From: Nikos Mavrogiannopoulos Date: Mon, 11 Jul 2016 14:13:12 +0000 (+0200) Subject: tests: added checks on certificate and request generation with arbitrary extensions X-Git-Tag: gnutls_3_5_3~133 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=f6309aabe48c89a167241ab73d33ff7cf4e289ca;p=thirdparty%2Fgnutls.git tests: added checks on certificate and request generation with arbitrary extensions This tests the add_extension and add_critical_extension options of certtool. --- diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 77519f8761..87d372b6cd 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -47,7 +47,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/name-constraints-ip2.pem data/chain-md5.pem data/gost-cert.pem \ templates/template-tlsfeature.tmpl \ data/template-tlsfeature.pem data/template-tlsfeature.csr \ - templates/template-tlsfeature-crq.tmpl + templates/template-tlsfeature-crq.tmpl templates/arb-extensions.tmpl data/arb-extensions.pem \ + data/arb-extensions.csr dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ @@ -63,7 +64,7 @@ endif if !WINDOWS dist_check_SCRIPTS += template-test pem-decoding othername-test krb5-test sha3-test md5-test \ - tlsfeature-test + tlsfeature-test template-exts-test endif if ENABLE_DANE diff --git a/tests/cert-tests/data/arb-extensions.csr b/tests/cert-tests/data/arb-extensions.csr new file mode 100644 index 0000000000..b9e2e0a3f8 --- /dev/null +++ b/tests/cert-tests/data/arb-extensions.csr 
@@ -0,0 +1,64 @@ +PKCS #10 Certificate Request Information: + Version: 1 + Subject: CN=Cindy Lauper,OU=sleeping dept.,O=Koko inc.,ST=Attiki,C=GR,UID=clauper + Subject Public Key Algorithm: RSA + Modulus (bits 1024): + 00:a5:c6:ce:75:43:84:bf:64:9e:02:27:13:f1:03:59 + f7:79:2d:92:ed:7c:2f:50:a4:03:f1:2d:79:b9:86:8b + 05:7e:3a:bb:44:aa:af:84:cf:13:98:1e:1c:4a:38:f7 + 33:2d:7a:9f:72:d4:6b:6d:26:b0:31:37:70:10:fb:42 + e9:d8:9d:18:65:7e:19:49:fc:05:96:04:68:83:1e:77 + 86:bf:ed:f5:e5:12:3b:13:fe:33:18:9c:1a:7a:1d:69 + af:47:02:60:7a:1f:b9:e8:cf:db:c8:34:30:51:96:3d + 8c:96:5c:00:bc:61:de:08:0f:b1:36:21:7f:a9:00:e3 + 05 + Exponent (bits 24): + 01:00:01 + Signature Algorithm: RSA-SHA256 + Attributes: + Extensions: + Unknown extension 1.2.3.4 (not critical): + ASCII: ........... + Hexdump: 0001020304050607aaabcd + Unknown extension 5.6.7.8 (not critical): + ASCII: ........... + Hexdump: 0001020304050607aaabcd + Unknown extension 1.2.3.4.5.6.7 (not critical): + ASCII: .4.Z.e.'.~.G.... + Hexdump: 1d34cd5ad065dc27c17e9447b0aaaca7 + Unknown extension 1.2.3.4294967295.7 (not critical): + ASCII: ...A?....J.K..l|...4..~.L..&.ap.E........}!'...s.....b=...K..6Sb.4.Z.e.'.~.G.... + Hexdump: 178f0e413f041cc9d64af64bf3b66c7ceac6fa34a4d77ed64c968b26c761709445f40d9ca0a00091af7d212789c00b7387b1d0d7ab623dd4029d4b86db3653621d34cd5ad065dc27c17e9447b0aaaca7 + Unknown extension 1.2.6710656.7 (not critical): + ASCII: .J.K..l|...4..~.L..&.ap.E........}!'...s.....b=...K..6Sb.4.Z.e.'.~.G.... + Hexdump: d64af64bf3b66c7ceac6fa34a4d77ed64c968b26c761709445f40d9ca0a00091af7d212789c00b7387b1d0d7ab623dd4029d4b86db3653621d34cd5ad065dc27c17e9447b0aaaca7 + Unknown extension 2.34.11.12.13.14.15.16.17.1.5 (critical): + ASCII: .. + Hexdump: cafe + Basic Constraints (critical): + Certificate Authority (CA): FALSE + Key Usage (critical): + Digital signature. 
+Other Information: + Public Key ID: + 5d40adf0ce9440958b7e99941d925422ca72365f + +-----BEGIN NEW CERTIFICATE REQUEST----- +MIIC/jCCAmcCAQAwezEVMBMGA1UEAxMMQ2luZHkgTGF1cGVyMRcwFQYDVQQLEw5z +bGVlcGluZyBkZXB0LjESMBAGA1UEChMJS29rbyBpbmMuMQ8wDQYDVQQIEwZBdHRp +a2kxCzAJBgNVBAYTAkdSMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEApcbOdUOEv2SeAicT8QNZ93ktku18L1CkA/Et +ebmGiwV+OrtEqq+EzxOYHhxKOPczLXqfctRrbSawMTdwEPtC6didGGV+GUn8BZYE +aIMed4a/7fXlEjsT/jMYnBp6HWmvRwJgeh+56M/byDQwUZY9jJZcALxh3ggPsTYh +f6kA4wUCAwEAAaCCAUEwggE9BgkqhkiG9w0BCQ4xggEuMIIBKjASBgMqAwQECwAB +AgMEBQYHqqvNMBIGA84HCAQLAAECAwQFBgeqq80wGgYGKgMEBQYHBBAdNM1a0GXc +J8F+lEewqqynMFwGCCoDj////38HBFAXjw5BPwQcydZK9kvztmx86sb6NKTXftZM +losmx2FwlEX0DZygoACRr30hJ4nAC3OHsdDXq2I91AKdS4bbNlNiHTTNWtBl3CfB +fpRHsKqspzBSBgYqg5nLAAcESNZK9kvztmx86sb6NKTXftZMlosmx2FwlEX0DZyg +oACRr30hJ4nAC3OHsdDXq2I91AKdS4bbNlNiHTTNWtBl3CfBfpRHsKqspzATBgpy +CwwNDg8QEQEFAQH/BALK/jAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAw +DQYJKoZIhvcNAQELBQADgYEAlL46Xhzomx9EkuBf2djeBEK8P3xx+5HSTcu2F/38 +D1F+VLNfvifFVcT9CgGz+xMGtXYzqyfeZ/FVGgZlIc4bZFML1A5DvdqpQUcqGFZZ +sJdulRiQ9fhMUz1qwgovX7/Zpm+Xgfup++wPwyEFI3yu1mt6Krd3CY5o7woxUC28 +u5U= +-----END NEW CERTIFICATE REQUEST----- diff --git a/tests/cert-tests/data/arb-extensions.pem b/tests/cert-tests/data/arb-extensions.pem new file mode 100644 index 0000000000..32372d6619 --- /dev/null +++ b/tests/cert-tests/data/arb-extensions.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqjCCAxOgAwIBAgIBCTANBgkqhkiG9w0BAQsFADB7MRUwEwYDVQQDEwxDaW5k +eSBMYXVwZXIxFzAVBgoJkiaJk/IsZAEBEwdjbGF1cGVyMRcwFQYDVQQLEw5zbGVl +cGluZyBkZXB0LjESMBAGA1UEChMJS29rbyBpbmMuMQ8wDQYDVQQIEwZBdHRpa2kx +CzAJBgNVBAYTAkdSMB4XDTA3MDQyMjAwMDAwMFoXDTE0MDUyNTAwMDAwMFowezEV +MBMGA1UEAxMMQ2luZHkgTGF1cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjEX +MBUGA1UECxMOc2xlZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0G +A1UECBMGQXR0aWtpMQswCQYDVQQGEwJHUjCBnzANBgkqhkiG9w0BAQEFAAOBjQAw +gYkCgYEApcbOdUOEv2SeAicT8QNZ93ktku18L1CkA/EtebmGiwV+OrtEqq+EzxOY +HhxKOPczLXqfctRrbSawMTdwEPtC6didGGV+GUn8BZYEaIMed4a/7fXlEjsT/jMY +nBp6HWmvRwJgeh+56M/byDQwUZY9jJZcALxh3ggPsTYhf6kA4wUCAwEAAaOCATww +ggE4MBIGAyoDBAQLAAECAwQFBgeqq80wEgYDzgcIBAsAAQIDBAUGB6qrzTAaBgYq +AwQFBgcEEB00zVrQZdwnwX6UR7CqrKcwXAYIKgOP////fwcEUBePDkE/BBzJ1kr2 +S/O2bHzqxvo0pNd+1kyWiybHYXCURfQNnKCgAJGvfSEnicALc4ex0NerYj3UAp1L +hts2U2IdNM1a0GXcJ8F+lEewqqynMFIGBiqDmcsABwRI1kr2S/O2bHzqxvo0pNd+ +1kyWiybHYXCURfQNnKCgAJGvfSEnicALc4ex0NerYj3UAp1Lhts2U2IdNM1a0GXc +J8F+lEewqqynMBMGCnILDA0ODxARAQUBAf8EAsr+MAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMA0GCSqGSIb3DQEBCwUAA4GBAInQ +3geT53qgMB3Iix5rlpEAceXBkhmWND5eQhkAo9rEq/6rIubfvxrVM02XpFGFA7qU +Es+19M0Hwf7LXdQRtJtGW2LXaqSQoXp/PL7FXbZUC9J11oOno1wuJhw6/Z4nKm2U +5GgZbAlpJ7y0hwBunlZqF1viU9awFclhFbnVVRcG +-----END CERTIFICATE----- diff --git a/tests/cert-tests/template-exts-test b/tests/cert-tests/template-exts-test new file mode 100755 index 0000000000..219cfdbc8d --- /dev/null +++ b/tests/cert-tests/template-exts-test 
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# Copyright (C) 2006-2012 Free Software Foundation, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+OUTFILE="exts.$$.tmp"
+
+export TZ="UTC"
+
+. ${srcdir}/../scripts/common.sh
+
+check_for_datefudge
+
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-self-signed \
+ --load-privkey "${srcdir}/data/template-test.key" \
+ --template "${srcdir}/templates/arb-extensions.tmpl" \
+ --outfile $OUTFILE #2>/dev/null
+
+${DIFF} "${srcdir}/data/arb-extensions.pem" $OUTFILE #>/dev/null 2>&1
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test with crt failed"
+ exit ${rc}
+fi
+
+rm -f "$OUTFILE"
+
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-request \
+ --load-privkey "${srcdir}/data/template-test.key" \
+ --template "${srcdir}/templates/arb-extensions.tmpl" \
+ 2>/dev/null | grep -v "Algorithm Security Level" >$OUTFILE
+
+${DIFF} "${srcdir}/data/arb-extensions.csr" $OUTFILE #>/dev/null 2>&1
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Test with crq failed"
+ exit ${rc}
+fi
+
+rm -f "$OUTFILE"
+
+exit 0
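Review bot: Neither certtool invocation has its exit status checked: `set -e` is commented out, the first call's status is discarded before `${DIFF}` runs, and in the request case the pipeline returns only grep's status while `2>/dev/null` drops the tool's diagnostics. A certtool error or crash therefore surfaces only as a diff mismatch with no message; consider `|| { echo "certtool failed"; exit 1; }` after the first call and sending stderr to a log file rather than `/dev/null` in the second. `$OUTFILE` and the `${srcdir}` in `. ${srcdir}/../scripts/common.sh` are unquoted, so a source path containing spaces breaks the script; `. "${srcdir}/../scripts/common.sh"` and `"$OUTFILE"` fix that. Both `exit ${rc}` paths also leave `exts.$$.tmp` behind in the working directory, which may be intended for debugging but deserves a comment saying so.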
diff --git a/tests/cert-tests/templates/arb-extensions.tmpl b/tests/cert-tests/templates/arb-extensions.tmpl
new file mode 100644
index 0000000000..698c1114fe
--- /dev/null
+++ b/tests/cert-tests/templates/arb-extensions.tmpl
@@ -0,0 +1,34 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Koko inc."
+
+# The organizational unit of the subject.
+unit = "sleeping dept."
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = GR
+
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
+
+# A user id of the certificate owner.
+uid = "clauper"
+
+serial = 9
+expiration_days = 2590
+
+add_extension = "1.2.3.4 0001020304050607AAABCD"
+add_extension = "5.6.7.8 0x0001020304050607AAABCD"
+add_extension = "1.2.3.4.5.6.7 1d34cd5ad065dc27c17e9447b0aaaca7"
+add_extension = "1.2.3.4294967295.7 178f0e413f041cc9d64af64bf3b66c7ceac6fa34a4d77ed64c968b26c761709445f40d9ca0a00091af7d212789c00b7387b1d0d7ab623dd4029d4b86db3653621d34cd5ad065dc27c17e9447b0aaaca7"
+add_critical_extension = "9.10.11.12.13.14.15.16.17.1.5 CAFE"
+add_extension = "1.2.6710656.7 d64af64bf3b66c7ceac6fa34a4d77ed64c968b26c761709445f40d9ca0a00091af7d212789c00b7387b1d0d7ab623dd4029d4b86db3653621d34cd5ad065dc27c17e9447b0aaaca7"
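Review bot: The `add_critical_extension = "9.10.11.12.13.14.15.16.17.1.5 CAFE"` line uses an OID whose first arc is 9, while the expected output in data/arb-extensions.csr lists the same extension as `2.34.11.12.13.14.15.16.17.1.5`, so the fixture pins a silently altered OID rather than the one requested. Only 0, 1 and 2 are valid first arcs, and the change is presumably the first-octet value 9*40+10 wrapping to one byte, though the encoder is not visible in this commit. If that is the intended behaviour under test, say so above the line, e.g. `# first arc 9 is not a valid OID; certtool is expected to emit this as 2.34...`. Otherwise use a valid critical OID here and cover the invalid input with a separate test that expects certtool to reject it, since a critical extension issued under an OID other than the one configured is easy to miss in review.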