tests/cert-tests: test a policy without any policyQualifiers.
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Mon, 17 May 2021 17:20:26 +0000 (13:20 -0400)
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Mon, 17 May 2021 17:25:03 +0000 (13:25 -0400)
Ensure that a policy without policyQualifiers gets created with an
omitted sequence of qualifiers, rather than an empty sequence of
qualifiers.

We use NIST's test policy OID for this test.

This tests the fix for #1238.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
tests/cert-tests/Makefile.am
tests/cert-tests/data/simple-policy.pem [new file with mode: 0644]
tests/cert-tests/template-policy-test.sh [new file with mode: 0755]
tests/cert-tests/templates/simple-policy.tmpl [new file with mode: 0644]

index 80f7a8611bfe1cd49e531ce45ceb56d4b1cc144b..58041a95677a97ac202e928c10a8315a54f15fa9 100644 (file)
@@ -101,7 +101,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
        data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem \
        data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem \
        templates/template-no-ca-honor.tmpl templates/template-no-ca-explicit.tmpl \
-       data/crq-cert-no-ca-explicit.pem data/crq-cert-no-ca-honor.pem data/commonName.cer
+       data/crq-cert-no-ca-explicit.pem data/crq-cert-no-ca-honor.pem data/commonName.cer \
+       templates/simple-policy.tmpl data/simple-policy.pem
 
 dist_check_SCRIPTS = pathlen.sh aki.sh invalid-sig.sh email.sh \
        pkcs7.sh pkcs7-broken-sigs.sh privkey-import.sh name-constraints.sh certtool-long-cn.sh crl.sh provable-privkey.sh \
@@ -128,7 +129,8 @@ endif
 
 if !WINDOWS
 dist_check_SCRIPTS += template-test.sh pem-decoding.sh othername-test.sh krb5-test.sh sha3-test.sh md5-test.sh \
-       tlsfeature-test.sh template-exts-test.sh pkcs1-pad.sh pkcs12-utf8.sh rsa-pss-pad.sh dsa.sh certtool.sh
+       tlsfeature-test.sh template-exts-test.sh pkcs1-pad.sh pkcs12-utf8.sh rsa-pss-pad.sh dsa.sh certtool.sh \
+       template-policy-test.sh
 endif
 
 if ENABLE_DANE
diff --git a/tests/cert-tests/data/simple-policy.pem b/tests/cert-tests/data/simple-policy.pem
new file mode 100644 (file)
index 0000000..0f3a506
--- /dev/null
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/template-policy-test.sh b/tests/cert-tests/template-policy-test.sh
new file mode 100755 (executable)
index 0000000..9954341
--- /dev/null
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# Copyright (C) 2021 Free Software Foundation, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+: ${srcdir=.}
+: ${CERTTOOL=../../src/certtool${EXEEXT}}
+: ${DIFF=diff}
+OUTCERT="policy-cert.$$.tmp"
+
+if ! test -x "${CERTTOOL}"; then
+       exit 77
+fi
+
+export TZ="UTC"
+
+. ${srcdir}/../scripts/common.sh
+
+skip_if_no_datefudge
+
+datefudge -s "2007-04-22" \
+       "${CERTTOOL}" --generate-self-signed \
+               --load-privkey "${srcdir}/data/template-test.key" \
+               --template "${srcdir}/templates/simple-policy.tmpl" \
+               --outfile $OUTCERT #2>/dev/null
+
+${DIFF} "${srcdir}/data/simple-policy.pem" $OUTCERT #>/dev/null 2>&1
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+       echo "Test with simple policy failed"
+       exit ${rc}
+fi
+
+rm -f "$OUTCERT"
+
+exit 0
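Review bot: The exit status of the `datefudge … "${CERTTOOL}" --generate-self-signed` call is never checked and `set -e` is commented out, so a certtool failure only shows up indirectly as a `${DIFF}` error on a missing file, reported with the generic "Test with simple policy failed" message. Capture it right after the command, e.g. `rc=$?; test "${rc}" = "0" || { echo "certtool failed to generate the certificate"; exit ${rc}; }`. The failure branch also exits before `rm -f "$OUTCERT"`, leaving `policy-cert.$$.tmp` in the build directory; if that is not kept on purpose for debugging, `trap 'rm -f "$OUTCERT"' EXIT` placed after the assignment would clean up on both paths. `$OUTCERT` on the `--outfile` and `${DIFF}` lines and `${srcdir}` on the `.` line are unquoted, unlike the other expansions in the script, and the trailing `#2>/dev/null` and `#>/dev/null 2>&1` remnants should either be removed or explained in a comment.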
diff --git a/tests/cert-tests/templates/simple-policy.tmpl b/tests/cert-tests/templates/simple-policy.tmpl
new file mode 100644 (file)
index 0000000..2077186
--- /dev/null
@@ -0,0 +1,30 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Koko inc."
+
+# The organizational unit of the subject.
+unit = "sleeping dept."
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = GR
+
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
+
+# A user id of the certificate owner.
+uid = "clauper"
+
+serial = 10
+expiration_days = 2590
+
+policy1 = 2.16.840.1.101.3.2.1.48.1
+# no policy1_txt or policy1_url to verify #1238