46 | ok( run(app([@addext_args, "-addext", $val]))); |
47 | ok(!run(app([@addext_args, "-addext", $val, "-addext", $val]))); | |
48 | ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2]))); | |
49 | ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3]))); | |
50 | ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3]))); | |
2ddee136 | 51 | |
df5c86e9 HL |
52 | # If a CSR is provided with neither of -key or -CA/-CAkey, this should fail. |
53 | ok(!run(app(["openssl", "req", "-x509", | |
54 | "-in", srctop_file(@certs, "x509-check.csr"), | |
55 | "-out", "testreq.pem"]))); | |
56 | ||
d462b5ff RS |
57 | subtest "generating alt certificate requests with RSA" => sub { |
58 | plan tests => 3; | |
59 | ||
60 | SKIP: { | |
61 | skip "RSA is not supported by this OpenSSL build", 2 | |
62 | if disabled("rsa"); | |
63 | ||
64 | ok(run(app(["openssl", "req", | |
65 | "-config", srctop_file("test", "test.cnf"), | |
66 | "-section", "altreq", | |
67 | "-new", "-out", "testreq-rsa.pem", "-utf8", | |
68 | "-key", srctop_file("test", "testrsa.pem")])), | |
69 | "Generating request"); | |
70 | ||
71 | ok(run(app(["openssl", "req", | |
72 | "-config", srctop_file("test", "test.cnf"), | |
73 | "-verify", "-in", "testreq-rsa.pem", "-noout"])), | |
74 | "Verifying signature on request"); | |
75 | ||
76 | ok(run(app(["openssl", "req", | |
77 | "-config", srctop_file("test", "test.cnf"), | |
78 | "-section", "altreq", | |
79 | "-verify", "-in", "testreq-rsa.pem", "-noout"])), | |
80 | "Verifying signature on request"); | |
81 | } | |
82 | }; | |
83 | ||
84 | ||
b2a7310a | 85 | subtest "generating certificate requests with RSA" => sub { |
20432344 | 86 | plan tests => 8; |
b2a7310a NT |
87 | |
88 | SKIP: { | |
89 | skip "RSA is not supported by this OpenSSL build", 2 | |
90 | if disabled("rsa"); | |
91 | ||
d105a24c TM |
92 | ok(!run(app(["openssl", "req", |
93 | "-config", srctop_file("test", "test.cnf"), | |
94 | "-new", "-out", "testreq-rsa.pem", "-utf8", | |
95 | "-key", srctop_file("test", "testrsa.pem"), | |
96 | "-keyform", "DER"])), | |
97 | "Checking that mismatching keyform fails"); | |
98 | ||
b2a7310a NT |
99 | ok(run(app(["openssl", "req", |
100 | "-config", srctop_file("test", "test.cnf"), | |
11920665 | 101 | "-new", "-out", "testreq-rsa.pem", "-utf8", |
d105a24c TM |
102 | "-key", srctop_file("test", "testrsa.pem"), |
103 | "-keyform", "PEM"])), | |
b2a7310a NT |
104 | "Generating request"); |
105 | ||
106 | ok(run(app(["openssl", "req", | |
107 | "-config", srctop_file("test", "test.cnf"), | |
11920665 | 108 | "-verify", "-in", "testreq-rsa.pem", "-noout"])), |
b2a7310a | 109 | "Verifying signature on request"); |
6dbb2776 | 110 | |
20432344 TM |
111 | ok(run(app(["openssl", "req", |
112 | "-config", srctop_file("test", "test.cnf"), | |
113 | "-modulus", "-in", "testreq-rsa.pem", "-noout"])), | |
114 | "Printing a modulus of the request key"); | |
115 | ||
6dbb2776 DB |
116 | ok(run(app(["openssl", "req", |
117 | "-config", srctop_file("test", "test.cnf"), | |
118 | "-new", "-out", "testreq_withattrs_pem.pem", "-utf8", | |
119 | "-key", srctop_file("test", "testrsa_withattrs.pem")])), | |
120 | "Generating request from a key with extra attributes - PEM"); | |
121 | ||
122 | ok(run(app(["openssl", "req", | |
123 | "-config", srctop_file("test", "test.cnf"), | |
124 | "-verify", "-in", "testreq_withattrs_pem.pem", "-noout"])), | |
125 | "Verifying signature on request from a key with extra attributes - PEM"); | |
126 | ||
127 | ok(run(app(["openssl", "req", | |
128 | "-config", srctop_file("test", "test.cnf"), | |
