From 6d084b8cbadb9f748a323847b428ac688e069aa2 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 10 May 2017 17:08:11 +0200 Subject: tests: added unit test for p11-kit trust store This verifies whether an Example Root CA can be read together with its stapled extensions. Signed-off-by: Nikos Mavrogiannopoulos --- tests/Makefile.am | 7 +- tests/p11-kit-trust-data/Example_Root_CA.p11-kit | 11 ++ tests/p11-kit-trust-data/Example_Root_CA.pem | 13 +++ tests/p11-kit-trust.sh | 137 +++++++++++++++++++++++ 4 files changed, 166 insertions(+), 2 deletions(-) create mode 100644 tests/p11-kit-trust-data/Example_Root_CA.p11-kit create mode 100644 tests/p11-kit-trust-data/Example_Root_CA.pem create mode 100755 tests/p11-kit-trust.sh diff --git a/tests/Makefile.am b/tests/Makefile.am index 082da9bd31..929bd866a1 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -49,7 +49,9 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \ ocsp-tests/certs/server_good.key ocsp-tests/certs/server_bad.key ocsp-tests/certs/server_good.template \ ocsp-tests/certs/server_bad.template ocsp-tests/certs/ocsp-staple-unrelated.der ocsp-tests/suppressions.valgrind \ data/listings-DTLS1.0 data/listings-SSL3.0 data/listings-TLS1.0 data/listings-TLS1.1 \ - data/listings-SSL3.0-TLS1.1 + data/listings-SSL3.0-TLS1.1 p11-kit-trust-data/Example_Root_CA.p11-kit \ + p11-kit-trust-data/Example_Root_CA.pem + AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) AM_CPPFLAGS = \ @@ -317,7 +319,8 @@ name_constraints_merge_CPPFLAGS = $(CPPFLAGS) \ -I$(top_builddir)/gl check_PROGRAMS = $(ctests) -dist_check_SCRIPTS = rfc2253-escape-test rsa-md5-collision/rsa-md5-collision.sh systemkey.sh +dist_check_SCRIPTS = rfc2253-escape-test rsa-md5-collision/rsa-md5-collision.sh systemkey.sh \ + p11-kit-trust.sh if !WINDOWS dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh starttls-smtp.sh \ 
diff --git a/tests/p11-kit-trust-data/Example_Root_CA.p11-kit b/tests/p11-kit-trust-data/Example_Root_CA.p11-kit
new file mode 100644
index 0000000000..3300d464b8
--- /dev/null
+++ b/tests/p11-kit-trust-data/Example_Root_CA.p11-kit
@@ -0,0 +1,11 @@
+[p11-kit-object-v1]
+class: x-certificate-extension
+label: "Example CA restriction for example.com and corp.example.com"
+object-id: 2.5.29.30
+value: "%30%2e%06%03%55%1d%1e%04%27%30%25%a0%23%30%0d%82%0b%65%78%61%6d%70%6c%65%2e%63%6f%6d%30%12%82%10%63%6f%72%70%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d"
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRtTajie6qgC9T/RJ1PvN6ntav
++rwcYBBLJoETGlnj/kVsOAQ5J0ZX/dW8jYoQtjvUCoFaRS/sPoHw2U5Pl99LMg8I
+sSaivWlhXWY5Yy8QcDX7B4UK/1cSwfSDHfnG06S2cCuAoUB/SE7ZreuAzM+SwdGD
+ZAEjR469MZgFa2t8NwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/tests/p11-kit-trust-data/Example_Root_CA.pem b/tests/p11-kit-trust-data/Example_Root_CA.pem
new file mode 100644
index 0000000000..836981577b
--- /dev/null
+++ b/tests/p11-kit-trust-data/Example_Root_CA.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7DCCAVWgAwIBAgIIWRMNpygap1cwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE
+AxMKRXhhbXBsZSBDQTAgFw0xNzA1MTAxMjU1MDVaGA85OTk5MTIzMTIzNTk1OVow
+FTETMBEGA1UEAxMKRXhhbXBsZSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEA0bU2o4nuqoAvU/0SdT7zep7Wr/q8HGAQSyaBExpZ4/5FbDgEOSdGV/3VvI2K
+ELY71AqBWkUv7D6B8NlOT5ffSzIPCLEmor1pYV1mOWMvEHA1+weFCv9XEsH0gx35
+xtOktnArgKFAf0hO2a3rgMzPksHRg2QBI0eOvTGYBWtrfDcCAwEAAaNDMEEwDwYD
+VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTAf2LZgNFX
+6uQKWnFh05Br9JgOUjANBgkqhkiG9w0BAQsFAAOBgQA0xZVI3WmyWaa56nTSiuco
+3u0Cye7N8bSzlfi2kmyh8efA7/OCyBuUzCtvmiftsfcG6fPz3A8fdk5sA2oy0gyY
+kJXukhHmLP0FHLVpa3vw1Sva5AlAkLGeQ25aSeYVZCASalMAAS72WAhsKdaD5TRS
+ifWyno0SswLLpXIJsLW2Lw==
+-----END CERTIFICATE-----
diff --git a/tests/p11-kit-trust.sh b/tests/p11-kit-trust.sh
new file mode 100755
index 0000000000..075f9bc99f
--- /dev/null
+++ b/tests/p11-kit-trust.sh
@@ -0,0 +1,137 @@
+#!/bin/sh
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of p11-kit.
+#
+# p11-kit is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# p11-kit is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}"
+CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+
+EXPORTED_FILE=out.$$.tmp
+DER_FILE=out-der.$$.tmp
+TMPFILE=out-tmp.$$.tmp
+
+for lib in /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/;do
+ if test -f "${lib}/p11-kit-trust.so"; then
+ MODULE="${lib}/p11-kit-trust.so"
+ break
+ fi
+done
+
+if ! test -x "${P11TOOL}"; then
+ echo "p11tool was not found"
+ exit 77
+fi
+
+if ! test -f "${MODULE}"; then
+ echo "p11-kit trust module was not found"
+ exit 77
+fi
+
+TRUST_PATH="${srcdir}/p11-kit-trust-data/"
+CACERT=${TRUST_PATH}/Example_Root_CA.pem
+
+# Test whether a CA extracted from a trust store can retrieve stapled
+# extensions.
+
+OPTS="--provider ${MODULE} --provider-opts trusted,p11-kit:paths=\"${TRUST_PATH}\""
+
+# Informational
+${P11TOOL} --list-all-certs ${OPTS} 'pkcs11:'
+
+
+####
+# Test 1: Extract the CA certificate from store
+
+${P11TOOL} --export 'pkcs11:object=Example%20CA' ${OPTS} --outder --outfile ${EXPORTED_FILE}
+if test "$?" != "0"; then
+ echo "Exporting failed (1)"
+ exit 1
+fi
+
+${CERTTOOL} -i --infile ${CACERT} --outder --outfile ${DER_FILE}
+if test "$?" != "0"; then
+ echo "Exporting failed (2)"
+ exit 1
+fi
+
+${DIFF} ${EXPORTED_FILE} ${DER_FILE}
+if test "$?" != "0"; then
+ echo "Files ${EXPORTED_FILE} and ${DER_FILE} are not identical"
+ exit 1
+fi
+
+rm -f ${EXPORTED_FILE} ${DER_FILE} ${TMPFILE}
+
+echo "Root CA retrieval test passed..."
+
+####
+# Test 2: Extract the certificate from store with the stapled data
+
+${P11TOOL} --export-stapled 'pkcs11:object=Example%20CA' ${OPTS} --outder --outfile ${EXPORTED_FILE}
+if test "$?" != "0"; then
+ echo "Exporting failed (3)"
+ exit 1
+fi
+
+${CERTTOOL} -i --infile ${CACERT} --outder --outfile ${DER_FILE}
+if test "$?" != "0"; then
+ echo "Exporting failed (4)"
+ exit 1
+fi
+
+${DIFF} ${EXPORTED_FILE} ${DER_FILE}
+if test "$?" = "0"; then
+ echo "Files are identical; no extensions were stapled"
+ exit 1
+fi
+
+${CERTTOOL} -i --inder --infile ${EXPORTED_FILE} --outfile ${TMPFILE}
+if test "$?" != "0"; then
+ echo "PEM converting failed"
+ exit 1
+fi
+
+grep -i "Name Constraints" ${TMPFILE}
+if test "$?" != "0"; then
+ cat ${TMPFILE}
+ echo "No name constraints found (1)"
+ exit 1
+fi
+
+grep -i "Permitted" ${TMPFILE}
+if test "$?" != "0"; then
+ cat ${TMPFILE}
+ echo "No name constraints found (2)"
+ exit 1
+fi
+
+grep -i "DNSname: example.com" ${TMPFILE}
+if test "$?" != "0"; then
+ cat ${TMPFILE}
+ echo "No name constraints found (3)"
+ exit 1
+fi
+
+echo "Root CA with stapled extensions retrieval test passed..."
+
+rm -f ${EXPORTED_FILE} ${DER_FILE} ${TMPFILE}
+exit 0
-- cgit v1.2.1
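Review bot: Every `exit 1` in Test 1 and Test 2 leaves `${EXPORTED_FILE}`, `${DER_FILE}` and `${TMPFILE}` behind in the build directory, because the two `rm -f` lines only run on the success paths; registering the cleanup once, `trap 'rm -f ${EXPORTED_FILE} ${DER_FILE} ${TMPFILE}' EXIT` right after the three `out.$$.tmp` assignments, covers every exit and makes the explicit `rm -f` lines redundant. Those `out.$$.tmp` names are also predictable, where `mktemp` would be the usual choice, though for a test confined to its own build tree that is a minor point. The stapled-extension check would be stronger if it also asserted the second permitted subtree that the `Example_Root_CA.p11-kit` fixture encodes, e.g. `grep -i "DNSname: corp.example.com" ${TMPFILE}` next to the existing `example.com` grep, since an export that stapled only the first name would currently pass. Using `grep -F` (or escaping the dot) in those three checks would keep `.` from matching any character.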