authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-24 13:17:41 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-25 10:37:07 +0100
commitf08198bfb50f8991299eb8a531519ea8f83c29ad (patch)
tree4fc48acf615b792694461087e575b96a7c82b6f0
parent62e57ae505fc274ebe80d8765c32a31afb5d9c14 (diff)
tests: added complex verification example using PKCS#7
That uses multiple intermediate certificates from the PKCS#7 structure.
-rw-r--r--tests/cert-tests/Makefile.am5
-rw-r--r--tests/cert-tests/data/pkcs7-cat-ca.pem145
-rw-r--r--tests/cert-tests/data/pkcs7-cat.p7bin0 -> 329940 bytes
-rwxr-xr-xtests/cert-tests/pkcs7-cat45
4 files changed, 193 insertions, 2 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 5880db5c3e..9e0ff0d7e6 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -59,13 +59,14 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/srv-public-localhost-signed.gpg data/selfsigs/alice-mallory-badsig18.pub \
data/selfsigs/alice-mallory-irrelevantsig.pub data/selfsigs/alice-mallory-nosig18.pub \
data/selfsigs/alice.pub data/key-utf8-1.p12 data/key-utf8-2.p12 \
- data/code-signing-ca.pem data/code-signing-cert.pem data/multi-value-dn.pem
+ data/code-signing-ca.pem data/code-signing-cert.pem data/multi-value-dn.pem \
+ data/pkcs7-cat-ca.pem data/pkcs7-cat.p7
dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
provable-dh userid sha2-test sha2-dsa-test provable-privkey-dsa2048 \
provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \
- pkcs7-constraints2 certtool-long-oids
+ pkcs7-constraints2 certtool-long-oids pkcs7-cat
if WANT_TEST_SUITE
dist_check_SCRIPTS += provable-dh-default
diff --git a/tests/cert-tests/data/pkcs7-cat-ca.pem b/tests/cert-tests/data/pkcs7-cat-ca.pem
new file mode 100644
index 0000000000..742d80f1d4
--- /dev/null
+++ b/tests/cert-tests/data/pkcs7-cat-ca.pem
@@ -0,0 +1,145 @@
+X.509 Certificate Information:
+ Version: 3
+ Serial Number (hex): 79ad16a14aa0a5ad4c7358f407132e65
+ Issuer: DC=com,DC=microsoft,CN=Microsoft Root Certificate Authority
+ Validity:
+ Not Before: Wed May 09 23:19:22 UTC 2001
+ Not After: Sun May 09 23:28:13 UTC 2021
+ Subject: DC=com,DC=microsoft,CN=Microsoft Root Certificate Authority
+ Subject Public Key Algorithm: RSA
+ Algorithm Security Level: High (4096 bits)
+ Modulus (bits 4096):
+ 00:f3:5d:fa:80:67:d4:5a:a7:a9:0c:2c:90:20:d0:35
+ 08:3c:75:84:cd:b7:07:89:9c:89:da:de:ce:c3:60:fa
+ 91:68:5a:9e:94:71:29:18:76:7c:c2:e0:c8:25:76:94
+ 0e:58:fa:04:34:36:e6:df:af:f7:80:ba:e9:58:0b:2b
+ 93:e5:9d:05:e3:77:22:91:f7:34:64:3c:22:91:1d:5e
+ e1:09:90:bc:14:fe:fc:75:58:19:e1:79:b7:07:92:a3
+ ae:88:59:08:d8:9f:07:ca:03:58:fc:68:29:6d:32:d7
+ d2:a8:cb:4b:fc:e1:0b:48:32:4f:e6:eb:b8:ad:4f:e4
+ 5c:6f:13:94:99:db:95:d5:75:db:a8:1a:b7:94:91:b4
+ 77:5b:f5:48:0c:8f:6a:79:7d:14:70:04:7d:6d:af:90
+ f5:da:70:d8:47:b7:bf:9b:2f:6c:e7:05:b7:e1:11:60
+ ac:79:91:14:7c:c5:d6:a6:e4:e1:7e:d5:c3:7e:e5:92
+ d2:3c:00:b5:36:82:de:79:e1:6d:f3:b5:6e:f8:9f:33
+ c9:cb:52:7d:73:98:36:db:8b:a1:6b:a2:95:97:9b:a3
+ de:c2:4d:26:ff:06:96:67:25:06:c8:e7:ac:e4:ee:12
+ 33:95:31:99:c8:35:08:4e:34:ca:79:53:d5:b5:be:63
+ 32:59:40:36:c0:a5:4e:04:4d:3d:db:5b:07:33:e4:58
+ bf:ef:3f:53:64:d8:42:59:35:57:fd:0f:45:7c:24:04
+ 4d:9e:d6:38:74:11:97:22:90:ce:68:44:74:92:6f:d5
+ 4b:6f:b0:86:e3:c7:36:42:a0:d0:fc:c1:c0:5a:f9:a3
+ 61:b9:30:47:71:96:0a:16:b0:91:c0:42:95:ef:10:7f
+ 28:6a:e3:2a:1f:b1:e4:cd:03:3f:77:71:04:c7:20:fc
+ 49:0f:1d:45:88:a4:d7:cb:7e:88:ad:8e:2d:ec:45:db
+ c4:51:04:c9:2a:fc:ec:86:9e:9a:11:97:5b:de:ce:53
+ 88:e6:e2:b7:fd:ac:95:c2:28:40:db:ef:04:90:df:81
+ 33:39:d9:b2:45:a5:23:87:06:a5:55:89:31:bb:06:2d
+ 60:0e:41:18:7d:1f:2e:b5:97:cb:11:eb:15:d5:24:a5
+ 94:ef:15:14:89:fd:4b:73:fa:32:5b:fc:d1:33:00:f9
+ 59:62:70:07:32:ea:2e:ab:40:2d:7b:ca:dd:21:67:1b
+ 30:99:8f:16:aa:23:a8:41:d1:b0:6e:11:9b:36:c4:de
+ 40:74:9c:e1:58:65:c1:60:1e:7a:5b:38:c8:8f:bb:04
+ 26:7c:d4:16:40:e5:b6:6b:6c:aa:86:fd:00:bf:ce:c1
+ 35
+ Exponent (bits 24):
+ 01:00:01
+ Extensions:
+ Key Usage (not critical):
+ Digital signature.
+ Non repudiation.
+ Certificate signing.
+ CRL signing.
+ Basic Constraints (critical):
+ Certificate Authority (CA): TRUE
+ Subject Key Identifier (not critical):
+ 0eac826040562797e52513fc2ae10a539559e4a4
+ Unknown extension 1.3.6.1.4.1.311.21.1 (not critical):
+ ASCII: ...
+ Hexdump: 020100
+ Signature Algorithm: RSA-SHA1
+ Signature:
+ c5:11:4d:03:3a:60:dd:5d:52:11:77:8f:b2:bb:36:c8
+ b2:05:bf:b4:b7:a8:d8:20:9d:5c:13:03:b6:1c:22:fa
+ 06:13:35:b6:c8:63:d4:9a:47:6f:26:57:d2:55:f1:04
+ b1:26:5f:d6:a9:50:68:a0:bc:d2:b8:6e:cc:c3:e9:ac
+ df:19:cd:78:ac:59:74:ac:66:34:36:c4:1b:3e:6c:38
+ 4c:33:0e:30:12:0d:a3:26:fe:51:53:00:ff:af:5a:4e
+ 84:0d:0f:1f:e4:6d:05:2e:4e:85:4b:8d:6c:33:6f:54
+ d2:64:ab:bf:50:af:7d:7a:39:a0:37:ed:63:03:0f:fc
+ 13:06:ce:16:36:d4:54:3b:95:1b:51:62:3a:e5:4d:17
+ d4:05:39:92:9a:27:a8:5b:aa:bd:ec:bb:be:e3:20:89
+ 60:71:6c:56:b3:a5:13:d0:6d:0e:23:7e:95:03:ed:68
+ 3d:f2:d8:63:b8:6b:4d:b6:e8:30:b5:e1:ca:94:4b:f7
+ a2:aa:5d:99:30:b2:3d:a7:c2:51:6c:28:20:01:24:27
+ 2b:4b:00:b7:9d:11:6b:70:be:b2:10:82:bc:0c:9b:68
+ d0:8d:3b:24:87:aa:99:28:72:9d:33:5f:59:90:bd:f5
+ de:93:9e:3a:62:5a:34:39:e2:88:55:1d:b9:06:b0:c1
+ 89:6b:2d:d7:69:c3:19:12:36:84:d0:c9:a0:da:ff:2f
+ 69:78:b2:e5:7a:da:eb:d7:0c:c0:f7:bd:63:17:b8:39
+ 13:38:a2:36:5b:7b:f2:85:56:6a:1d:64:62:c1:38:e2
+ aa:bf:51:66:a2:94:f5:12:9c:66:22:10:6b:f2:b7:30
+ 92:2d:f2:29:f0:3d:3b:14:43:68:a2:f1:9c:29:37:cb
+ ce:38:20:25:6d:7c:67:f3:7e:24:12:24:03:08:81:47
+ ec:a5:9e:97:f5:18:d7:cf:bb:d5:ef:76:96:ef:fd:ce
+ db:56:9d:95:a0:42:f9:97:58:e1:d7:31:22:d3:5f:59
+ e6:3e:6e:22:00:ea:43:84:b6:25:db:d9:f3:08:56:68
+ c0:64:6b:1d:7c:ec:b6:93:a2:62:57:6e:2e:d8:e7:58
+ 8f:c4:31:49:26:dd:de:29:35:87:f5:30:71:70:5b:14
+ 3c:69:bd:89:12:7d:eb:2e:a3:fe:d8:7f:9e:82:5a:52
+ 0a:2b:c1:43:2b:d9:30:88:9f:c8:10:fb:89:8d:e6:a1
+ 85:75:33:7e:6c:9e:db:73:13:64:62:69:a5:2f:7d:ca
+ 96:6d:9f:f8:04:4d:30:92:3d:6e:21:14:21:c9:3d:e0
+ c3:fd:8a:6b:9d:4a:fd:d1:a1:9d:99:43:77:3f:b0:da
+Other Information:
+ SHA1 fingerprint:
+ cdd4eeae6000ac7f40c3802c171e30148030c072
+ SHA256 fingerprint:
+ 885de64c340e3ea70658f01e1145f957fcda27aabeea1ab9faa9fdb0102d4077
+ Public Key ID:
+ 0eac826040562797e52513fc2ae10a539559e4a4
+ Public key's random art:
+ +--[ RSA 4096]----+
+ | o.o oOO.. |
+ |o +==.+ |
+ |. .E o. |
+ |. . o . |
+ |... . + S |
+ |o+ + + |
+ |. + o . . |
+ | o |
+ | |
+ +-----------------+
+
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/pkcs7-cat.p7 b/tests/cert-tests/data/pkcs7-cat.p7
new file mode 100644
index 0000000000..ec9139976b
--- /dev/null
+++ b/tests/cert-tests/data/pkcs7-cat.p7
Binary files differ
diff --git a/tests/cert-tests/pkcs7-cat b/tests/cert-tests/pkcs7-cat
new file mode 100755
index 0000000000..7a18dd3b47
--- /dev/null
+++ b/tests/cert-tests/pkcs7-cat
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+OUTFILE=out-pkcs7.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+check_for_datefudge
+datefudge -s "2016-10-1" \
+${VALGRIND} "${CERTTOOL}" --p7-verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/pkcs7-cat-ca.pem"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "PKCS7 verification failed (1)"
+ exit 1
+fi
+
+rm -f "${OUTFILE}"
+
+exit 0
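Review bot: The script only asserts that `--p7-verify` exits 0 for the valid chain, so a regression that makes verification accept any trust anchor would still pass; a negative control after the existing `rc` check would close that gap. I would rerun the same command with a CA that should not anchor this chain (for example `data/code-signing-ca.pem`, already listed in EXTRA_DIST; that it is unrelated to this chain is my assumption) and fail the test when the exit status is 0. With VALGRIND set, exit code 15 should count as a test failure rather than as the expected rejection. Separately, `OUTFILE` is assigned and removed but never written, so both lines can go, and the source line should quote its expansion: `. "${srcdir}/../scripts/common.sh"`.

```sh
# … unchanged: positive verification against data/pkcs7-cat-ca.pem and its rc check …

# Negative control: a trust anchor outside this chain must not verify the structure.
datefudge -s "2016-10-1" \
${VALGRIND} "${CERTTOOL}" --p7-verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/code-signing-ca.pem"
rc=$?

# 0 means the wrong CA was accepted; 15 is valgrind's --error-exitcode, not a rejection.
if test "${rc}" = "0" || test "${rc}" = "15"; then
	echo "PKCS7 verification with an unrelated CA did not fail cleanly (2)"
	exit 1
fi
```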