129 | "-new", "-out", "testreq_withattrs_der.pem", "-utf8", | |
130 | "-key", srctop_file("test", "testrsa_withattrs.der"), | |
a0430488 | 131 | "-keyform", "DER"])), |
6dbb2776 DB |
132 | "Generating request from a key with extra attributes - PEM"); |
133 | ||
134 | ok(run(app(["openssl", "req", | |
135 | "-config", srctop_file("test", "test.cnf"), | |
136 | "-verify", "-in", "testreq_withattrs_der.pem", "-noout"])), | |
137 | "Verifying signature on request from a key with extra attributes - PEM"); | |
b2a7310a NT |
138 | } |
139 | }; | |
140 | ||
a2a5506b | 141 | subtest "generating certificate requests with RSA-PSS" => sub { |
bbde8566 | 142 | plan tests => 12; |
a2a5506b TM |
143 | |
144 | SKIP: { | |
145 | skip "RSA is not supported by this OpenSSL build", 2 | |
146 | if disabled("rsa"); | |
147 | ||
148 | ok(run(app(["openssl", "req", | |
149 | "-config", srctop_file("test", "test.cnf"), | |
150 | "-new", "-out", "testreq-rsapss.pem", "-utf8", | |
151 | "-key", srctop_file("test", "testrsapss.pem")])), | |
152 | "Generating request"); | |
a2a5506b TM |
153 | ok(run(app(["openssl", "req", |
154 | "-config", srctop_file("test", "test.cnf"), | |
155 | "-verify", "-in", "testreq-rsapss.pem", "-noout"])), | |
156 | "Verifying signature on request"); | |
157 | ||
158 | ok(run(app(["openssl", "req", | |
159 | "-config", srctop_file("test", "test.cnf"), | |
160 | "-new", "-out", "testreq-rsapss2.pem", "-utf8", | |
161 | "-sigopt", "rsa_padding_mode:pss", | |
162 | "-sigopt", "rsa_pss_saltlen:-1", | |
163 | "-key", srctop_file("test", "testrsapss.pem")])), | |
164 | "Generating request"); | |
a2a5506b TM |
165 | ok(run(app(["openssl", "req", |
166 | "-config", srctop_file("test", "test.cnf"), | |
167 | "-verify", "-in", "testreq-rsapss2.pem", "-noout"])), | |
168 | "Verifying signature on request"); | |
bbde8566 TM |
169 | |
170 | ok(run(app(["openssl", "req", | |
171 | "-config", srctop_file("test", "test.cnf"), | |
172 | "-new", "-out", "testreq-rsapssmand.pem", "-utf8", | |
173 | "-sigopt", "rsa_padding_mode:pss", | |
174 | "-key", srctop_file("test", "testrsapssmandatory.pem")])), | |
175 | "Generating request"); | |
176 | ok(run(app(["openssl", "req", | |
177 | "-config", srctop_file("test", "test.cnf"), | |
178 | "-verify", "-in", "testreq-rsapssmand.pem", "-noout"])), | |
179 | "Verifying signature on request"); | |
180 | ||
181 | ok(run(app(["openssl", "req", | |
182 | "-config", srctop_file("test", "test.cnf"), | |
183 | "-new", "-out", "testreq-rsapssmand2.pem", "-utf8", | |
184 | "-sigopt", "rsa_pss_saltlen:100", | |
185 | "-key", srctop_file("test", "testrsapssmandatory.pem")])), | |
186 | "Generating request"); | |
187 | ok(run(app(["openssl", "req", | |
188 | "-config", srctop_file("test", "test.cnf"), | |
189 | "-verify", "-in", "testreq-rsapssmand2.pem", "-noout"])), | |
190 | "Verifying signature on request"); | |
191 | ||
192 | ok(!run(app(["openssl", "req", | |
193 | "-config", srctop_file("test", "test.cnf"), | |
194 | "-new", "-out", "testreq-rsapss3.pem", "-utf8", | |
195 | "-sigopt", "rsa_padding_mode:pkcs1", | |
196 | "-key", srctop_file("test", "testrsapss.pem")])), | |
197 | "Generating request with expected failure"); | |
198 | ||
199 | ok(!run(app(["openssl", "req", | |
200 | "-config", srctop_file("test", "test.cnf"), | |
201 | "-new", "-out", "testreq-rsapss3.pem", "-utf8", | |
6c73ca4a | 202 | "-sigopt", "rsa_pss_saltlen:-5", |
bbde8566 TM |
203 | "-key", srctop_file("test", "testrsapss.pem")])), |
204 | "Generating request with expected failure"); | |
205 | ||
206 | ok(!run(app(["openssl", "req", | |
