Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c

author Dr. David von Oheimb <David.von.Oheimb@siemens.com>

Sat, 19 Dec 2020 18:49:25 +0000 (19:49 +0100)

committer Dr. David von Oheimb <dev@ddvo.net>

Wed, 13 Jan 2021 10:53:15 +0000 (11:53 +0100)
author Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Sat, 19 Dec 2020 18:49:25 +0000 (19:49 +0100)
committer Dr. David von Oheimb <dev@ddvo.net>
Wed, 13 Jan 2021 10:53:15 +0000 (11:53 +0100)
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t

index b5d63fe1dad672f6c32a275e2ed9bb96512ddab4..cb9f8888a5c583655df6f1f7464458548b022968 100644 (file)
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,10 +15,12 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
  
  setup("test_req");
  
-plan tests => 16;
+plan tests => 39;
  
  require_ok(srctop_file('test','recipes','tconversion.pl'));
  
+my @certs = qw(test certs);
+
  # What type of key to generate?
  my @req_new;
  if (disabled("rsa")) {
@@ -190,7 +192,7 @@ subtest "generating SM2 certificate requests" => sub {
          if disabled("sm2");
          ok(run(app(["openssl", "req",
                      "-config", srctop_file("test", "test.cnf"),
-                    "-new", "-key", srctop_file("test", "certs", "sm2.key"),
+                    "-new", "-key", srctop_file(@certs, "sm2.key"),
                      "-sigopt", "distid:1234567812345678",
                      "-out", "testreq-sm2.pem", "-sm3"])),
             "Generating SM2 certificate request");
@@ -203,7 +205,7 @@ subtest "generating SM2 certificate requests" => sub {
  
          ok(run(app(["openssl", "req",
                      "-config", srctop_file("test", "test.cnf"),
-                    "-new", "-key", srctop_file("test", "certs", "sm2.key"),
+                    "-new", "-key", srctop_file(@certs, "sm2.key"),
                      "-sigopt", "hexdistid:DEADBEEF",
                      "-out", "testreq-sm2.pem", "-sm3"])),
             "Generating SM2 certificate request with hex id");
@@ -246,3 +248,81 @@ sub run_conversion {
          done_testing();
      };
  }
+
+# Test both generation and verification of certs w.r.t. RFC 5280 requirements
+
+my $ca_cert; # will be set below
+sub generate_cert {
+    my $cert = shift @_;
+    my $ss = $cert =~ m/self-signed/;
+    my $is_ca = $cert =~ m/CA/;
+    my $cn = $is_ca ? "CA" : "EE";
+    my $ca_key = srctop_file(@certs, "ca-key.pem");
+    my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem");
+    my @cmd = ("openssl", "req", "-config", "\"\"","-x509",
+               "-key", $key, "-subj", "/CN=$cn", @_, "-out", $cert);
+    push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss;
+    ok(run(app([@cmd])), "generate $cert");
+}
+sub has_SKID {
+    my $cert = shift @_;
+    my $expect = shift @_;
+    cert_contains($cert, "Subject Key Identifier", $expect);
+}
+sub has_AKID {
+    my $cert = shift @_;
+    my $expect = shift @_;
+    cert_contains($cert, "Authority Key Identifier", $expect);
+}
+sub strict_verify {
+    my $cert = shift @_;
+    my $expect = shift @_;
+    my $trusted = shift @_;
+    $trusted = $cert unless $trusted;
+    ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted,
+                "-partial_chain", $cert])) == $expect,
+       "strict verify allow $cert");
+}
+
+my @v3_ca = ("-addext", "basicConstraints = critical,CA:true",
+             "-addext", "keyUsage = keyCertSign");
+my $cert = "self-signed_v1_CA_no_KIDs.pem";
+generate_cert($cert);
+has_SKID($ca_cert, 0);
+has_AKID($ca_cert, 0);
+#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA
+
+$ca_cert = "self-signed_v3_CA_default_SKID.pem";
+generate_cert($ca_cert, @v3_ca);
+has_SKID($ca_cert, 1);
+has_AKID($ca_cert, 0);
+strict_verify($ca_cert, 1);
+
+$cert = "self-signed_v3_CA_no_SKID.pem";
+generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none");
+has_SKID($cert, 0);
+has_AKID($cert, 0);
+#TODO strict_verify($cert, 0);
+
+$cert = "self-signed_v3_CA_both_KIDs.pem";
+generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash",
+            "-addext", "authorityKeyIdentifier = keyid");
+has_SKID($cert, 1);
+has_AKID($cert, 1);
+strict_verify($cert, 1);
+
+$cert = "self-signed_v3_EE_wrong_keyUsage.pem";
+generate_cert($cert, "-addext", "keyUsage = keyCertSign");
+#TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply
+
+$cert = "v3_EE_default_KIDs.pem";
+generate_cert($cert, "-addext", "keyUsage = dataEncipherment");
+has_SKID($cert, 1);
+has_AKID($cert, 1);
+strict_verify($cert, 1, $ca_cert);
+
+$cert = "v3_EE_no_AKID.pem";
+generate_cert($cert, "-addext", "authorityKeyIdentifier = none");
+has_SKID($cert, 1);
+has_AKID($cert, 0);
+strict_verify($cert, 0, $ca_cert);
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t

