summaryrefslogtreecommitdiff
path: root/tests/pkcs11/distrust-after.c
diff options
context:
space:
mode:
Diffstat (limited to 'tests/pkcs11/distrust-after.c')
-rw-r--r--tests/pkcs11/distrust-after.c274
1 files changed, 274 insertions, 0 deletions
diff --git a/tests/pkcs11/distrust-after.c b/tests/pkcs11/distrust-after.c
new file mode 100644
index 0000000000..05165baa5a
--- /dev/null
+++ b/tests/pkcs11/distrust-after.c
@@ -0,0 +1,274 @@
+/*
+ * Copyright (C) 2023 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(_WIN32)
+
+int main(void)
+{
+ exit(77);
+}
+
+#else
+
+# include <string.h>
+# include <unistd.h>
+# include <gnutls/gnutls.h>
+# include <assert.h>
+
+# include "cert-common.h"
+# include "pkcs11/softhsm.h"
+# include "utils.h"
+
+/* This program tests that CKA_NSS_SERVER_DISTRUST_AFTER is honored
+ * while validating certificate chain.
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "server|<%d>| %s", level, str);
+}
+
+# define PIN "1234"
+
+# define CONFIG_NAME "softhsm-distrust-after"
+# define CONFIG CONFIG_NAME".config"
+
+static const unsigned char chain_pem[] =
+ "-----BEGIN CERTIFICATE-----"
+ "MIID5zCCAp+gAwIBAgIUIXzLE8ObVwBGHepbjMWRwW/NpDgwDQYJKoZIhvcNAQEL"
+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjMwMzE0MTAwNDAzWhgP"
+ "OTk5OTEyMzEyMzU5NTlaMDcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjEY"
+ "MBYGA1UEAxMPdGVzdC5nbnV0bHMub3JnMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8A"
+ "MIIBOgKCATEAtGsnmCWvwf8eyrB+9Ni87UOGZ1Rd2rQewpBfgzwCEfwTcoWyiKRl"
+ "QQt2XyO+ip/+eUtzOy7HSzy/FsmXVTUX86FySzDC4CeUEvNWAObOgksRXaQem/r6"
+ "uRsqTRi1uqXmDMeoqKFtqoiE3JYOsmwcNarnx5Q9+dXHwqINS7NuevcIX8UJzRWT"
+ "GveY3ypMZokk7R/QFmOBZaVYO6HNJWKbmYFUCBcY7HwvCKI7KFcynRdHCob7YrFB"
+ "meb73qjqIH7zG+666pohZCmS8q1z5RkFnTdT4hGfGF8iuuKLDQCMni+nhz1Avkqi"
+ "pZIIDC5hwFh8mpnh1qyDOSXPPhvt66NtncvFON7Bx26bNBS+MD6CkB65Spp25O8z"
+ "DEaiMXL2w2EL+KpnifSl5XY3oSmfgHmqdQIDAQABo4GmMIGjMAwGA1UdEwEB/wQC"
+ "MAAwGgYDVR0RBBMwEYIPdGVzdC5nbnV0bHMub3JnMCcGA1UdJQQgMB4GCCsGAQUF"
+ "BwMBBggrBgEFBQcDAwYIKwYBBQUHAwQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQW"
+ "BBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s"
+ "/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAYbQLlr74D62lPEevV/HWLOMG8taY"
+ "gPld7Z5VApIhsJa913Jya7AOsW+lz48LX3QNTc8Xgj7FVwQeNP1GtBZXCe6U73KB"
+ "Z+qp1rIEwn2cQVmFG+ShxmUA/gxxmWql2BAORNd5ZCVOcZbMh9uwWjhIQN/SImtW"
+ "x3ebFgV5N7GPFbw+5NUITLXoLrD7Bixv3iQS8hWwmAmmPZbHAENRauL6jYSjniru"
+ "SSFYjzJ1trJB6VgpJ2yWfKdcGZmB3osnGshWbayVOaprbH0AWKwOZ/d7sAldjdVw"
+ "ZsaOhA+6NbvpKYZuw6Tdt0+VmUwGC1ATJGpc0dEXRBaFlt/e+gqQ43Mo+YwiMDYq"
+ "LDU5nLC6uTSZLtgQHTqb32xmQ/D/y6NkUTH3f4OcxPGxBRVBHjOTk6MhRA=="
+ "-----END CERTIFICATE-----"
+ "-----BEGIN CERTIFICATE-----"
+ "MIIDjTCCAkWgAwIBAgIUejTcfGbOAc9l4IBW+kpAN6A7Sj4wDQYJKoZIhvcNAQEL"
+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjMwMzE0MDk1NzU1WhgP"
+ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN"
+ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C"
+ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ"
+ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8"
+ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW"
+ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG"
+ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7"
+ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB"
+ "o2swaTAPBgNVHRMBAf8EBTADAQH/MCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEF"
+ "BQcDAwYIKwYBBQUHAwQwDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQedyNtZzEf"
+ "kQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAa37UdOTvdUfRGwjrodhE"
+ "tEnRnfrwfQ61RMK5GY07UAks7CjdeWFDLoQfv9oP9kH122hEGAA683xg/CH5OeN0"
+ "8zrayQKqwcH40SJQDzc748lTgxUIDaf2rrkoF8butpaDaI0fageqjlEvCeZZSuIC"
+ "KCfZK9NPN47DknuerjOTwrWxvXYRepfSo8VVbjRj8R4qsgJsmJZYQfrAg0XrnKf/"
+ "UibNPXRCYABsxH4ZFtivg93LaQ05z4IrPSWGOTDQxNBoEC0DVGfSc8XElP0MkF/K"
+ "BIPsl3Rt2oFNhfViF9Gpzy9Dj1P1kMD6kE7nBDiRBUPNJZBiJSGVTMZTMc2tg42W"
+ "QcUYnUUzOpQWg1tcOZy4s+EuJ0bEWhSkFfSN3ENxsHXNCYYHgeadATcGbzTxD6ib"
+ "eA==" "-----END CERTIFICATE-----";
+
+static const gnutls_datum_t chain = {
+ (unsigned char *)chain_pem, sizeof(chain_pem) - 1