207 | "-config", srctop_file("test", "test.cnf"), | |
208 | "-new", "-out", "testreq-rsapssmand3.pem", "-utf8", | |
209 | "-sigopt", "rsa_pss_saltlen:10", | |
210 | "-key", srctop_file("test", "testrsapssmandatory.pem")])), | |
211 | "Generating request with expected failure"); | |
212 | ||
213 | ok(!run(app(["openssl", "req", | |
214 | "-config", srctop_file("test", "test.cnf"), | |
215 | "-new", "-out", "testreq-rsapssmand3.pem", "-utf8", | |
216 | "-sha256", | |
217 | "-key", srctop_file("test", "testrsapssmandatory.pem")])), | |
218 | "Generating request with expected failure"); | |
a2a5506b TM |
219 | } |
220 | }; | |
221 | ||
b2a7310a NT |
222 | subtest "generating certificate requests with DSA" => sub { |
223 | plan tests => 2; | |
224 | ||
225 | SKIP: { | |
226 | skip "DSA is not supported by this OpenSSL build", 2 | |
227 | if disabled("dsa"); | |
228 | ||
229 | ok(run(app(["openssl", "req", | |
230 | "-config", srctop_file("test", "test.cnf"), | |
11920665 | 231 | "-new", "-out", "testreq-dsa.pem", "-utf8", |
b2a7310a NT |
232 | "-key", srctop_file("test", "testdsa.pem")])), |
233 | "Generating request"); | |
234 | ||
235 | ok(run(app(["openssl", "req", | |
236 | "-config", srctop_file("test", "test.cnf"), | |
11920665 | 237 | "-verify", "-in", "testreq-dsa.pem", "-noout"])), |
b2a7310a NT |
238 | "Verifying signature on request"); |
239 | } | |
240 | }; | |
241 | ||
242 | subtest "generating certificate requests with ECDSA" => sub { | |
243 | plan tests => 2; | |
244 | ||
245 | SKIP: { | |
246 | skip "ECDSA is not supported by this OpenSSL build", 2 | |
247 | if disabled("ec"); | |
248 | ||
249 | ok(run(app(["openssl", "req", | |
250 | "-config", srctop_file("test", "test.cnf"), | |
11920665 | 251 | "-new", "-out", "testreq-ec.pem", "-utf8", |
b2a7310a NT |
252 | "-key", srctop_file("test", "testec-p256.pem")])), |
253 | "Generating request"); | |
254 | ||
255 | ok(run(app(["openssl", "req", | |
256 | "-config", srctop_file("test", "test.cnf"), | |
11920665 | 257 | "-verify", "-in", "testreq-ec.pem", "-noout"])), |
b2a7310a NT |
258 | "Verifying signature on request"); |
259 | } | |
260 | }; | |
261 | ||
81722fdf NT |
262 | subtest "generating certificate requests with Ed25519" => sub { |
263 | plan tests => 2; | |
264 | ||
265 | SKIP: { | |
266 | skip "Ed25519 is not supported by this OpenSSL build", 2 | |
4032cd9a | 267 | if disabled("ecx"); |
81722fdf | 268 | |
4c6348c2 | 269 | ok(run(app(["openssl", "req", |
81722fdf | 270 | "-config", srctop_file("test", "test.cnf"), |
11920665 | 271 | "-new", "-out", "testreq-ed25519.pem", "-utf8", |
81722fdf NT |
272 | "-key", srctop_file("test", "tested25519.pem")])), |
273 | "Generating request"); | |
274 | ||
4c6348c2 | 275 | ok(run(app(["openssl", "req", |
81722fdf | 276 | "-config", srctop_file("test", "test.cnf"), |
11920665 | 277 | "-verify", "-in", "testreq-ed25519.pem", "-noout"])), |
81722fdf NT |
278 | "Verifying signature on request"); |
279 | } | |
280 | }; | |
281 | ||
282 | subtest "generating certificate requests with Ed448" => sub { | |
283 | plan tests => 2; | |
284 | ||
285 | SKIP: { | |
286 | skip "Ed448 is not supported by this OpenSSL build", 2 | |
4032cd9a | 287 | if disabled("ecx"); |
81722fdf | 288 | |
4c6348c2 | 289 | ok(run(app(["openssl", "req", |
81722fdf | 290 | "-config", srctop_file("test", "test.cnf"), |
11920665 | 291 | "-new", "-out", "testreq-ed448.pem", "-utf8", |
81722fdf NT |
292 | "-key", srctop_file("test", "tested448.pem")])), |
293 | "Generating request"); | |
294 | ||
4c6348c2 | 295 | ok(run(app(["openssl", "req", |
