tests: add negative serial number test
authorElias Gustafsson <elias.skondal@gmail.com>
Tue, 4 Apr 2023 00:16:04 +0000 (02:16 +0200)
committerDaiki Ueno <ueno@gnu.org>
Thu, 13 Jul 2023 07:03:22 +0000 (09:03 +0200)
Signed-off-by: Elias Gustafsson <elias.skondal@gmail.com>
tests/cert-tests/Makefile.am
tests/cert-tests/reject-negative-serial.sh [new file with mode: 0755]
tests/cert-tests/templates/template-negative-serial.tmpl [new file with mode: 0644]

index de774532dbbd91cf721f29b0737e3e47d495a88b..f419c705123f8bdfdf16f286837f9d6a75345c9b 100644 (file)
@@ -102,7 +102,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
        data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem \
        templates/template-no-ca-honor.tmpl templates/template-no-ca-explicit.tmpl \
        data/crq-cert-no-ca-explicit.pem data/crq-cert-no-ca-honor.pem data/commonName.cer \
-       templates/simple-policy.tmpl data/simple-policy.pem
+       templates/simple-policy.tmpl data/simple-policy.pem templates/template-negative-serial.tmpl
 
 dist_check_SCRIPTS = pathlen.sh aki.sh invalid-sig.sh email.sh \
        pkcs7.sh pkcs7-broken-sigs.sh privkey-import.sh name-constraints.sh certtool-long-cn.sh crl.sh provable-privkey.sh \
@@ -112,7 +112,8 @@ dist_check_SCRIPTS = pathlen.sh aki.sh invalid-sig.sh email.sh \
        pkcs12.sh certtool-crl-decoding.sh pkcs12-encode.sh pkcs12-corner-cases.sh inhibit-anypolicy.sh \
        smime.sh cert-time.sh alt-chain.sh pkcs7-list-sign.sh pkcs7-eddsa.sh certtool-ecdsa.sh \
        key-id.sh pkcs8.sh pkcs8-decode.sh ecdsa.sh illegal-rsa.sh pkcs8-invalid.sh key-invalid.sh \
-       pkcs8-eddsa.sh certtool-subca.sh certtool-verify-profiles.sh x509-duplicate-ext.sh x25519-and-x448.sh
+       pkcs8-eddsa.sh certtool-subca.sh certtool-verify-profiles.sh x509-duplicate-ext.sh x25519-and-x448.sh \
+       reject-negative-serial.sh
 
 dist_check_SCRIPTS += key-id.sh ecdsa.sh pkcs8-invalid.sh key-invalid.sh pkcs8-decode.sh pkcs8.sh pkcs8-eddsa.sh \
        certtool-utf8.sh crq.sh
diff --git a/tests/cert-tests/reject-negative-serial.sh b/tests/cert-tests/reject-negative-serial.sh
new file mode 100755 (executable)
index 0000000..9c0bae0
--- /dev/null
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# Copyright (C) 2023 Elias Gustafsson
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>
+
+#set -e
+
+srcdir=.
+CERTTOOL=../../src/certtool${EXEEXT}
+OUTFILE=out.$$.tmp
+SERIAL_NUMBER=0xf12345
+TMPFILE=tmp-negative-serial.pem.$$.tmp
+
+if ! test -x "${CERTTOOL}"; then
+       exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+       VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+${VALGRIND} "${CERTTOOL}" --generate-self-signed \
+    --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \
+    --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
+    --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
+    --template "${srcdir}/templates/template-negative-serial.tmpl" \
+    --outfile ${TMPFILE}
+rc=$?
+
+rm ${TMPFILE}
+
+if test "${rc}" = "0";then
+       echo "negative serial number was accepted"
+       exit 1
+fi
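Review bot: The pass condition at the end of the hunk treats any non-zero certtool exit as success, so a missing fixture makes the test pass vacuously — and `srcdir=.` is assigned unconditionally, so in a VPATH build where the harness exports `srcdir` the template path will not resolve and certtool fails for the wrong reason. I would use `: ${srcdir=.}`, skip with 77 when the key or template is absent, capture stderr into `OUTFILE` (declared but never used, as is `SERIAL_NUMBER`, whose value does not even match the template's serial) and check that the failure actually mentions the serial; the exact message certtool prints for this case is not visible here, so the grep pattern below has to be adjusted to it. `rm ${TMPFILE}` should also become `rm -f -- "${TMPFILE}"`, since on the expected path no output file was written and the bare rm just adds noise to the log.
```shell
# Respect srcdir exported by the harness (VPATH builds); default to . otherwise.
: ${srcdir=.}
CERTTOOL=../../src/certtool${EXEEXT}
OUTFILE=out.$$.tmp
TMPFILE=tmp-negative-serial.pem.$$.tmp
KEYFILE="${srcdir}/../../doc/credentials/x509/key-rsa.pem"
TEMPLATE="${srcdir}/templates/template-negative-serial.tmpl"

# … unchanged: certtool executable check, VALGRIND setup …

# Skip instead of passing vacuously when a fixture is missing.
for f in "${KEYFILE}" "${TEMPLATE}"; do
	test -f "${f}" || exit 77
done

${VALGRIND} "${CERTTOOL}" --generate-self-signed \
    --load-privkey "${KEYFILE}" \
    --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \
    --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \
    --template "${TEMPLATE}" \
    --outfile "${TMPFILE}" 2>"${OUTFILE}"
rc=$?

# On the expected path certtool wrote nothing, so do not fail on a missing file.
rm -f -- "${TMPFILE}"

if test "${rc}" = "0"; then
	echo "negative serial number was accepted"
	rm -f -- "${OUTFILE}"
	exit 1
fi

# certtool must have refused the *serial*, not tripped over something else.
# TODO: tighten the pattern to the exact message certtool emits for this case.
if ! grep -qi "serial" "${OUTFILE}"; then
	echo "certtool failed for an unexpected reason:"
	cat "${OUTFILE}"
	rm -f -- "${OUTFILE}"
	exit 1
fi
rm -f -- "${OUTFILE}"
```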
diff --git a/tests/cert-tests/templates/template-negative-serial.tmpl b/tests/cert-tests/templates/template-negative-serial.tmpl
new file mode 100644 (file)
index 0000000..b000820
--- /dev/null
@@ -0,0 +1,99 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Koko inc."
+
+# The organizational unit of the subject.
+unit = "sleeping dept."
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = GR
+
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
+
+# A user id of the certificate owner.
+uid = "clauper"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+dn_oid = 2.5.4.12 Dr.
+dn_oid = 2.5.4.65 jackal
+
+# This is deprecated and should not be used in new
+# certificates.
+pkcs9_email = "none@none.org"
+
+# The serial number of the certificate
+serial = 0xf1234567890123456789
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 2590
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+dns_name = "www.none.org"
+dns_name = "www.morethanone.org"
+
+# An IP address in case of a server.
+ip_address = "192.168.1.1"
+
+dns_name = "www.evenmorethanone.org"
+
+# An email in case of a person
+email = "none@none.org"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+crl_dist_points = "http://www.getcrl.crl/getcrl1/"
+crl_dist_points = "http://www.getcrl.crl/getcrl2/"
+crl_dist_points = "http://www.getcrl.crl/getcrl3/"
+
+email = "where@none.org"
+
+# Whether this is a CA certificate or not
+ca
+
+# Whether this certificate will be used for a TLS client
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server
+#tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing.
+#encryption_key
+
+# Whether this key will be used to sign other certificates.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+#time_stamping_key
+
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
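Review bot: The `serial =` line is the whole point of this fixture, but the comment above it does not say why this particular value was chosen: its leading byte 0xf1 has the high bit set, so encoded as a DER INTEGER without a leading zero octet it is a negative number, which RFC 5280 §4.1.2.2 forbids — presumably exactly what the new check is meant to reject. I would make that explicit so nobody later "fixes" the value into a positive one and silently neuters the test: `# Deliberately invalid: the leading byte 0xf1 has its high bit set, so this` / `# encodes as a negative DER INTEGER (RFC 5280 4.1.2.2 requires a positive serial).` The rest of the template (DN, SANs, CRL distribution points, key usage bits) looks copied from the generic test template and is not needed to exercise the serial check; trimming it would make the fixture's intent clearer, though leaving it is harmless.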