From 1d69e9bf52815072460118d53800e81a65dc1f19 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 29 May 2017 09:22:44 +0200 Subject: tests: added unit test to verify that certificates with non-DER strict time fields are accepted Also removed the old strict compliance DER test. Signed-off-by: Nikos Mavrogiannopoulos --- tests/Makefile.am | 2 +- tests/cert-tests/Makefile.am | 2 +- .../data/openssl-invalid-time-format.pem | 20 ++++ tests/cert-tests/tolerate-invalid-time | 50 +++++++++ tests/strict-der.c | 115 --------------------- 5 files changed, 72 insertions(+), 117 deletions(-) create mode 100644 tests/cert-tests/data/openssl-invalid-time-format.pem create mode 100755 tests/cert-tests/tolerate-invalid-time delete mode 100644 tests/strict-der.c diff --git a/tests/Makefile.am b/tests/Makefile.am index 3239b278c7..547909d17c 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -93,7 +93,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred cert certuniqueid \ mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \ mini-dtls-record-asym openpgp-callback key-import-export \ mini-dtls-fork mini-dtls-pthread mini-key-material x509cert-invalid \ - strict-der tls-ext-register tls-supplemental mini-dtls0-9 \ + tls-ext-register tls-supplemental mini-dtls0-9 \ mini-record-retvals mini-server-name tls-etm x509-cert-callback \ sign-md5-rep keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \ x509sign-verify2 mini-alignment oids atfork prf psk-file \ diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 17cfdba0fc..ecac3bd576 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -68,7 +68,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/openpgp-invalid7.pub data/openpgp-invalid8.pub \ data/key-corpus-rc2-1.p12 data/key-corpus-rc2-2.p12 data/key-corpus-rc2-3.p12 data/pkcs7-chain.pem data/pkcs7-chain-root.pem \ - data/pkcs7-chain-endcert-key.pem + data/pkcs7-chain-endcert-key.pem data/openssl-invalid-time-format.pem dist_check_SCRIPTS = pathlen aki certtool invalid-sig email crq \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ diff --git a/tests/cert-tests/data/openssl-invalid-time-format.pem b/tests/cert-tests/data/openssl-invalid-time-format.pem new file mode 100644 index 0000000000..7a55b47d8a --- /dev/null +++ b/tests/cert-tests/data/openssl-invalid-time-format.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDyjCCArKgAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxFjAUBgNVBAoT +DWlpb3JkYW5vdi5jb20xIjAgBgNVBAMTGW92aXJ0Lmlpb3JkYW5vdi5jb20uNzE5NzUwIhcRMTQw +NjE2MjIxMTA1KzAwMDAXDTI0MDYxNDIyMTEwNVowSTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDWlp +b3JkYW5vdi5jb20xIjAgBgNVBAMTGW92aXJ0Lmlpb3JkYW5vdi5jb20uNzE5NzUwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1gS9aSehHWenPdIAayB8eovfVe3h9vqwlTzfOZaiJK56f +P1shhwu/shML9g9xADBtJ2MyXhgY+V20mJ2oOivqotTeIcHc0vs5fJcBuwWXxFt8ISDkFXhnsX+9 +8MP1Fhc3PEIxlhMitFK7+7d6JxSd6lQsIgeruyf2A+aSLD02QUpNdnhxJ48FMncJUrFycTDZtnb2 +REJWgl1cRa8MMtiLKoMYdC+t3P9Am27vOpRmh0U6rB4qym1wYj9JbEES4mbS/u1JQgKv+AXgS1QD +5ZFpTXPDeOs2QPJtrwD2nu5Sd2aCMAv8MHqeR8nfaixkpKC4JxF6fnR+Ynn4wzKOdpOhAgMBAAGj +gbcwgbQwHQYDVR0OBBYEFEhIahZoIh8Wzfpi/nbPJ81SQwFkMHIGA1UdIwRrMGmAFEhIahZoIh8W +zfpi/nbPJ81SQwFkoU2kSzBJMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNaWlvcmRhbm92LmNvbTEi +MCAGA1UEAxMZb3ZpcnQuaWlvcmRhbm92LmNvbS43MTk3NYICEAAwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAAYMFGll2Ib7wpitipon6S9C25A8fnx7 +wLXKY3fUBJmtpLxTjSZfPbhmNkCvwGbmjG78AFbl+dY1+PDmEK1w2DgNWw2I9WcY4ULJoINo3YZv +p2s53iYW3U+Syz+WLrIW0om5bM1Y0fw8KbuAuWsJzJfbd1hMGeMV6axKx7FbECuN0a02sCo2kIxk +ckg/aGgshQ4EkqP79j7O25WaZdcBZDpYsqSDvcG6Oy4qM3dde/EBZiflPu4mvIwL15ilGXfO/zPk +p49fcKm5YE8LC9PvsS+NSnD9avxRQq8bY4an2FUxoh5mSh+UY2rpd9yX7WCBtZ9TwHkkaeNehgRz +7crbZrA= +-----END CERTIFICATE----- diff --git a/tests/cert-tests/tolerate-invalid-time b/tests/cert-tests/tolerate-invalid-time new file mode 100755 index 0000000000..f8707441d3 --- /dev/null +++ b/tests/cert-tests/tolerate-invalid-time @@ -0,0 +1,50 @@ +#!