81722fdf | 296 | "-config", srctop_file("test", "test.cnf"), |
11920665 | 297 | "-verify", "-in", "testreq-ed448.pem", "-noout"])), |
81722fdf NT |
298 | "Verifying signature on request"); |
299 | } | |
300 | }; | |
301 | ||
e2ec7332 | 302 | subtest "generating certificate requests" => sub { |
e2ec7332 RL |
303 | plan tests => 2; |
304 | ||
305 | ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), | |
00cf3a2d | 306 | "-key", srctop_file(@certs, "ee-key.pem"), |
b2a7310a | 307 | @req_new, "-out", "testreq.pem"])), |
e2ec7332 RL |
308 | "Generating request"); |
309 | ||
310 | ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), | |
b2a7310a | 311 | "-verify", "-in", "testreq.pem", "-noout"])), |
e2ec7332 RL |
312 | "Verifying signature on request"); |
313 | }; | |
314 | ||
bc42bd62 | 315 | subtest "generating SM2 certificate requests" => sub { |
a45eb7e8 | 316 | plan tests => 4; |
bc42bd62 PY |
317 | |
318 | SKIP: { | |
a45eb7e8 | 319 | skip "SM2 is not supported by this OpenSSL build", 4 |
fb2a6954 MC |
320 | if disabled("sm2"); |
321 | ok(run(app(["openssl", "req", | |
b2a7310a | 322 | "-config", srctop_file("test", "test.cnf"), |
f0a057dd | 323 | "-new", "-key", srctop_file(@certs, "sm2.key"), |
fda127be | 324 | "-sigopt", "distid:1234567812345678", |
11920665 | 325 | "-out", "testreq-sm2.pem", "-sm3"])), |
bc42bd62 PY |
326 | "Generating SM2 certificate request"); |
327 | ||
fb2a6954 | 328 | ok(run(app(["openssl", "req", |
b2a7310a | 329 | "-config", srctop_file("test", "test.cnf"), |
11920665 | 330 | "-verify", "-in", "testreq-sm2.pem", "-noout", |
fda127be | 331 | "-vfyopt", "distid:1234567812345678", "-sm3"])), |
bc42bd62 | 332 | "Verifying signature on SM2 certificate request"); |
a45eb7e8 | 333 | |
fb2a6954 | 334 | ok(run(app(["openssl", "req", |
b2a7310a | 335 | "-config", srctop_file("test", "test.cnf"), |
f0a057dd | 336 | "-new", "-key", srctop_file(@certs, "sm2.key"), |
fda127be | 337 | "-sigopt", "hexdistid:DEADBEEF", |
11920665 | 338 | "-out", "testreq-sm2.pem", "-sm3"])), |
a45eb7e8 PY |
339 | "Generating SM2 certificate request with hex id"); |
340 | ||
fb2a6954 | 341 | ok(run(app(["openssl", "req", |
b2a7310a | 342 | "-config", srctop_file("test", "test.cnf"), |
11920665 | 343 | "-verify", "-in", "testreq-sm2.pem", "-noout", |
fda127be | 344 | "-vfyopt", "hexdistid:DEADBEEF", "-sm3"])), |
a45eb7e8 | 345 | "Verifying signature on SM2 certificate request"); |
bc42bd62 PY |
346 | } |
347 | }; | |
348 | ||
42e0ccdf | 349 | my @openssl_args = ("req", "-config", srctop_file("apps", "openssl.cnf")); |
4650de3e RL |
350 | |
351 | run_conversion('req conversions', | |
b2a7310a | 352 | "testreq.pem"); |
4650de3e | 353 | run_conversion('req conversions -- testreq2', |
b2a7310a | 354 | srctop_file("test", "testreq2.pem")); |
e2ec7332 | 355 | |
4650de3e RL |
356 | sub run_conversion { |
357 | my $title = shift; | |
358 | my $reqfile = shift; | |
359 | ||
360 | subtest $title => sub { | |
b2a7310a NT |
361 | run(app(["openssl", @openssl_args, |
362 | "-in", $reqfile, "-inform", "p", | |
363 | "-noout", "-text"], | |
364 | stderr => "req-check.err", stdout => undef)); | |
365 | open DATA, "req-check.err"; | |
366 | SKIP: { | |
367 | plan skip_all => "skipping req conversion test for $reqfile" | |
368 | if grep /Unknown Public Key/, map { s/\R//; } <DATA>; | |
369 | ||
b40498c6 RL |
370 | tconversion( -type => 'req', -in => $reqfile, |
371 | -args => [ @openssl_args ] ); | |
b2a7310a NT |
372 | } |
373 | close DATA; | |
374 | unlink "req-check.err"; | |
375 | ||
376 | done_testing(); | |
4650de3e RL |
377 | }; |
378 | } | |
f0a057dd DDO |
