tests: added check for the krb5_principal template optionkrb5

4 files changed, 201 insertions, 2 deletions

diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index a6d1ac844a..497138e6f1 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -36,7 +36,8 @@ EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem aki-cert.pem \
 	name-constraints-ip.pem cert-invalid-utf8.der very-long-dn.pem \
 	provable3072.pem provable2048.pem provable-dsa2048.pem provable-dsa2048-fips.pem \
 	template-unique.tmpl template-unique.pem template-othername.tmpl template-othername.pem \
-	template-othername-xmpp.tmpl template-othername-xmpp.pem
+	template-othername-xmpp.tmpl template-othername-xmpp.pem template-krb5name.tmpl \
+	template-krb5name.pem
 
 dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
 	pkcs7 privkey-import name-constraints certtool-long-cn crl provable-privkey
@@ -50,7 +51,7 @@ dist_check_SCRIPTS += crq
 endif
 
 if !WINDOWS
-dist_check_SCRIPTS += template-test pem-decoding othername-test
+dist_check_SCRIPTS += template-test pem-decoding othername-test krb5-test
 endif
 
 if ENABLE_DANE
diff --git a/tests/cert-tests/krb5-test b/tests/cert-tests/krb5-test
new file mode 100755
index 0000000000..4df9a4a01d
--- /dev/null
+++ b/tests/cert-tests/krb5-test
@@ -0,0 +1,107 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+OUTFILE=tmp-krb5name.pem
+TMPLFILE=tmp-krb5name.tmpl
+
+export TZ="UTC"
+
+# Check for datefudge
+TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
+if test "$TSTAMP" != "1158969600"; then
+	echo $TSTAMP
+	echo "You need datefudge to run this test"
+	exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=3"
+fi
+
+# Note that in rare cases this test may fail because the
+# time set using datefudge could have changed since the generation
+# (if example the system was busy)
+
+rc=1
+counter=1
+
+while [ "${rc}" != "0" -a $counter -le 3 ]; do
+	datefudge "2007-04-22" \
+	"${CERTTOOL}" --generate-self-signed \
+		--load-privkey "${srcdir}/template-test.key" \
+		--template "${srcdir}/template-krb5name.tmpl" \
+		--outfile ${OUTFILE} 2>/dev/null
+
+	${DIFF} "${srcdir}/template-krb5name.pem" ${OUTFILE} >/dev/null 2>&1
+	rc=$?
+	test ${rc} != 0 && sleep 3
+	counter=`expr $counter + 1`
+done
+
+# We're done.
+if test "${rc}" != "0"; then
+	echo "Test 1 failed"
+	exit ${rc}
+fi
+
+# Negative tests. Check against values which may cause problems
+cp template-krb5name.tmpl ${TMPLFILE}
+echo "krb5_principal = 'xxxxxxxxxxxxxx'" >>${TMPLFILE}
+
+datefudge "2007-04-22" \
+${VALGRIND} "${CERTTOOL}" --generate-self-signed \
+		--load-privkey "${srcdir}/template-test.key" \
+		--template ${TMPLFILE} \
+		--outfile ${OUTFILE} 2>/dev/null
+
+rc=$?
+
+# We're done.
+if test "${rc}" != "1"; then
+	echo "Negative Test 1 failed"
+	exit ${rc}
+fi
+
+cp template-krb5name.tmpl ${TMPLFILE}
+echo "krb5_principal = 'comp1/comp2/comp3/comp4/comp5/comp6/comp7/comp8/comp9/comp10@REALM.COM'" >>${TMPLFILE}
+
+datefudge "2007-04-22" \
+${VALGRIND} "${CERTTOOL}" --generate-self-signed \
+		--load-privkey "${srcdir}/template-test.key" \
+		--template ${TMPLFILE} \
+		--outfile ${OUTFILE} 2>/dev/null
+
+rc=$?
+
+# We're done.
+if test "${rc}" != "1"; then
