tests: added checks for invalid X.509 certificate signatures

diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 33d7e32cf579abd4712f27efe2c7205c3bd9e96d..c4fe11039ec465be735f8f52df19489b24a779b4 100644 (file)
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -27,11 +27,11 @@ EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem aki-cert.pem \
        template-overflow.tmpl template-overflow2.pem template-overflow2.tmpl \
        template-date.tmpl template-date.pem template-dn-err.tmpl \
        template-nc.tmpl template-nc.pem xmpp-othername.pem \
-       suppressions.valgrind csr-invalid.der
+       suppressions.valgrind csr-invalid.der invalid-sig2.pem invalid-sig3.pem
 
-dist_check_SCRIPTS = pathlen aki template-test pem-decoding dane crq certtool
+dist_check_SCRIPTS = pathlen aki template-test pem-decoding dane crq certtool invalid-sig
 
-TESTS = pathlen aki pem-decoding certtool
+TESTS = pathlen aki pem-decoding certtool invalid-sig
 
 if ENABLE_NON_SUITEB_CURVES
 TESTS += crq

diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig
new file mode 100755 (executable)
index 0000000..bf2e054
--- /dev/null
+++ b/tests/cert-tests/invalid-sig
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir=${srcdir:-.}
+CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT}
+DIFF=${DIFF:-diff}
+if ! test -z "${VALGRIND}";then
+VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+#check whether a different tbsCertificate than the outer signature algorithm is tolerated
+$VALGRIND $CERTTOOL -e --infile $srcdir/invalid-sig2.pem
+rc=$?
+
+# We're done.
+if test "$rc" = "0"; then
+  echo "Verification of invalid signature (2) failed"
+  exit $rc
+fi
+
+#check whether a different tbsCertificate than the outer signature algorithm is tolerated
+$VALGRIND $CERTTOOL -e --infile $srcdir/invalid-sig3.pem
+rc=$?
+
+# We're done.
+if test "$rc" = "0"; then
+  echo "Verification of invalid signature (3) failed"
+  exit $rc
+fi
+
+exit 0

diff --git a/tests/cert-tests/invalid-sig2.pem b/tests/cert-tests/invalid-sig2.pem
new file mode 100644 (file)
index 0000000..69163e2
--- /dev/null
+++ b/tests/cert-tests/invalid-sig2.pem
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIICwzCCAXugAwIBAgIIVOei+gI+zMYwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE
+AxMOR251VExTIFRlc3QgQ0EwIhgPMjAxNTAyMjAyMTExMjJaGA85OTk5MTIzMTIz
+NTk1OVowFzEVMBMGA1UEAxMMV3Jvbmcgc2lnYWxnMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQDKivjLpeml2GINsAimC6xwTxj44mLcxS+u69yFXFg2Z/AepUU+
+IvfqVOeRVgg1WHrh+DZLuoC6kwn7a2afUTzytrITKni+J14ENa/ZcF2MrhSM8WZ1
+NWrmvUltjkbJQIwyVPuIweRH1ECqSFxVqBT8RwYZ27FzTL8WF1JnlSlKuQIDAQAB
+o2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFK9V
+bbSoqbHWgZwkzN57nbmAyyTwMB8GA1UdIwQYMBaAFE1Wt2oAWPFnkvSmdVUbjlMB
+A+/PMA0GCSqGSIb3DQEBBAUAA4IBMQCT2A88WEahnJgfXTjLbThqc/ICOg4dnk61
+zhaTkgK3is7T8gQrTqEbaVF4qu5gOLN6Z+xluii+ApZKKpKSyYLXS6MS3nJ6xGTi
+SOqixmPv7qfQnkUvUTagZymnWQ3GxRxjAv65YpmGyti+/TdkYWDQ9R/D/sWPJO8o
+YrFNw1ZXAaNMg4EhhGZ4likMlww+e5NPfJsJ32AovveTFKqSrvabb4UtrUJTwsC4
+Bd018g2MEhTkxeTQTqzIL98CoSBJjbbZD/YW13J/3xU590QpHTgni5hAni27IFLr
+1V+UJAglBs8qYiUzv/GjwbRt8TDzYVjvc+5MvPaGpoTcmdQyi9/L+3s8J6dX3i93
+TneIXeExwjTmXKL7NG+KQz9/F4FJChRXR6X1zsSB45DzoCoGMmzD
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDUDCCAgigAwIBAgIBADANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5HbnVU
+TFMgVGVzdCBDQTAeFw0xMTA1MjgwODM2MzBaFw0zODEwMTIwODM2MzNaMBkxFzAV
+BgNVBAMTDkdudVRMUyBUZXN0IENBMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIB
+OgKCATEAnORCsX1unl//fy2d1054XduIg/3CqVBaT3Hca65SEoDwh0KiPtQoOgZL
+dKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJU95v4TQdC4OLMiE56eIGq252hZAb
+HoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08
+WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3
+F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vGVYHigXMEZC2FezlwIHaZzpEoFlY3
+a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSe
+oxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/
+MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFE1Wt2oAWPFnkvSmdVUbjlMBA+/P
+MA0GCSqGSIb3DQEBCwUAA4IBMQAesOgjGFi1zOYpA/N3gkUVRcBHDxmN7g2yOcqH
+VfhFc+e4zhOehR11WCt2RgzNlnYVmV5zBmQBdTAt8Po/MVhLCDW1BULHlLvL0DFc
+4sB1RlcGeQcCKQa4b+Q9VWf4f6TfuEWZQC5j5stiXjVgOqrOMrzKZ2eKWA4JsL9s
+V+7ANSZE+hOt1X1mA8moyqe95U2Ecih+nFJSWSBd1WFiEzVnXv4FVWPXbH9HERDK
+VbasjofWWmQO1YlQPishLgm1IbwqOkOk4sDgoLuUZ4GgP0DDeN6EmRDOzByrv+9u
+f45Bl9IQf4IJNPLU9lEqjyMOydqT6kBi7fjV5ICuQZ4EeVJsOGuX7PqNyoDzJHLv
+ferRfNLr6eQSHSxBhS0cVyDjb5gCawK6u7xTU+b7xikEie9k
+-----END CERTIFICATE-----

diff --git a/tests/cert-tests/invalid-sig3.pem b/tests/cert-tests/invalid-sig3.pem
new file mode 100644 (file)
index 0000000..40c610f
--- /dev/null
+++ b/tests/cert-tests/invalid-sig3.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAYygAwIBAgIIVOem0AaBE/EwDQYJKoZIhvcNAQEEBQAwGTEXMBUGA1UE
+AxMOR251VExTIFRlc3QgQ0EwIhgPMjAxNTAyMjAyMTI3NDRaGA85OTk5MTIzMTIz
+NTk1OVowKDEmMCQGA1UEAxMdSW52YWxpZCB0YnNDZXJ0aWZpY2F0ZSBzaWdhbGcw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMqK+Mul6aXYYg2wCKYLrHBPGPji
+YtzFL67r3IVcWDZn8B6lRT4i9+pU55FWCDVYeuH4Nku6gLqTCftrZp9RPPK2shMq
+eL4nXgQ1r9lwXYyuFIzxZnU1aua9SW2ORslAjDJU+4jB5EfUQKpIXFWoFPxHBhnb
+sXNMvxYXUmeVKUq5AgMBAAGjYTBfMAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUD
+AwegADAdBgNVHQ4EFgQUr1VttKipsdaBnCTM3nuduYDLJPAwHwYDVR0jBBgwFoAU
+TVa3agBY8WeS9KZ1VRuOUwED788wDQYJKoZIhvcNAQELBQADggExAEsjzyOB8ntk
+1BW4UhHdDSOZNrR4Ep0y2B3tjoOlXmcQD50WQb7NF/vYGeZN/y+WHEF9OAnneEIi
+5wRHLnm1jP/bXd5Po3EsaTLmpE7rW99DYlHaNRcF5z+a+qTdj7mRsnUtv6o2ItNT
+m81yQr0Lw0D31agU9IAzeXZy+Dm6dQnO1GAaHlOJQR1PZIOzOtYxqodla0qxuvga
+nL+quIR29t8nb7j+n8l1+2WxCUoxEO0wv37t3MQxjXUxzGfo5NDcXqH1364UBzdM
+rOBPX50B4LUyV5gNdWMIGVSMX3fTE+j3b+60w6NALXDzGoSGLQH48hpi/Mxzqctt
+gl58/RqS+nTNQ7c6QMhTj+dgaCE/DUGJJf0354dYp7p43nabr+ZtaMPUaGUQ/1UC
+C5/QFweC23w=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDUDCCAgigAwIBAgIBADANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5HbnVU
+TFMgVGVzdCBDQTAeFw0xMTA1MjgwODM2MzBaFw0zODEwMTIwODM2MzNaMBkxFzAV
+BgNVBAMTDkdudVRMUyBUZXN0IENBMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIB
+OgKCATEAnORCsX1unl//fy2d1054XduIg/3CqVBaT3Hca65SEoDwh0KiPtQoOgZL
+dKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJU95v4TQdC4OLMiE56eIGq252hZAb
+HoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08
+WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3
+F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vGVYHigXMEZC2FezlwIHaZzpEoFlY3
+a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSe
+oxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/
+MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFE1Wt2oAWPFnkvSmdVUbjlMBA+/P
+MA0GCSqGSIb3DQEBCwUAA4IBMQAesOgjGFi1zOYpA/N3gkUVRcBHDxmN7g2yOcqH
+VfhFc+e4zhOehR11WCt2RgzNlnYVmV5zBmQBdTAt8Po/MVhLCDW1BULHlLvL0DFc
+4sB1RlcGeQcCKQa4b+Q9VWf4f6TfuEWZQC5j5stiXjVgOqrOMrzKZ2eKWA4JsL9s
+V+7ANSZE+hOt1X1mA8moyqe95U2Ecih+nFJSWSBd1WFiEzVnXv4FVWPXbH9HERDK
+VbasjofWWmQO1YlQPishLgm1IbwqOkOk4sDgoLuUZ4GgP0DDeN6EmRDOzByrv+9u
+f45Bl9IQf4IJNPLU9lEqjyMOydqT6kBi7fjV5ICuQZ4EeVJsOGuX7PqNyoDzJHLv
+ferRfNLr6eQSHSxBhS0cVyDjb5gCawK6u7xTU+b7xikEie9k
+-----END CERTIFICATE-----