379 | |
380 | # Test both generation and verification of certs w.r.t. RFC 5280 requirements | |
381 | ||
382 | my $ca_cert; # will be set below | |
383 | sub generate_cert { | |
384 | my $cert = shift @_; | |
385 | my $ss = $cert =~ m/self-signed/; | |
386 | my $is_ca = $cert =~ m/CA/; | |
387 | my $cn = $is_ca ? "CA" : "EE"; | |
388 | my $ca_key = srctop_file(@certs, "ca-key.pem"); | |
389 | my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem"); | |
a1a62437 | 390 | my @cmd = ("openssl", "req", "-config", "", "-x509", |
df5c86e9 HL |
391 | "-subj", "/CN=$cn", @_, "-out", $cert); |
392 | push(@cmd, ("-key", $key)) if $ss; | |
f0a057dd DDO |
393 | push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss; |
394 | ok(run(app([@cmd])), "generate $cert"); | |
395 | } | |
342e3652 | 396 | |
b65c5ec8 DDO |
397 | sub has_keyUsage { |
398 | my $cert = shift @_; | |
399 | my $expect = shift @_; | |
400 | cert_contains($cert, "Key Usage", $expect); | |
401 | } | |
f0a057dd DDO |
402 | sub strict_verify { |
403 | my $cert = shift @_; | |
404 | my $expect = shift @_; | |
405 | my $trusted = shift @_; | |
406 | $trusted = $cert unless $trusted; | |
407 | ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted, | |
408 | "-partial_chain", $cert])) == $expect, | |
409 | "strict verify allow $cert"); | |
410 | } | |
411 | ||
412 | my @v3_ca = ("-addext", "basicConstraints = critical,CA:true", | |
413 | "-addext", "keyUsage = keyCertSign"); | |
41e597a0 | 414 | my $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier"; |
00cf3a2d DDO |
415 | |
416 | # # SKID | |
417 | ||
342e3652 DDO |
418 | my $cert = "self-signed_default_SKID_no_explicit_exts.pem"; |
419 | generate_cert($cert); | |
420 | has_version($cert, 3); | |
421 | has_SKID($cert, 1); # SKID added, though no explicit extensions given | |
422 | has_AKID($cert, 0); | |
423 | ||
00cf3a2d DDO |
424 | my $cert = "self-signed_v3_CA_hash_SKID.pem"; |
425 | generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash"); | |
426 | has_SKID($cert, 1); # explicit hash SKID | |
427 | ||
428 | $cert = "self-signed_v3_CA_no_SKID.pem"; | |
429 | generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none"); | |
430 | cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID | |
431 | #TODO strict_verify($cert, 0); | |
432 | ||
433 | $cert = "self-signed_v3_CA_given_SKID.pem"; | |
434 | generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = 45"); | |
435 | cert_contains($cert, "Subject Key Identifier: 45 ", 1); # given SKID | |
436 | strict_verify($cert, 1); | |
437 | ||
438 | # AKID of self-signed certs | |
439 | ||
440 | $cert = "self-signed_v1_CA_no_KIDs.pem"; | |
342e3652 DDO |
441 | generate_cert($cert, "-x509v1"); |
442 | has_version($cert, 1); | |
41e597a0 | 443 | cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID |
f0a057dd DDO |
444 | #TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA |
445 | ||
00cf3a2d | 446 | $ca_cert = "self-signed_v3_CA_default_SKID.pem"; # will also be used below |
f0a057dd | 447 | generate_cert($ca_cert, @v3_ca); |
00cf3a2d DDO |
448 | has_SKID($ca_cert, 1); # default SKID |
449 | has_AKID($ca_cert, 0); # no default AKID | |
f0a057dd DDO |
450 | strict_verify($ca_cert, 1); |
451 | ||
00cf3a2d DDO |
452 | $cert = "self-signed_v3_CA_no_AKID.pem"; |
453 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = none"); | |
454 | has_AKID($cert, 0); # forced no AKID | |
f0a057dd | 455 | |
00cf3a2d DDO |
456 | $cert = "self-signed_v3_CA_explicit_AKID.pem"; |
457 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid"); | |