/bin/sh + +# Copyright (C) 2017 Red Hat, Inc. +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see + +#set -e + +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}" +DIFF="${DIFF:-diff -b -B}" + +if ! test -x "${CERTTOOL}"; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +fi + +${PKGCONFIG} --version >/dev/null || exit 77 + +${PKGCONFIG} --atleast-version=4.12 libtasn1 || exit 77 + +# Check whether certificates with invalid time fields are accepted +for file in openssl-invalid-time-format.pem;do + ${VALGRIND} "${CERTTOOL}" -i --infile "${srcdir}/data/$file" + rc=$? + + if test "${rc}" != "0";then + echo "file $file was not rejected" + exit 1 + fi +done + +exit 0 diff --git a/tests/strict-der.c b/tests/strict-der.c deleted file mode 100644 index 8854c744d9..0000000000 --- a/tests/strict-der.c +++ /dev/null @@ -1,115 +0,0 @@ -/* - * Copyright (C) 2011-2012 Free Software Foundation, Inc. - * - * Author: Nikos Mavrogiannopoulos - * - * This file is part of GnuTLS. - * - * GnuTLS is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * GnuTLS is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with GnuTLS; if not, write to the Free Software Foundation, - * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - */ - -/* Parts copied from GnuTLS example programs. */ - -#ifdef HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#if !defined(_WIN32) -#include -#include -#include -#include -#endif -#include -#include -#include - -#include "utils.h" - -/* Test for gnutls_certificate_get_issuer() and implicitly for - * gnutls_trust_list_get_issuer(). - */ - -static void tls_log_func(int level, const char *str) -{ - fprintf(stderr, "<%d>| %s", level, str); -} - -/* This certificate is modified to contain invalid DER. In older - * gnutls versions that would still be parsed and the wrong DER was - * "corrected" but now we should reject these */ -static unsigned char cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIIFXzCCBEegAwIBAgIQHYWDpKNVUzEFx4Pq8yjxbTANBgkqhkiG9w0BAQUFADCBtTELMAkGA1UE\n" - "BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO\n" - "ZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t\n" - "L3JwYSAoYykxMDEvMC0GA1UEAxMmVmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0g\n" - "RzMwHxcOMTQwMjI3MDAwMDAwWgAXDTE1MDIyODIzNTk1OVowZzELMAkGA1UEBhMCVVMxEzARBgNV\n" - "BAgTCldhc2hpbmd0b24xEDAOBgNVBAcUB1NlYXR0bGUxGDAWBgNVBAoUD0FtYXpvbi5jb20gSW5j\n" - "LjEXMBUGA1UEAxQOd3d3LmFtYXpvbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\n" - "AQCXX4njj63+AK39SJXnf4ove+NO2Z46WgeccZuPUOD89/ucZg9C2K3uwo59QO1t2ZR5IucxVWaV\n" - "vSW/9z30hA2ObJco5Cw9o3ZdoFXn0rYUmbWMW+XmL+/bSBDdFPQGfP1WhsFKJJfJ9TIrXBAsTSzH\n" - "uC6qFZktvZ1yE0081+bdyOHVHjAQzSPsYFaSUqccMwPvy/sMaI+Um+GCf2PolJJwpI1+j6WmTEVg\n" - "RBNHarxtNqpcV3rAFdJ5imL427agMqFur4Iz/OYeoCRBEiKk02ctRzoBaTvF09OQqRg3I4T9bE71\n" - "xe1cdWo/sQ4nRiy1tfPBt+aBSiIRMh0Fdle780QFAgMBAAGjggG1MIIBsTBQBgNVHREESTBHghF1\n" - "ZWRhdGEuYW1hem9uLmNvbYIKYW1hem9uLmNvbYIIYW16bi5jb22CDHd3dy5hbXpuLmNvbYIOd3d3\n" - "LmFtYXpvbi5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH\n" - "AwEGCCsGAQUFBwMCMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjAqMCgGCCsGAQUFBwIBFhxodHRw\n" - "czovL3d3dy52ZXJpc2lnbi5jb20vY3BzMB8GA1UdIwQYMBaAFA1EXBZTRMGCfh0gqyX0AWPYvnml\n" - "MEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZlcmlzaWduLmNvbS9T\n" - "VlJTZWN1cmVHMy5jcmwwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52\n" - "ZXJpc2lnbi5jb20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtYWlhLnZlcmlzaWdu\n" - "LmNvbS9TVlJTZWN1cmVHMy5jZXIwDQYJKoZIhvcNAQEFBQADggEBADnmX45CNMkf57rQjB6ef7gf\n" - "3r5AfKiGMYdSim4TwU5qcpJicYiyqwQXAQbvZFuZTGzT0jXJROLAsjdHcQiR8D5u7mzVMbJg0kz0\n" - "yTsdDM5dFmVWme3l958NZI/I0qCtH+Z/O0cyivOTMARbBJ+92dqQ78U3He9gRNE9VCS3FNgObhwC\n" - "cr5tkKTlgSESpSRyBwnLucY4+ci5xjvYndHIzoxII/X9TKOIc2sC+b0H5KP8RcQLAO9G5Nra7+eJ\n" - "IC74ZgFvgejqTd2f8QeJljTsNxvG4P7vqQi73fCkTuVfCk5YDtTU2joGAujgBd1EjTIbjWYeoebV\n" - "gN5gPKxa/GbGsoQ=\n" - "-----END CERTIFICATE-----\n"; - -const gnutls_datum_t cert = { cert_pem, sizeof(cert_pem) - 1}; - -void doit(void) -{ - int ret; - gnutls_x509_crt_t crt; - - /* this must be called once in the program - */ - global_init(); - - gnutls_global_set_log_function(tls_log_func); - if (debug) - gnutls_global_set_log_level(6); - - gnutls_x509_crt_init(&crt); - - ret = - gnutls_x509_crt_import(crt, &cert, GNUTLS_X509_FMT_PEM); - if (ret >= 0) { - fail("gnutls_x509_crt_import allowed loading a cert with invalid DER\n"); - exit(1); - } - gnutls_x509_crt_deinit(crt); - - gnutls_global_deinit(); - - if (debug) - success("success"); -} -- cgit v1.2.1