authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-30 12:35:45 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-30 12:38:33 +0200
commit0767d02d7459ebad93e061b5b509dead59f68609 (patch)
tree64d407648ac211a2f24e584825f63a918c2499c1
parent571e87e946b2312b3ec70171f2bc8c1cb429f59a (diff)
downloadgnutls-0767d02d7459ebad93e061b5b509dead59f68609.tar.gz
tests: check the generation and printing of TLS feature PKIX extension
-rw-r--r--tests/cert-tests/Makefile.am6
-rw-r--r--tests/cert-tests/template-tlsfeature.csr58
-rw-r--r--tests/cert-tests/template-tlsfeature.pem25
-rw-r--r--tests/cert-tests/template-tlsfeature.tmpl102
-rwxr-xr-xtests/cert-tests/tlsfeature-test158
5 files changed, 347 insertions, 2 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 97b08874bf..1c54779baf 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -39,7 +39,8 @@ EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem aki-cert.pem \
template-othername-xmpp.tmpl template-othername-xmpp.pem template-krb5name.tmpl \
template-krb5name.pem template-krb5name-full.pem template-test-ecc.key \
template-rsa-sha3-256.pem template-rsa-sha3-512.pem template-rsa-sha3-224.pem template-rsa-sha3-384.pem \
- name-constraints-ip2.pem chain-md5.pem gost-cert.pem
+ name-constraints-ip2.pem chain-md5.pem gost-cert.pem template-tlsfeature.tmpl \
+ template-tlsfeature.pem template-tlsfeature.csr
dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
@@ -54,7 +55,8 @@ dist_check_SCRIPTS += crq
endif
if !WINDOWS
-dist_check_SCRIPTS += template-test pem-decoding othername-test krb5-test sha3-test md5-test
+dist_check_SCRIPTS += template-test pem-decoding othername-test krb5-test sha3-test md5-test \
+ tlsfeature-test
endif
if ENABLE_DANE
diff --git a/tests/cert-tests/template-tlsfeature.csr b/tests/cert-tests/template-tlsfeature.csr
new file mode 100644
index 0000000000..b59b068465
--- /dev/null
+++ b/tests/cert-tests/template-tlsfeature.csr
@@ -0,0 +1,58 @@
+PKCS #10 Certificate Request Information:
+ Version: 1
+ Subject: CN=Cindy Lauper,OU=sleeping dept.,O=Koko inc.,ST=Attiki,C=GR,UID=clauper,title=Dr.,pseudonym=jackal
+ Subject Public Key Algorithm: RSA
+ Algorithm Security Level: Low (1024 bits)
+ Modulus (bits 1024):
+ 00:a5:c6:ce:75:43:84:bf:64:9e:02:27:13:f1:03:59
+ f7:79:2d:92:ed:7c:2f:50:a4:03:f1:2d:79:b9:86:8b
+ 05:7e:3a:bb:44:aa:af:84:cf:13:98:1e:1c:4a:38:f7
+ 33:2d:7a:9f:72:d4:6b:6d:26:b0:31:37:70:10:fb:42
+ e9:d8:9d:18:65:7e:19:49:fc:05:96:04:68:83:1e:77
+ 86:bf:ed:f5:e5:12:3b:13:fe:33:18:9c:1a:7a:1d:69
+ af:47:02:60:7a:1f:b9:e8:cf:db:c8:34:30:51:96:3d
+ 8c:96:5c:00:bc:61:de:08:0f:b1:36:21:7f:a9:00:e3
+ 05
+ Exponent (bits 24):
+ 01:00:01
+ Signature Algorithm: RSA-SHA256
+ Attributes:
+ Extensions:
+ Subject Alternative Name (not critical):
+ DNSname: www.none.org
+ DNSname: www.morethanone.org
+ DNSname: www.evenmorethanone.org
+ IPAddress: 192.168.1.1
+ RFC822Name: none@none.org
+ RFC822Name: where@none.org
+ Basic Constraints (critical):
+ Certificate Authority (CA): TRUE
+ Key Purpose (critical):
+ OCSP signing.
+ Key Usage (critical):
+ Digital signature.
+ Certificate signing.
+ TLS Features (not critical):
+ Status Request(5)
+ 17
+Other Information:
+ Public Key ID:
+ 5d40adf0ce9440958b7e99941d925422ca72365f
+
+-----BEGIN NEW CERTIFICATE REQUEST-----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+-----END NEW CERTIFICATE REQUEST-----
diff --git a/tests/cert-tests/template-tlsfeature.pem b/tests/cert-tests/template-tlsfeature.pem
new file mode 100644
index 0000000000..23ba2886a1
--- /dev/null
+++ b/tests/cert-tests/template-tlsfeature.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/template-tlsfeature.tmpl b/tests/cert-tests/template-tlsfeature.tmpl
new file mode 100644
index 0000000000..7a03b49afb
--- /dev/null
+++ b/tests/cert-tests/template-tlsfeature.tmpl
@@ -0,0 +1,102 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Koko inc."
+
+# The organizational unit of the subject.
+unit = "sleeping dept."
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = GR
+
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
+
+# A user id of the certificate owner.
+uid = "clauper"
+
+tls_feature = 5
+tls_feature = 17
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+dn_oid = 2.5.4.12 Dr.
+dn_oid = 2.5.4.65 jackal
+
+# This is deprecated and should not be used in new
+# certificates.
+pkcs9_email = "none@none.org"
+
+# The serial number of the certificate
+serial = 7
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 2590
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+dns_name = "www.none.org"
+dns_name = "www.morethanone.org"
+
+# An IP address in case of a server.
+ip_address = "192.168.1.1"
+
+dns_name = "www.evenmorethanone.org"
+
+# An email in case of a person
+email = "none@none.org"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+crl_dist_points = "http://www.getcrl.crl/getcrl1/"
+crl_dist_points = "http://www.getcrl.crl/getcrl2/"
+crl_dist_points = "http://www.getcrl.crl/getcrl3/"
+
+email = "where@none.org"
+
+# Whether this is a CA certificate or not
+ca
+
+# Whether this certificate will be used for a TLS client
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server
+#tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing.
+#encryption_key
+
+# Whether this key will be used to sign other certificates.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+#time_stamping_key
+
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
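Review bot: The two `tls_feature = 5` / `tls_feature = 17` lines are the only options in this template without an explanatory comment, even though they are the reason the fixture exists; every other option in the file carries one. A comment along the lines of `# TLS feature (RFC 7633) extension values: 5 = status_request (certtool prints it as "Status Request(5)"), 17 = presumably status_request_v2` would tell a reader why these particular numbers were chosen. The `5` label is confirmed by the committed .csr dump; the meaning of `17` is not visible anywhere in this commit and should be checked against the TLS ExtensionType registry before the comment asserts it.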
diff --git a/tests/cert-tests/tlsfeature-test b/tests/cert-tests/tlsfeature-test
new file mode 100755
index 0000000000..c36cbef619
--- /dev/null
+++ b/tests/cert-tests/tlsfeature-test
@@ -0,0 +1,158 @@
+#!/bin/sh
+
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+TMPFILE=tlsfeature.$$.tmp
+TMPFILE2=tlsfeature-2.$$.tmp
+export TZ="UTC"
+
+# Check for datefudge
+TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
+if test "$TSTAMP" != "1158969600"; then
+ echo $TSTAMP
+ echo "You need datefudge to run this test"
+ exit 77
+fi
+
+#
+# Test certificate generation
+#
+datefudge -s "2007-04-22" \
+"${CERTTOOL}" --generate-self-signed \
+ --load-privkey "${srcdir}/template-test.key" \
+ --template "${srcdir}/template-tlsfeature.tmpl" \
+ --outfile "${TMPFILE}" 2>/dev/null
+rc=$?
+
+${DIFF} "${srcdir}/template-tlsfeature.pem" "${TMPFILE}" >/dev/null 2>&1
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Cert generation test failed"
+ exit ${rc}
+fi
+
+#
+# Test certificate printing
+#
+rm -f "${TMPFILE}"
+rm -f "${TMPFILE2}"
+"${CERTTOOL}" -i \
+ --infile "${srcdir}/template-tlsfeature.pem" --outfile "${TMPFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Cert printing (0) failed"
+ exit ${rc}
+fi
+
+grep -A 2 "TLS Features" "${TMPFILE}" >"${TMPFILE2}" 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Cert printing (1) failed"
+ exit ${rc}
+fi
+
+grep "17" "${TMPFILE2}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Cert printing (1) failed"
+ exit ${rc}
+fi
+
+grep "Status Request(5)" "${TMPFILE2}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Cert printing (2) failed"
+ exit ${rc}
+fi
+
+
+#
+# Test certificate request generation
+#
+
+datefudge -s "2007-04-22" \
+"${CERTTOOL}" --generate-request \
+ --load-privkey "${srcdir}/template-test.key" \
+ --template "${srcdir}/template-tlsfeature.tmpl" \
+ --outfile "${TMPFILE}" 2>/dev/null
+rc=$?
+
+${DIFF} "${srcdir}/template-tlsfeature.csr" "${TMPFILE}" >/dev/null 2>&1
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "CSR generation test failed"
+ exit ${rc}
+fi
+
+#
+# Test certificate request printing
+#
+rm -f "${TMPFILE}"
+rm -f "${TMPFILE2}"
+"${CERTTOOL}" --crq-info \
+ --infile "${srcdir}/template-tlsfeature.csr" --outfile "${TMPFILE}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "CSR printing (0) failed"
+ exit ${rc}
+fi
+
+grep -A 2 "TLS Features" "${TMPFILE}" >"${TMPFILE2}" 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "CSR printing (1) failed"
+ exit ${rc}
+fi
+
+grep "17" "${TMPFILE2}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "CSR printing (1) failed"
+ exit ${rc}
+fi
+
+grep "Status Request(5)" "${TMPFILE2}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "CSR printing (2) failed"
+ exit ${rc}
+fi
+
+
+rm -f "${TMPFILE}"
+rm -f "${TMPFILE2}"
+
+exit 0
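Review bot: The certtool exit status captured by `rc=$?` directly after the `--generate-self-signed` call is never examined — it is overwritten by the `${DIFF}` status two lines later, so a certtool crash or usage error surfaces only indirectly as "Cert generation test failed", and the `--generate-request` section repeats the same pattern. Checking it first keeps the diagnostics honest: insert `if test "${rc}" != "0"; then echo "certtool generation failed (rc=${rc})"; exit ${rc}; fi` before each diff. The `grep "17"` probes are a bare substring match over the two lines following "TLS Features"; since the fixture shows certtool printing an unnamed feature as a bare indented number, anchoring with `grep "^[[:space:]]*17$"` avoids accepting any other line that merely contains the digits 17. The `-A 2` grep and the `17` grep both report "Cert printing (1) failed" (and likewise "CSR printing (1) failed"), which makes a failure ambiguous; renumbering them costs nothing. Temporary files are also left behind on every early `exit`, so a `trap 'rm -f "${TMPFILE}" "${TMPFILE2}"' EXIT` near the top would keep the test directory clean regardless of which check fails.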