author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-05-30 12:35:45 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-05-30 12:38:33 +0200 |
commit | 0767d02d7459ebad93e061b5b509dead59f68609 (patch) | |
tree | 64d407648ac211a2f24e584825f63a918c2499c1 | |
parent | 571e87e946b2312b3ec70171f2bc8c1cb429f59a (diff) | |
download | gnutls-0767d02d7459ebad93e061b5b509dead59f68609.tar.gz |
tests: check the generation and printing of TLS feature PKIX extension
-rw-r--r-- | tests/cert-tests/Makefile.am | 6 | ||||
-rw-r--r-- | tests/cert-tests/template-tlsfeature.csr | 58 | ||||
-rw-r--r-- | tests/cert-tests/template-tlsfeature.pem | 25 | ||||
-rw-r--r-- | tests/cert-tests/template-tlsfeature.tmpl | 102 | ||||
-rwxr-xr-x | tests/cert-tests/tlsfeature-test | 158 |
5 files changed, 347 insertions, 2 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 97b08874bf..1c54779baf 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -39,7 +39,8 @@ EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem aki-cert.pem \
 template-othername-xmpp.tmpl template-othername-xmpp.pem template-krb5name.tmpl \
 template-krb5name.pem template-krb5name-full.pem template-test-ecc.key \
 template-rsa-sha3-256.pem template-rsa-sha3-512.pem template-rsa-sha3-224.pem template-rsa-sha3-384.pem \
- name-constraints-ip2.pem chain-md5.pem gost-cert.pem
+ name-constraints-ip2.pem chain-md5.pem gost-cert.pem template-tlsfeature.tmpl \
+ template-tlsfeature.pem template-tlsfeature.csr
 
 dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
 pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
@@ -54,7 +55,8 @@ dist_check_SCRIPTS += crq
 endif
 
 if !WINDOWS
-dist_check_SCRIPTS += template-test pem-decoding othername-test krb5-test sha3-test md5-test
+dist_check_SCRIPTS += template-test pem-decoding othername-test krb5-test sha3-test md5-test \
+ tlsfeature-test
 endif
 
 if ENABLE_DANE
diff --git a/tests/cert-tests/template-tlsfeature.csr b/tests/cert-tests/template-tlsfeature.csr
new file mode 100644
index 0000000000..b59b068465
--- /dev/null
+++ b/tests/cert-tests/template-tlsfeature.csr
@@ -0,0 +1,58 @@ +PKCS #10 Certificate Request Information: + Version: 1 + Subject: CN=Cindy Lauper,OU=sleeping dept.,O=Koko inc.,ST=Attiki,C=GR,UID=clauper,title=Dr.,pseudonym=jackal + Subject Public Key Algorithm: RSA + Algorithm Security Level: Low (1024 bits) + Modulus (bits 1024): + 00:a5:c6:ce:75:43:84:bf:64:9e:02:27:13:f1:03:59 + f7:79:2d:92:ed:7c:2f:50:a4:03:f1:2d:79:b9:86:8b + 05:7e:3a:bb:44:aa:af:84:cf:13:98:1e:1c:4a:38:f7 + 33:2d:7a:9f:72:d4:6b:6d:26:b0:31:37:70:10:fb:42 + e9:d8:9d:18:65:7e:19:49:fc:05:96:04:68:83:1e:77 + 86:bf:ed:f5:e5:12:3b:13:fe:33:18:9c:1a:7a:1d:69 + af:47:02:60:7a:1f:b9:e8:cf:db:c8:34:30:51:96:3d + 8c:96:5c:00:bc:61:de:08:0f:b1:36:21:7f:a9:00:e3 + 05 + Exponent (bits 24): + 01:00:01 + Signature Algorithm: RSA-SHA256 + Attributes: + Extensions: + Subject Alternative Name (not critical): + DNSname: www.none.org + DNSname: www.morethanone.org + DNSname: www.evenmorethanone.org + IPAddress: 192.168.1.1 + RFC822Name: none@none.org + RFC822Name: where@none.org + Basic Constraints (critical): + Certificate Authority (CA): TRUE + Key Purpose (critical): + OCSP signing. + Key Usage (critical): + Digital signature. + Certificate signing. 
+ TLS Features (not critical): + Status Request(5) + 17 +Other Information: + Public Key ID: + 5d40adf0ce9440958b7e99941d925422ca72365f + +-----BEGIN NEW CERTIFICATE REQUEST----- +MIICrDCCAhUCAQAwgZoxFTATBgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMO +c2xlZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0 +aWtpMQswCQYDVQQGEwJHUjEXMBUGCgmSJomT8ixkAQETB2NsYXVwZXIxDDAKBgNV +BAwTA0RyLjEPMA0GA1UEQRMGamFja2FsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQClxs51Q4S/ZJ4CJxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5ge +HEo49zMtep9y1GttJrAxN3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+Mxic +Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABoIHQMIHN +BgkqhkiG9w0BCQ4xgb8wgbwwagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cu +bW9yZXRoYW5vbmUub3Jnghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgBAYEN +bm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwDwYDVR0TAQH/BAUwAwEB/zAW +BgNVHSUBAf8EDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QAMBQGCCsGAQUF +BwEYBAgwBgIBBQIBETANBgkqhkiG9w0BAQsFAAOBgQBp5DB6ksTU78tli6cYkxB4 +DRPIGOhL87o4gpsOQNSS61ECYTf2wxGqPA1sM/8syNn0hU1hGVqZG2ydYmR6PxkO +/FfKNmxI5+cRA8oKk6zNhu42tll3NLFbYZV9cp8+JpBQMLBIXxU23UggnsxoVrks +C1I6oDxIq5kDixlWKnaMGA== +-----END NEW CERTIFICATE REQUEST----- diff --git a/tests/cert-tests/template-tlsfeature.pem b/tests/cert-tests/template-tlsfeature.pem new file mode 100644 index 0000000000..23ba2886a1 --- /dev/null +++ b/tests/cert-tests/template-tlsfeature.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENzCCA6CgAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBuDEVMBMGA1UEAxMMQ2lu +ZHkgTGF1cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xl +ZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtp +MQswCQYDVQQGEwJHUjEMMAoGA1UEDBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAa +BgkqhkiG9w0BCQEWDW5vbmVAbm9uZS5vcmcwHhcNMDcwNDIyMDAwMDAwWhcNMTQw +NTI1MDAwMDAwWjCBuDEVMBMGA1UEAxMMQ2luZHkgTGF1cGVyMRcwFQYKCZImiZPy +LGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xlZXBpbmcgZGVwdC4xEjAQBgNVBAoT +CUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJHUjEMMAoGA1UE +DBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9u +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKXGznVDhL9kngInE/ED +Wfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4cSjj3My16n3LUa20msDE3cBD7 +QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW +PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggFNMIIBSTAUBggrBgEFBQcBGAQIMAYC +AQUCAREwDwYDVR0TAQH/BAUwAwEB/zBqBgNVHREEYzBhggx3d3cubm9uZS5vcmeC +E3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTA +qAEBgQ1ub25lQG5vbmUub3JngQ53aGVyZUBub25lLm9yZzATBgNVHSUEDDAKBggr +BgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQd +klQiynI2XzBvBgNVHR8EaDBmMGSgYqBghh5odHRwOi8vd3d3LmdldGNybC5jcmwv +Z2V0Y3JsMS+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwyL4YeaHR0cDov +L3d3dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAG4dVgPt +cB2JnNlNacL+MnggU4TyYTnpEvBWUnjiZxvsKMAk+XcqeW61hjl0u0wQGWBOsSeS +yLcnXHKApdI0LUkWhkKGqZaUSktd9v5sBzP1IXsXHMRsa1ZPazsSYbQ+EQggOnEP +s6Zw/bt1SYHBdqk8+yBXq54AYT4EK+6Me/pX +-----END CERTIFICATE----- diff --git a/tests/cert-tests/template-tlsfeature.tmpl b/tests/cert-tests/template-tlsfeature.tmpl new file mode 100644 index 0000000000..7a03b49afb --- /dev/null +++ b/tests/cert-tests/template-tlsfeature.tmpl 
@@ -0,0 +1,102 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "Koko inc." + +# The organizational unit of the subject. +unit = "sleeping dept." + +# The locality of the subject. +# locality = + +# The state of the certificate owner. +state = "Attiki" + +# The country of the subject. Two letter code. +country = GR + +# The common name of the certificate owner. +cn = "Cindy Lauper" + +# A user id of the certificate owner. +uid = "clauper" + +tls_feature = 5 +tls_feature = 17 + +# If the supported DN OIDs are not adequate you can set +# any OID here. +# For example set the X.520 Title and the X.520 Pseudonym +# by using OID and string pairs. +dn_oid = 2.5.4.12 Dr. +dn_oid = 2.5.4.65 jackal + +# This is deprecated and should not be used in new +# certificates. +pkcs9_email = "none@none.org" + +# The serial number of the certificate +serial = 7 + +# In how many days, counting from today, this certificate will expire. +expiration_days = 2590 + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +dns_name = "www.none.org" +dns_name = "www.morethanone.org" + +# An IP address in case of a server. +ip_address = "192.168.1.1" + +dns_name = "www.evenmorethanone.org" + +# An email in case of a person +email = "none@none.org" + +# An URL that has CRLs (certificate revocation lists) +# available. Needed in CA certificates. +crl_dist_points = "http://www.getcrl.crl/getcrl1/" +crl_dist_points = "http://www.getcrl.crl/getcrl2/" +crl_dist_points = "http://www.getcrl.crl/getcrl3/" + +email = "where@none.org" + +# Whether this is a CA certificate or not +ca + +# Whether this certificate will be used for a TLS client +#tls_www_client + +# Whether this certificate will be used for a TLS server +#tls_www_server + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). +signing_key + +# Whether this certificate will be used to encrypt data (needed +# in TLS RSA ciphersuites). 
Note that it is preferred to use different +# keys for encryption and signing. +#encryption_key + +# Whether this key will be used to sign other certificates. +cert_signing_key + +# Whether this key will be used to sign CRLs. +#crl_signing_key + +# Whether this key will be used to sign code. +#code_signing_key + +# Whether this key will be used to sign OCSP data. +ocsp_signing_key + +# Whether this key will be used for time stamping. +#time_stamping_key + +# Whether this key will be used for IPsec IKE operations. +#ipsec_ike_key diff --git a/tests/cert-tests/tlsfeature-test b/tests/cert-tests/tlsfeature-test new file mode 100755 index 0000000000..c36cbef619 --- /dev/null +++ b/tests/cert-tests/tlsfeature-test 
@@ -0,0 +1,158 @@
+#!/bin/sh
+
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+TMPFILE=tlsfeature.$$.tmp
+TMPFILE2=tlsfeature-2.$$.tmp
+export TZ="UTC"
+
+# Check for datefudge
+TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
+if test "$TSTAMP" != "1158969600"; then
+ echo $TSTAMP
+ echo "You need datefudge to run this test"
+ exit 77
+fi
+
+#
+# Test certificate generation
+#
+datefudge -s "2007-04-22" \
+"${CERTTOOL}" --generate-self-signed \
+ --load-privkey "${srcdir}/template-test.key" \
+ --template "${srcdir}/template-tlsfeature.tmpl" \
+ --outfile "${TMPFILE}" 2>/dev/null
+rc=$?
+
+${DIFF} "${srcdir}/template-tlsfeature.pem" "${TMPFILE}" >/dev/null 2>&1
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "Cert generation test failed"
+ exit ${rc}
+fi
+
+#
+# Test certificate printing
+#
+rm -f "${TMPFILE}"
+rm -f "${TMPFILE2}"
+"${CERTTOOL}" -i \
+ --infile "${srcdir}/template-tlsfeature.pem" --outfile "${TMPFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Cert printing (0) failed"
+ exit ${rc}
+fi
+
+grep -A 2 "TLS Features" "${TMPFILE}" >"${TMPFILE2}" 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Cert printing (1) failed"
+ exit ${rc}
+fi
+
+grep "17" "${TMPFILE2}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Cert printing (1) failed"
+ exit ${rc}
+fi
+
+grep "Status Request(5)" "${TMPFILE2}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Cert printing (2) failed"
+ exit ${rc}
+fi
+
+
+#
+# Test certificate request generation
+#
+
+datefudge -s "2007-04-22" \
+"${CERTTOOL}" --generate-request \
+ --load-privkey "${srcdir}/template-test.key" \
+ --template "${srcdir}/template-tlsfeature.tmpl" \
+ --outfile "${TMPFILE}" 2>/dev/null
+rc=$?
+
+${DIFF} "${srcdir}/template-tlsfeature.csr" "${TMPFILE}" >/dev/null 2>&1
+rc=$?
+
+# We're done.
+if test "${rc}" != "0"; then
+ echo "CSR generation test failed"
+ exit ${rc}
+fi
+
+#
+# Test certificate request printing
+#
+rm -f "${TMPFILE}"
+rm -f "${TMPFILE2}"
+"${CERTTOOL}" --crq-info \
+ --infile "${srcdir}/template-tlsfeature.csr" --outfile "${TMPFILE}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "CSR printing (0) failed"
+ exit ${rc}
+fi
+
+grep -A 2 "TLS Features" "${TMPFILE}" >"${TMPFILE2}" 2>/dev/null
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "CSR printing (1) failed"
+ exit ${rc}
+fi
+
+grep "17" "${TMPFILE2}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "CSR printing (1) failed"
+ exit ${rc}
+fi
+
+grep "Status Request(5)" "${TMPFILE2}" >/dev/null 2>&1
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "CSR printing (2) failed"
+ exit ${rc}
+fi
+
+
+rm -f "${TMPFILE}"
+rm -f "${TMPFILE2}"
+
+exit 0
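Review bot: The `rc=$?` captured right after the two `certtool --generate-*` invocations is dead: the following `${DIFF} ... ; rc=$?` overwrites it before it is tested, and since certtool's stderr is sent to /dev/null a crash or option error in the generator surfaces only as "Cert generation test failed" with no diagnostic. Checking the generator status before the comparison, e.g. `test "${rc}" = "0" || { echo "certtool --generate-self-signed failed"; exit ${rc}; }` (and the same for `--generate-request`), keeps a certtool failure distinguishable from an expected-output mismatch, which matters when this test is the one that guards the printing of a security-relevant extension. The failure messages for the `grep -A 2 "TLS Features"` and `grep "17"` steps are both labelled "(1)" in both the cert and CSR sections, so a failing log cannot tell which assertion tripped; numbering them (0)-(3) would fix that, and `grep "17"` would be tighter as a whole-line match such as `grep -w "17"` so it cannot be satisfied by a digit run elsewhere in the two context lines. Finally, every early `exit ${rc}` leaves `${TMPFILE}`/`${TMPFILE2}` behind in the test directory; a `trap 'rm -f "${TMPFILE}" "${TMPFILE2}"' EXIT` after the variables are set would cover all exit paths.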