index 19ff335f8285e3825618f7b1e664f89dbc6e108f..e9550f1fe4d6d8ee29165cf45960b32ab43e34ed 100644 (file)
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -20,6 +20,7 @@ plan tests => 15;
  
  require_ok(srctop_file('test','recipes','tconversion.pl'));
  
+my @certs = qw(test certs);
  my $pem = srctop_file("test/certs", "cyrillic.pem");
  my $out_msb = "out-cyrillic.msb";
  my $out_utf8 = "out-cyrillic.utf8";
@@ -88,21 +89,9 @@ subtest 'x509 -- pathlen' => sub {
      ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")])));
  };
  
-subtest 'x500 -- subjectAltName' => sub {
-     my $fp = srctop_file("test/certs", "fake-gp.pem");
-     my $out = "ext.out";
-     ok(run(app(["openssl", "x509", "-text", "-in", $fp, "-out", $out])));
-     ok(has_doctor_id($out));
-     unlink $out;
-};
-
-sub has_doctor_id { 
-    $_ = shift @_;
-    open(DATA,$_) or return 0;
-    $_= join('',<DATA>); 
-    close(DATA);
-    return m/2.16.528.1.1003.1.3.5.5.2-1-0000006666-Z-12345678-01.015-12345678/;
-}
+cert_contains(srctop_file(@certs, "fake-gp.pem"),
+              "2.16.528.1.1003.1.3.5.5.2-1-0000006666-Z-12345678-01.015-12345678",
+              1, 'x500 -- subjectAltName');
  
  sub test_errors { # actually tests diagnostics of OSSL_STORE
      my ($expected, $cert, @opts) = @_;
diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl

index d3b64590da7362fcc488720d46ea1550de656823..bf096994e39a6f73413dcac7bc3db7a9125b7756 100644 (file)
--- a/test/recipes/tconversion.pl
+++ b/test/recipes/tconversion.pl
@@ -108,4 +108,25 @@ sub cmp_text {
      });
  }
  
+sub file_contains {
+    $_ = shift @_;
+    my $pattern = shift @_;
+    open(DATA,$_) or return 0;
+    $_= join('',<DATA>);
+    close(DATA);
+    return m/$pattern/ ? 1 : 0;
+}
+
+sub cert_contains {
+    my $cert = shift @_;
+    my $pattern = shift @_;
+    my $expected = shift @_;
+    my $name = shift @_;
+    my $out = "tmp.out";
+    run(app(["openssl", "x509", "-noout", "-text", "-in", $cert, "-out", $out]));
+    is(file_contains($out, $pattern), $expected, ($name ? "$name: " : "").
+       "$cert should ".($expected ? "" : "not ")."contain $pattern");
+    # not unlinking $out
+}
+
  1;
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>
	Sat, 19 Dec 2020 18:49:25 +0000 (19:49 +0100)
committer	Dr. David von Oheimb <dev@ddvo.net>
	Wed, 13 Jan 2021 10:53:15 +0000 (11:53 +0100)
test/recipes/25-test_req.t		patch \| blob \| blame \| history
test/recipes/25-test_x509.t		patch \| blob \| blame \| history
test/recipes/tconversion.pl		patch \| blob \| blame \| history