458 | has_AKID($cert, 0); # for self-signed cert, AKID suppressed and not forced | |
459 | ||
460 | $cert = "self-signed_v3_CA_forced_AKID.pem"; | |
461 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always"); | |
462 | cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # forced AKID, AKID == SKID | |
f0a057dd DDO |
463 | strict_verify($cert, 1); |
464 | ||
00cf3a2d DDO |
465 | $cert = "self-signed_v3_CA_issuer_AKID.pem"; |
466 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer"); | |
467 | has_AKID($cert, 0); # suppressed AKID since not forced | |
468 | ||
469 | $cert = "self-signed_v3_CA_forced_issuer_AKID.pem"; | |
470 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always"); | |
471 | cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # forced issuer AKID | |
472 | ||
473 | $cert = "self-signed_v3_CA_nonforced_keyid_issuer_AKID.pem"; | |
474 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer"); | |
475 | has_AKID($cert, 0); # AKID not present because not forced and cert self-signed | |
476 | ||
477 | $cert = "self-signed_v3_CA_keyid_forced_issuer_AKID.pem"; | |
478 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer:always"); | |
479 | cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # issuer AKID forced, with keyid not forced | |
480 | ||
481 | $cert = "self-signed_v3_CA_forced_keyid_issuer_AKID.pem"; | |
482 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer"); | |
483 | has_AKID($cert, 1); # AKID with keyid forced | |
484 | cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 0); # no issuer AKID | |
485 | ||
486 | $cert = "self-signed_v3_CA_forced_keyid_forced_issuer_AKID.pem"; | |
487 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always"); | |
488 | cert_contains($cert, "Authority Key Identifier: keyid(:[0-9A-Fa-f]{2})+ DirName:/CN=CA serial:", 1); # AKID with keyid and issuer forced | |
489 | ||
f0a057dd DDO |
490 | $cert = "self-signed_v3_EE_wrong_keyUsage.pem"; |
491 | generate_cert($cert, "-addext", "keyUsage = keyCertSign"); | |
492 | #TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply | |
493 | ||
00cf3a2d DDO |
494 | # AKID of self-issued but not self-signed certs |
495 | ||
496 | $cert = "self-issued_x509_v3_CA_default_KIDs.pem"; | |
497 | ok(run(app([("openssl", "x509", "-copy_extensions", "copy", | |
498 | "-req", "-in", srctop_file(@certs, "ext-check.csr"), | |
499 | "-key", srctop_file(@certs, "ca-key.pem"), | |
500 | "-force_pubkey", srctop_file("test", "testrsapub.pem"), | |
501 | "-out", $cert)])), "generate using x509: $cert"); | |
502 | cert_contains($cert, "Issuer: CN=test .*? Subject: CN=test", 1); | |
503 | cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID | |
504 | strict_verify($cert, 1); | |
505 | ||
506 | $cert = "self-issued_v3_CA_default_KIDs.pem"; | |
507 | generate_cert($cert, "-addext", "keyUsage = dataEncipherment", | |
508 | "-in", srctop_file(@certs, "x509-check.csr")); | |
509 | cert_contains($cert, "Issuer: CN=CA .*? Subject: CN=CA", 1); | |
510 | cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID | |
511 | strict_verify($cert, 1); | |
512 | ||
513 | $cert = "self-issued_v3_CA_no_AKID.pem"; | |
514 | generate_cert($cert, "-addext", "authorityKeyIdentifier = none", | |
515 | "-in", srctop_file(@certs, "x509-check.csr")); | |
342e3652 DDO |
516 | has_version($cert, 3); |
517 | has_SKID($cert, 1); # SKID added, though no explicit extensions given | |
00cf3a2d DDO |
518 | has_AKID($cert, 0); |
519 | strict_verify($cert, 1); | |
520 | ||
521 | $cert = "self-issued_v3_CA_explicit_AKID.pem"; | |
522 | generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid", | |
