From a7623bc56970ea26ef9b65750272ba9a38b364f2 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sun, 16 Sep 2018 15:54:41 +0200 Subject: tests: added CRL verification tests This tests CRL verification with certtool --verify-crl on correct and incorrect cases. Relates #564 Signed-off-by: Nikos Mavrogiannopoulos --- tests/cert-tests/Makefile.am | 3 ++- tests/cert-tests/crl | 20 ++++++++++++++++++++ tests/cert-tests/data/ca-crl-invalid.crl | 14 ++++++++++++++ tests/cert-tests/data/ca-crl-invalid.pem | 21 +++++++++++++++++++++ tests/cert-tests/data/ca-crl-valid.crl | 14 ++++++++++++++ tests/cert-tests/data/ca-crl-valid.pem | 21 +++++++++++++++++++++ 6 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 tests/cert-tests/data/ca-crl-invalid.crl create mode 100644 tests/cert-tests/data/ca-crl-invalid.pem create mode 100644 tests/cert-tests/data/ca-crl-valid.crl create mode 100644 tests/cert-tests/data/ca-crl-valid.pem diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 7da9e898f4..9e29079fc4 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -92,7 +92,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/key-invalid4.der data/key-invalid5.der data/key-invalid6.der \ data data/pkcs8-invalid9.der data/key-invalid2.der data/pkcs8-invalid10.der \ data/key-invalid3.der data/pkcs8-eddsa.pem data/pkcs8-eddsa.pem.txt \ - data/rfc4490.p7b data/rfc4490.p7b.out data/gost01.p12 data/gost12.p12 data/gost12-2.p12 + data/rfc4490.p7b data/rfc4490.p7b.out data/gost01.p12 data/gost12.p12 data/gost12-2.p12 \ + data/ca-crl-invalid.crl data/ca-crl-invalid.pem data/ca-crl-valid.pem data/ca-crl-valid.crl dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ diff --git a/tests/cert-tests/crl b/tests/cert-tests/crl index f82bb0196c..f1d1c9683c 100755 --- a/tests/cert-tests/crl +++ b/tests/cert-tests/crl @@ -265,6 +265,26 @@ if test "$?" != "0"; then exit 1 fi +# Check CRL verification + +## CRL validation is expected to succeed +${VALGRIND} "${CERTTOOL}" --verify-crl --infile "${srcdir}/data/ca-crl-valid.crl" --load-ca-certificate \ + "${srcdir}/data/ca-crl-valid.pem" >${OUTFILE} 2>${INFOFILE} +rc=$? +if test "${rc}" != "0"; then + echo "CRL verification failed" + exit ${rc} +fi + +## CRL validation is expected to fail because the CA doesn't have the CRLSign key usage flag +${VALGRIND} "${CERTTOOL}" --verify-crl --infile "${srcdir}/data/ca-crl-invalid.crl" --load-ca-certificate \ + "${srcdir}/data/ca-crl-invalid.pem" >${OUTFILE} 2>${INFOFILE} +rc=$? +if test "${rc}" = "0"; then + echo "CRL verification succeeded when