+};
+
+static
+int pin_func(void *userdata, int attempt, const char *url, const char *label,
+ unsigned flags, char *pin, size_t pin_max)
+{
+ if (attempt == 0) {
+ strcpy(pin, PIN);
+ return 0;
+ }
+ return -1;
+}
+
+static void test(const char *provider, const char *purpose, bool succeeds)
+{
+ int ret;
+ gnutls_x509_crt_t *certs;
+ unsigned int count;
+ gnutls_x509_trust_list_t tl;
+ gnutls_typed_vdata_st vdata;
+ unsigned int status;
+
+ gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+
+ success("test with %s for %s\n", provider, purpose);
+
+ if (debug) {
+ gnutls_global_set_log_function(tls_log_func);
+ gnutls_global_set_log_level(4711);
+ }
+
+ /* point to SoftHSM token that libpkcs11mock3.so internally uses */
+ setenv(SOFTHSM_ENV, CONFIG, 1);
+
+ gnutls_pkcs11_set_pin_function(pin_func, NULL);
+
+ ret = gnutls_pkcs11_add_provider(provider, "trusted");
+ if (ret != 0) {
+ fail("gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret));
+ }
+
+ /* initialize softhsm token */
+ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test");
+ if (ret < 0) {
+ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
+ }
+
+ ret =
+ gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN,
+ GNUTLS_PIN_USER);
+ if (ret < 0) {
+ fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret));
+ }
+
+ gnutls_x509_trust_list_init(&tl, 0);
+
+ ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL,
+ 0, 0, 0);
+ if (ret < 0) {
+ fail("gnutls_x509_trust_list_add_trust_file\n");
+ }
+
+ ret = gnutls_x509_crt_list_import2(&certs, &count,
+ &chain, GNUTLS_X509_FMT_PEM, 0);
+ if (ret < 0) {
+ fail("gnutls_x509_crt_import: %s\n", gnutls_strerror(ret));
+ }
+
+ assert(count == 2);
+
+ /* Use the ICA (instead of the actual root CA) for simplicity. */
+ ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[1], "ca",
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED |
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_CA |
+ GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO);
+ if (ret < 0) {
+ fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret));
+ }
+
+ vdata.type = GNUTLS_DT_KEY_PURPOSE_OID;
+ vdata.data = (void *)purpose;
+
+ ret = gnutls_x509_trust_list_verify_crt2(tl, certs, 1, &vdata, 1,
+ 0, &status, NULL);
+ if (ret < 0) {
+ fail("gnutls_x509_trust_list_verify_crt2: %s\n",
+ gnutls_strerror(ret));
+ }
+
+ if (succeeds) {
+ if (status != 0) {
+ fail("verify failed\n");
+ }
+ } else if (!(status & GNUTLS_CERT_SIGNER_NOT_FOUND)) {
+ fail("verify succeeded unexpectedly\n");
+ }
+
+ gnutls_x509_trust_list_deinit(tl, 0);
+ while (count--) {
+ gnutls_x509_crt_deinit(certs[count]);
+ }
+ gnutls_free(certs);
+
+ gnutls_pkcs11_deinit();
+}
+
+void doit(void)
+{
+ const char *bin;
+ const char *lib;
+ char buf[128];
+
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
+ /* this must be called once in the program */
+ global_init();
+
+ /* we call gnutls_pkcs11_init manually */
+ gnutls_pkcs11_deinit();
+
+ /* check if softhsm module is loadable */
+ lib = softhsm_lib();
+
+ /* initialize SoftHSM token that libpkcs11mock2.so internally uses */
+ bin = softhsm_bin();
+
+ set_softhsm_conf(CONFIG);
+ snprintf(buf, sizeof(buf),
+ "%s --init-token --slot 0 --label test --so-pin " PIN " --pin "
+ PIN, bin);
+ system(buf);
+
+ test(lib, GNUTLS_KP_TLS_WWW_SERVER, true);
+
+ set_softhsm_conf(CONFIG);
+ snprintf(buf, sizeof(buf),
+ "%s --init-token --slot 0 --label test --so-pin " PIN " --pin "
+ PIN, bin);
+ system(buf);
+
+ test(lib, GNUTLS_KP_EMAIL_PROTECTION, true);
+
+ lib = getenv("P11MOCKLIB3");
+ if (lib == NULL) {
+ fail("P11MOCKLIB3 is not set\n");
+ }
+
+ set_softhsm_conf(CONFIG);
+ snprintf(buf, sizeof(buf),
+ "%s --init-token --slot 0 --label test --so-pin " PIN " --pin "
+ PIN, bin);
+ system(buf);
+
+ test(lib, GNUTLS_KP_TLS_WWW_SERVER, false);
+
+ set_softhsm_conf(CONFIG);
+ snprintf(buf, sizeof(buf),
+ "%s --init-token --slot 0 --label test --so-pin " PIN " --pin "
+ PIN, bin);
+ system(buf);
+
+ test(lib, GNUTLS_KP_EMAIL_PROTECTION, true);
+}
+#endif /* _WIN32 */
View Lorry Controller Status