523 | "-in", srctop_file(@certs, "x509-check.csr")); | |
524 | cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID | |
525 | strict_verify($cert, 1); | |
526 | ||
527 | $cert = "self-issued_v3_CA_forced_AKID.pem"; | |
528 | generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always", | |
529 | "-in", srctop_file(@certs, "x509-check.csr")); | |
530 | cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID | |
531 | ||
532 | $cert = "self-issued_v3_CA_issuer_AKID.pem"; | |
533 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer", | |
534 | "-in", srctop_file(@certs, "x509-check.csr")); | |
535 | cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID | |
536 | ||
537 | $cert = "self-issued_v3_CA_forced_issuer_AKID.pem"; | |
538 | generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always", | |
539 | "-in", srctop_file(@certs, "x509-check.csr")); | |
540 | cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID | |
541 | ||
542 | $cert = "self-issued_v3_CA_keyid_issuer_AKID.pem"; | |
543 | generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer", | |
544 | "-in", srctop_file(@certs, "x509-check.csr")); | |
545 | cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID, not forced | |
546 | ||
547 | $cert = "self-issued_v3_CA_keyid_forced_issuer_AKID.pem"; | |
548 | generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer:always", | |
549 | "-in", srctop_file(@certs, "x509-check.csr")); | |
550 | cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, with forced issuer | |
551 | ||
552 | $cert = "self-issued_v3_CA_forced_keyid_and_issuer_AKID.pem"; | |
553 | generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always", | |
554 | "-in", srctop_file(@certs, "x509-check.csr")); | |
555 | cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced | |
556 | ||
557 | # AKID of not self-issued certs | |
558 | ||
342e3652 DDO |
559 | $cert = "regular_v3_EE_default_KIDs_no_other_exts.pem"; |
560 | generate_cert($cert, "-key", srctop_file(@certs, "ee-key.pem")); | |
561 | has_version($cert, 3); | |
562 | cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID | |
563 | ||
00cf3a2d | 564 | $cert = "regular_v3_EE_default_KIDs.pem"; |
df5c86e9 HL |
565 | generate_cert($cert, "-addext", "keyUsage = dataEncipherment", |
566 | "-key", srctop_file(@certs, "ee-key.pem")); | |
41e597a0 | 567 | cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID |
f0a057dd | 568 | strict_verify($cert, 1, $ca_cert); |
df5c86e9 | 569 | |
00cf3a2d DDO |
570 | $cert = "regular_v3_EE_copied_exts_default_KIDs.pem"; |
571 | generate_cert($cert, "-copy_extensions", "copy", | |
572 | "-in", srctop_file(@certs, "ext-check.csr")); | |
573 | cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID | |
574 | strict_verify($cert, 1); | |
f0a057dd DDO |
575 | |
576 | $cert = "v3_EE_no_AKID.pem"; | |
df5c86e9 HL |
577 | generate_cert($cert, "-addext", "authorityKeyIdentifier = none", |
578 | "-key", srctop_file(@certs, "ee-key.pem")); | |
f0a057dd DDO |
579 | has_SKID($cert, 1); |
580 | has_AKID($cert, 0); | |
581 | strict_verify($cert, 0, $ca_cert); | |
41e597a0 | 582 | |
b65c5ec8 | 583 | |
00cf3a2d DDO |
584 | # Key Usage |
585 | ||
586 | $cert = "self-signed_CA_no_keyUsage.pem"; | |
b65c5ec8 DDO |
587 | generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr")); |
588 | has_keyUsage($cert, 0); | |
00cf3a2d | 589 | $cert = "self-signed_CA_with_keyUsages.pem"; |
b65c5ec8 DDO |
590 | generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"), |
591 | "-copy_extensions", "copy"); | |
592 | has_keyUsage($cert, 1); |