shouldn't" + exit 1 +fi + rm -f "${OUTFILE}" rm -f "${INFOFILE}" rm -f "${OUTFILE2}" diff --git a/tests/cert-tests/data/ca-crl-invalid.crl b/tests/cert-tests/data/ca-crl-invalid.crl new file mode 100644 index 0000000000..68b7c1159d --- /dev/null +++ b/tests/cert-tests/data/ca-crl-invalid.crl @@ -0,0 +1,14 @@ +-----BEGIN X509 CRL----- +MIICJjCB3wIBATA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqG +SIb3DQEBCDALBglghkgBZQMEAgGiAwIBQDAPMQ0wCwYDVQQDEwRDQS0wFw0xODA5 +MTYxMzM1NDJaGA85OTk5MTIzMTIzNTk1OVowJzAlAhQocdck3Pu5MeIpUpjb4Fis ++aYhsRcNMTgwOTE2MTMzNTQyWqBBMD8wHwYDVR0jBBgwFoAUpNhDUvJwLqnKF+mm +w5aF/wgkSEowHAYDVR0UBBUCE1ueXC860KlshpgThgNNyWGQU8QwPQYJKoZIhvcN +AQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIB +ogMCAUADggEBAElYoCVyM5W5vTfMeC7tI8WUqC3lIEXG+85AmY949KLvcx65ZAlX +fLXxx+nj0fMmL/efQEHCbpK8MfZmdesuazELePLs+e94ESZbRD4IAg2S7jCqmQ6j +Pr5vB/5A8xAIkUg+SDoPVX5VTH5UsVYhJmEfWnvkZehMst38CUqeyLJ5gp83d9nz +IuaDaHL1EOh/F+Ul/PANnyot2tHh02WBRbLI0c0Sr7nsVvHwIMfNtB0kXFKg5fmJ +puwhtNJGinWXpEgoMls7KXf+HOhiOwrMyTLxjhkawVRpjpdlMDPFp4sB0NdcIfr1 +HocKGTK84068uzN8Sk1QSuXpccL4YCr/fNo= +-----END X509 CRL----- diff --git a/tests/cert-tests/data/ca-crl-invalid.pem b/tests/cert-tests/data/ca-crl-invalid.pem new file mode 100644 index 0000000000..24adf409bb --- /dev/null +++ b/tests/cert-tests/data/ca-crl-invalid.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgTCCAjmgAwIBAgIUYrdL5TzzAJamxI3rTXeNdP+1SrUwPQYJKoZIhvcNAQEK +MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC +AUAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xODA5MTYxMzIzNTNaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg +hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC +AQoCggEBAK4RFQTNLU6aXid/ji3MU6W4iAYfFHGyxOgd/69wJ/yFu/gfBqJ3lNVy ++FvQvWtqq1N+mPixWjNIjPrHHsfEWhfNXEi3tSbcNwBFxMJ5Wc07BrYdrpQqfNb/ +Qb3cZbmWmmWp/A+BBFD09sI2imjVvJstjCUux6xxGG4jgXAdGkcAXH7ehi+D7nXQ +yuIlfAv0QH2gWtHJ1wc3tMHghxSpBhS+KU2QxuRlQPlQrFfTSzjjQSYJ8qqFvYDN +4emSFKEc5iJSRPrleTNDtSf5BQ7JVBmvBOCkUvlkVV6QjU+zMaJbwqaQuE7mOHbo +myUCujP/k6eKv+P3l6OI+zu7+zBaebkCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBSk2ENS8nAuqcoX6abDloX/CCRI +SjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDAL +BglghkgBZQMEAgGiAwIBQAOCAQEAkGJ1suWS6LS7NcYk37KmfREcOMmh9lQdi4re +tycRwn2tDaaRvRaiHAGndxZAPTfF9yBJ5LOzcSvSGsCOa2GE5Y3WtIVInadSudli +o8pxSoWon0vF7dBzZGbC+/iSbKoF7bwF4WTE9dqEdMWOE/+eHT3RsJqtk0PdbBqD +nqjQyb6QdrKPveoDVyfxszLA2gdJoTA6J+DJ5s8j197Hp9zXoPoIWY5/JDKpQweD +mGAS9Efhx5UPbnluqlj/HzG0U43gLajYcSenG35uszF+muS9FrsYZb0qtl9vQ5zJ +zmSAnjFYa8/p/zmcZKmZf0GIrxUQzn1lddy0Ys42cF22gc3sSg== +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/ca-crl-valid.crl b/tests/cert-tests/data/ca-crl-valid.crl new file mode 100644 index 0000000000..d8d8ba8df1 --- /dev/null +++ b/tests/cert-tests/data/ca-crl-valid.crl @@ -0,0 +1,14 @@ +-----BEGIN X509 CRL----- +MIICJjCB3wIBATA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqG +SIb3DQEBCDALBglghkgBZQMEAgGiAwIBQDAPMQ0wCwYDVQQDEwRDQS0wFw0xODA5 +MTYxMzQ4MjBaGA85OTk5MTIzMTIzNTk1OVowJzAlAhQYv9ruS7EaM2V7tn8kz3Rh +vQxmhxcNMTgwOTE2MTM0ODIwWqBBMD8wHwYDVR0jBBgwFoAUUPN34B1PsHCSBKfl +DvkuCvTuz+QwHAYDVR0UBBUCE1ueXyYRxCO5zh+eeQTS31LHIvMwPQYJKoZIhvcN +AQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIB +ogMCAUADggEBAH+J2DiyaZ+qKWKnrRluWQK/KSJ/a+Do7ox18swNg3VMtEP360TB +vh0/ctrbeb/H12YmwvrQdMPSIAcDiyBGannqG3L2mijDXZq3F2azL0WZiKAsDsBi +a3DW28F9KDPBQYuiUVYCn/C3r0CtDJuv1eARZtyc2BLujRgXUibVJej6U26mtPjs +DcDsXIWmBqRquMXhj0TY0MvkbNvT1XhDBBmSlQo+EC5zz5FZ4e9DvWiPcJqgkx4X +S58Xh+tpQR9IyyO8OLkNpMy5Zy1J6o3rTO5ZScEzjaO45YmN7BFoMljOdD1W2ID5 +MHVXfLRltra7qiZLXKhZ0aHfkzD3Xdu74JQ= +-----END X509 CRL----- diff --git a/tests/cert-tests/data/ca-crl-valid.pem b/tests/cert-tests/data/ca-crl-valid.pem new file mode 100644 index 0000000000..53dab807c3 --- /dev/null +++ b/tests/cert-tests/data/ca-crl-valid.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgTCCAjmgAwIBAgIUIhM6Lo4vY8WseBrZi5UmDsqK3AAwPQYJKoZIhvcNAQEK +MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC +AUAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xODA5MTYxMzQ4MDVaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg +hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC +AQoCggEBANPX6SGS5KZmUtn1ZT5CtvcMv3hKLosvLEYzpvbjjprFdL3UmBlWSu9f +u/0az9kT6D0maWKmtiF0AT4dD5CL/8391l2ZhiG9wxopBXAnxBRkO2+YZcaNY+ty +4PqZauWc2InZ0rMYI8rfSbUREgWO+d8SBBbU2wACzh1AZwMbtjEc2aGP+PXiC4m0 +axxRk0lD4ZpklA8oVMIwUNS09NQcbn7YqlnxCVxd22Z40XspeCsihXkI2d1OXWmG +J3HtEi3Ors1jyeGF3B68TplPJ3I1buuVTVJv32mVj4elQr78kTRtxyWoxL+pDt3y +o95W+VOvuAfULQWNuk49w901t4mimEcCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBRQ83fgHU+wcJIEp+UO+S4K9O7P +5DA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDAL +BglghkgBZQMEAgGiAwIBQAOCAQEAluZhfkQIDnSj+uQJpb0hTNW4cMqQXSM0khAe +LYunzXvksXFnRz5w/qLNcvQQ94s1ej8RAXJQXG63x51eAlpwqLffcXA1rGCpUBwM +9NsiNVkh/wMyZ0LcoyztvFRI/9JR40HzUWvp4k/SxLT25BQavlwborEO45HxHk1Q +hEeWyuxNt/V9QKQ/DKtPQbbObT4gfg+mwWNntRS8VKqd1PsFr4oxmFXgGkpu04uW +QV63kq7b54RzgYIPssm2Vr9JvLoZ+1q9VhZT08wx6NDxPIe70HydqTcfsOA8p84o +MvcleJjNs4+1RPmNVhnnZDPYtBNnudn8NtMaN5AzZWa3Y41boA== +-----END CERTIFICATE----- -- cgit v1.2.1