diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-03-31 17:15:34 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-03-31 17:15:37 +0200 |
commit | f6c92f8a6d974066a6f66f5358ecf815b7747a5e (patch) | |
tree | 6f7d6981b57e09825fa1887fcaeca07b26605945 /tests | |
parent | 8ee8a53bef77be018c4eeb261309846f261a35c8 (diff) | |
download | gnutls-f6c92f8a6d974066a6f66f5358ecf815b7747a5e.tar.gz |
tests: added PKCS #7 signing/verification test with broken sigs (MD5)
This tests whether we can sign structures using broken algorithms (MD5),
and verify structures signed with broken algoritms if --verify-allow-broken
is given to certtool.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/cert-tests/Makefile.am | 2 | ||||
-rwxr-xr-x | tests/cert-tests/pkcs7-broken-sigs | 63 |
2 files changed, 64 insertions, 1 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index f6da78369b..ef86a5c6d9 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -42,7 +42,7 @@ EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem aki-cert.pem \ template-ecdsa-sha3-512.pem name-constraints-ip2.pem dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \ - pkcs7 privkey-import name-constraints certtool-long-cn crl provable-privkey + pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey if !HAVE_BUGGY_LIBIDN dist_check_SCRIPTS += certtool-utf8 diff --git a/tests/cert-tests/pkcs7-broken-sigs b/tests/cert-tests/pkcs7-broken-sigs new file mode 100755 index 0000000000..159cb5cbd3 --- /dev/null +++ b/tests/cert-tests/pkcs7-broken-sigs @@ -0,0 +1,63 @@ +#!/bin/sh + +# Copyright (C) 2016 Red Hat, Inc. +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +#set -e + +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff -b -B}" +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi +OUTFILE=out-pkcs7.$$.tmp +OUTFILE2=out2-pkcs7.$$.tmp + +# Test signing with MD5 +FILE="signing" +${VALGRIND} "${CERTTOOL}" --p7-sign --hash md5 --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" --infile "${srcdir}/pkcs7-detached.txt" >"${OUTFILE}" +rc=$? + +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing with MD5 failed" + exit ${rc} +fi + +FILE="signing-verify" +${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" != "1"; then + echo "${FILE}: PKCS7 struct signing succeeded verification with MD5" + exit ${rc} +fi + +FILE="signing-verify" +${VALGRIND} "${CERTTOOL}" --p7-verify --verify-allow-broken --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" <"${OUTFILE}" +rc=$? + +if test "${rc}" != "0"; then + echo "${FILE}: PKCS7 struct signing failed with MD5 and allow-broken" + exit ${rc} +fi + +rm -f "${OUTFILE}" +rm -f "${OUTFILE2}" + +exit 0 |