+	echo "Negative Test 2 failed"
+	exit ${rc}
+fi
+
+rm -f ${OUTFILE}
+rm -f ${TMPLFILE}
+
+exit 0
diff --git a/tests/cert-tests/template-krb5name.pem b/tests/cert-tests/template-krb5name.pem
new file mode 100644
index 0000000000..3ee569dd43
--- /dev/null
+++ b/tests/cert-tests/template-krb5name.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5DCCA02gAwIBAgIBBzANBgkqhkiG9w0BAQsFADBbMQwwCgYDVQQDEwNOaWsx
+DzANBgNVBAgTBkF0dGlraTELMAkGA1UEBhMCR1IxGjAYBgNVBAQTEU1hdnJvZ2lh
+bm5vcG91bG9zMREwDwYDVQQJEwhBcmthZGlhczAeFw0wNzA0MjIwMDAwMDBaFw0x
+NDA1MjUwMDAwMDBaMFsxDDAKBgNVBAMTA05pazEPMA0GA1UECBMGQXR0aWtpMQsw
+CQYDVQQGEwJHUjEaMBgGA1UEBBMRTWF2cm9naWFubm9wb3Vsb3MxETAPBgNVBAkT
+CEFya2FkaWFzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClxs51Q4S/ZJ4C
+JxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5geHEo49zMtep9y1GttJrAx
+N3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+MxicGnodaa9HAmB6H7noz9vI
+NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4IBtjCCAbIwDwYDVR0TAQH/BAUw
+AwEB/zCCASkGA1UdEQSCASAwggEcghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cE
+wKgBAaA+BgYrBgEFAgKgNDAyoBAbDktFUkJFUk9TLlJFQUxNoR4wHKADAgEKoRUw
+ExsRdXNlckBlbWFpbC5kb21haW6gLAYGKwYBBQICoCIwIKALGwlSRUFMTS5DT02h
+ETAPoAMCAQGhCDAGGwR1c2VyoDIGBisGAQUCAqAoMCagCxsJUkVBTE0uQ09NoRcw
+FaADAgEBoQ4wDBsESFRUUBsEdXNlcqA6BgYrBgEFAgKgMDAuoAsbCVJFQUxNLkNP
+TaEfMB2gAwIBAaEWMBQbBWNvbXAxGwVjb21wMhsEdXNlcoENbm9uZUBub25lLm9y
+Z4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDgYDVR0PAQH/
+BAQDAgYAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAl
+MCOgIaAfhh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0B
+AQsFAAOBgQBgS49vcMkfwOD3RKrIV65yf/tp8O9AYmZaC4iRrJsTIHcbQd3KDm72
+FptWb/dYVxBCBHKYeAPaSMMPm/6bPFScXPkfeDKQIwQP/aBNnv+ih1hcoNWAcOfW
+ov8hAz53V2jqpiH3Z46a32MS8X54faxt61Ofzv4YYRiKK2U1KG/Vew==
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/template-krb5name.tmpl b/tests/cert-tests/template-krb5name.tmpl
new file mode 100644
index 0000000000..8fe1e14598
--- /dev/null
+++ b/tests/cert-tests/template-krb5name.tmpl
@@ -0,0 +1,68 @@
+# X.509 Certificate options
+#
+# DN options
+
+dn = "cn=Nik,st=Attiki,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
+
+# The serial number of the certificate
+serial = 7
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 2590
+
+# X.509 v3 extensions
+
+krb5_principal = user@email.domain@KERBEROS.REALM
+krb5_principal = user@REALM.COM
+krb5_principal = HTTP/user@REALM.COM
+krb5_principal = comp1/comp2/user@REALM.COM
+
+# An IP address in case of a server.
+ip_address = "192.168.1.1"
+
+dns_name = "www.evenmorethanone.org"
+
+# An email in case of a person
+email = "none@none.org"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+crl_dist_points = "http://www.getcrl.crl/getcrl/"
+
+email = "where@none.org"
+
+# Whether this is a CA certificate or not
+ca
+
+# Whether this certificate will be used for a TLS client
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server
+#tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing.
+#encryption_key
+
+# Whether this key will be used to sign other certificates.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+#time_stamping_key
+
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key