From f08198bfb50f8991299eb8a531519ea8f83c29ad Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 24 Nov 2016 13:17:41 +0100 Subject: tests: added complex verification example using PKCS#7 That uses multiple intermediate certificates from the PKCS#7 structure. --- tests/cert-tests/Makefile.am | 5 +- tests/cert-tests/data/pkcs7-cat-ca.pem | 145 +++++++++++++++++++++++++++++++++ tests/cert-tests/data/pkcs7-cat.p7 | Bin 0 -> 329940 bytes tests/cert-tests/pkcs7-cat | 45 ++++++++++ 4 files changed, 193 insertions(+), 2 deletions(-) create mode 100644 tests/cert-tests/data/pkcs7-cat-ca.pem create mode 100644 tests/cert-tests/data/pkcs7-cat.p7 create mode 100755 tests/cert-tests/pkcs7-cat diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 5880db5c3e..9e0ff0d7e6 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -59,13 +59,14 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/srv-public-localhost-signed.gpg data/selfsigs/alice-mallory-badsig18.pub \ data/selfsigs/alice-mallory-irrelevantsig.pub data/selfsigs/alice-mallory-nosig18.pub \ data/selfsigs/alice.pub data/key-utf8-1.p12 data/key-utf8-2.p12 \ - data/code-signing-ca.pem data/code-signing-cert.pem data/multi-value-dn.pem + data/code-signing-ca.pem data/code-signing-cert.pem data/multi-value-dn.pem \ + data/pkcs7-cat-ca.pem data/pkcs7-cat.p7 dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ provable-dh userid sha2-test sha2-dsa-test provable-privkey-dsa2048 \ provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \ - pkcs7-constraints2 certtool-long-oids + pkcs7-constraints2 certtool-long-oids pkcs7-cat if WANT_TEST_SUITE dist_check_SCRIPTS += provable-dh-default 
diff --git a/tests/cert-tests/data/pkcs7-cat-ca.pem b/tests/cert-tests/data/pkcs7-cat-ca.pem
new file mode 100644
index 0000000000..742d80f1d4
--- /dev/null
+++ b/tests/cert-tests/data/pkcs7-cat-ca.pem
@@ -0,0 +1,145 @@ +X.509 Certificate Information: + Version: 3 + Serial Number (hex): 79ad16a14aa0a5ad4c7358f407132e65 + Issuer: DC=com,DC=microsoft,CN=Microsoft Root Certificate Authority + Validity: + Not Before: Wed May 09 23:19:22 UTC 2001 + Not After: Sun May 09 23:28:13 UTC 2021 + Subject: DC=com,DC=microsoft,CN=Microsoft Root Certificate Authority + Subject Public Key Algorithm: RSA + Algorithm Security Level: High (4096 bits) + Modulus (bits 4096): + 00:f3:5d:fa:80:67:d4:5a:a7:a9:0c:2c:90:20:d0:35 + 08:3c:75:84:cd:b7:07:89:9c:89:da:de:ce:c3:60:fa + 91:68:5a:9e:94:71:29:18:76:7c:c2:e0:c8:25:76:94 + 0e:58:fa:04:34:36:e6:df:af:f7:80:ba:e9:58:0b:2b + 93:e5:9d:05:e3:77:22:91:f7:34:64:3c:22:91:1d:5e + e1:09:90:bc:14:fe:fc:75:58:19:e1:79:b7:07:92:a3 + ae:88:59:08:d8:9f:07:ca:03:58:fc:68:29:6d:32:d7 + d2:a8:cb:4b:fc:e1:0b:48:32:4f:e6:eb:b8:ad:4f:e4 + 5c:6f:13:94:99:db:95:d5:75:db:a8:1a:b7:94:91:b4 + 77:5b:f5:48:0c:8f:6a:79:7d:14:70:04:7d:6d:af:90 + f5:da:70:d8:47:b7:bf:9b:2f:6c:e7:05:b7:e1:11:60 + ac:79:91:14:7c:c5:d6:a6:e4:e1:7e:d5:c3:7e:e5:92 + d2:3c:00:b5:36:82:de:79:e1:6d:f3:b5:6e:f8:9f:33 + c9:cb:52:7d:73:98:36:db:8b:a1:6b:a2:95:97:9b:a3 + de:c2:4d:26:ff:06:96:67:25:06:c8:e7:ac:e4:ee:12 + 33:95:31:99:c8:35:08:4e:34:ca:79:53:d5:b5:be:63 + 32:59:40:36:c0:a5:4e:04:4d:3d:db:5b:07:33:e4:58 + bf:ef:3f:53:64:d8:42:59:35:57:fd:0f:45:7c:24:04 + 4d:9e:d6:38:74:11:97:22:90:ce:68:44:74:92:6f:d5 + 4b:6f:b0:86:e3:c7:36:42:a0:d0:fc:c1:c0:5a:f9:a3 + 61:b9:30:47:71:96:0a:16:b0:91:c0:42:95:ef:10:7f + 28:6a:e3:2a:1f:b1:e4:cd:03:3f:77:71:04:c7:20:fc + 49:0f:1d:45:88:a4:d7:cb:7e:88:ad:8e:2d:ec:45:db + c4:51:04:c9:2a:fc:ec:86:9e:9a:11:97:5b:de:ce:53 + 88:e6:e2:b7:fd:ac:95:c2:28:40:db:ef:04:90:df:81 + 33:39:d9:b2:45:a5:23:87:06:a5:55:89:31:bb:06:2d + 60:0e:41:18:7d:1f:2e:b5:97:cb:11:eb:15:d5:24:a5 + 94:ef:15:14:89:fd:4b:73:fa:32:5b:fc:d1:33:00:f9 + 59:62:70:07:32:ea:2e:ab:40:2d:7b:ca:dd:21:67:1b + 30:99:8f:16:aa:23:a8:41:d1:b0:6e:11:9b:36:c4:de + 
40:74:9c:e1:58:65:c1:60:1e:7a:5b:38:c8:8f:bb:04 + 26:7c:d4:16:40:e5:b6:6b:6c:aa:86:fd:00:bf:ce:c1 + 35 + Exponent (bits 24): + 01:00:01 + Extensions: + Key Usage (not critical): + Digital signature. + Non repudiation. + Certificate signing. + CRL signing. + Basic Constraints (critical): + Certificate Authority (CA): TRUE + Subject Key Identifier (not critical): + 0eac826040562797e52513fc2ae10a539559e4a4 + Unknown extension 1.3.6.1.4.1.311.21.1 (not critical): + ASCII: ... + Hexdump: 020100 + Signature Algorithm: RSA-SHA1 + Signature: + c5:11:4d:03:3a:60:dd:5d:52:11:77:8f:b2:bb:36:c8 + b2:05:bf:b4:b7:a8:d8:20:9d:5c:13:03:b6:1c:22:fa + 06:13:35:b6:c8:63:d4:9a:47:6f:26:57:d2:55:f1:04 + b1:26:5f:d6:a9:50:68:a0:bc:d2:b8:6e:cc:c3:e9:ac + df:19:cd:78:ac:59:74:ac:66:34:36:c4:1b:3e:6c:38 + 4c:33:0e:30:12:0d:a3:26:fe:51:53:00:ff:af:5a:4e + 84:0d:0f:1f:e4:6d:05:2e:4e:85:4b:8d:6c:33:6f:54 + d2:64:ab:bf:50:af:7d:7a:39:a0:37:ed:63:03:0f:fc + 13:06:ce:16:36:d4:54:3b:95:1b:51:62:3a:e5:4d:17 + d4:05:39:92:9a:27:a8:5b:aa:bd:ec:bb:be:e3:20:89 + 60:71:6c:56:b3:a5:13:d0:6d:0e:23:7e:95:03:ed:68 + 3d:f2:d8:63:b8:6b:4d:b6:e8:30:b5:e1:ca:94:4b:f7 + a2:aa:5d:99:30:b2:3d:a7:c2:51:6c:28:20:01:24:27 + 2b:4b:00:b7:9d:11:6b:70:be:b2:10:82:bc:0c:9b:68 + d0:8d:3b:24:87:aa:99:28:72:9d:33:5f:59:90:bd:f5 + de:93:9e:3a:62:5a:34:39:e2:88:55:1d:b9:06:b0:c1 + 89:6b:2d:d7:69:c3:19:12:36:84:d0:c9:a0:da:ff:2f + 69:78:b2:e5:7a:da:eb:d7:0c:c0:f7:bd:63:17:b8:39 + 13:38:a2:36:5b:7b:f2:85:56:6a:1d:64:62:c1:38:e2 + aa:bf:51:66:a2:94:f5:12:9c:66:22:10:6b:f2:b7:30 + 92:2d:f2:29:f0:3d:3b:14:43:68:a2:f1:9c:29:37:cb + ce:38:20:25:6d:7c:67:f3:7e:24:12:24:03:08:81:47 + ec:a5:9e:97:f5:18:d7:cf:bb:d5:ef:76:96:ef:fd:ce + db:56:9d:95:a0:42:f9:97:58:e1:d7:31:22:d3:5f:59 + e6:3e:6e:22:00:ea:43:84:b6:25:db:d9:f3:08:56:68 + c0:64:6b:1d:7c:ec:b6:93:a2:62:57:6e:2e:d8:e7:58 + 8f:c4:31:49:26:dd:de:29:35:87:f5:30:71:70:5b:14 + 3c:69:bd:89:12:7d:eb:2e:a3:fe:d8:7f:9e:82:5a:52 + 0a:2b:c1:43:2b:d9:30:88:9f:c8:10:fb:89:8d:e6:a1 + 
85:75:33:7e:6c:9e:db:73:13:64:62:69:a5:2f:7d:ca + 96:6d:9f:f8:04:4d:30:92:3d:6e:21:14:21:c9:3d:e0 + c3:fd:8a:6b:9d:4a:fd:d1:a1:9d:99:43:77:3f:b0:da +Other Information: + SHA1 fingerprint: + cdd4eeae6000ac7f40c3802c171e30148030c072 + SHA256 fingerprint: + 885de64c340e3ea70658f01e1145f957fcda27aabeea1ab9faa9fdb0102d4077 + Public Key ID: + 0eac826040562797e52513fc2ae10a539559e4a4 + Public key's random art: + +--[ RSA 4096]----+ + | o.o oOO.. | + |o +==.+ | + |. .E o. | + |. . o . | + |... . + S | + |o+ + + | + |. + o . . | + | o | + | | + +-----------------+ + +-----BEGIN CERTIFICATE----- +MIIFmTCCA4GgAwIBAgIQea0WoUqgpa1Mc1j0BxMuZTANBgkqhkiG9w0BAQUFADBf +MRMwEQYKCZImiZPyLGQBGRYDY29tMRkwFwYKCZImiZPyLGQBGRYJbWljcm9zb2Z0 +MS0wKwYDVQQDEyRNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw +HhcNMDEwNTA5MjMxOTIyWhcNMjEwNTA5MjMyODEzWjBfMRMwEQYKCZImiZPyLGQB +GRYDY29tMRkwFwYKCZImiZPyLGQBGRYJbWljcm9zb2Z0MS0wKwYDVQQDEyRNaWNy +b3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQDzXfqAZ9Rap6kMLJAg0DUIPHWEzbcHiZyJ2t7Ow2D6 +kWhanpRxKRh2fMLgyCV2lA5Y+gQ0Nubfr/eAuulYCyuT5Z0F43cikfc0ZDwikR1e +4QmQvBT+/HVYGeF5tweSo66IWQjYnwfKA1j8aCltMtfSqMtL/OELSDJP5uu4rU/k +XG8TlJnbldV126gat5SRtHdb9UgMj2p5fRRwBH1tr5D12nDYR7e/my9s5wW34RFg +rHmRFHzF1qbk4X7Vw37lktI8ALU2gt554W3ztW74nzPJy1J9c5g224uha6KVl5uj +3sJNJv8GlmclBsjnrOTuEjOVMZnINQhONMp5U9W1vmMyWUA2wKVOBE0921sHM+RY +v+8/U2TYQlk1V/0PRXwkBE2e1jh0EZcikM5oRHSSb9VLb7CG48c2QqDQ/MHAWvmj +YbkwR3GWChawkcBCle8Qfyhq4yofseTNAz93cQTHIPxJDx1FiKTXy36IrY4t7EXb +xFEEySr87IaemhGXW97OU4jm4rf9rJXCKEDb7wSQ34EzOdmyRaUjhwalVYkxuwYt +YA5BGH0fLrWXyxHrFdUkpZTvFRSJ/Utz+jJb/NEzAPlZYnAHMuouq0Ate8rdIWcb +MJmPFqojqEHRsG4RmzbE3kB0nOFYZcFgHnpbOMiPuwQmfNQWQOW2a2yqhv0Av87B +NQIDAQABo1EwTzALBgNVHQ8EBAMCAcYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E +FgQUDqyCYEBWJ5flJRP8KuEKU5VZ5KQwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZI +hvcNAQEFBQADggIBAMURTQM6YN1dUhF3j7K7NsiyBb+0t6jYIJ1cEwO2HCL6BhM1 +tshj1JpHbyZX0lXxBLEmX9apUGigvNK4bszD6azfGc14rFl0rGY0NsQbPmw4TDMO 
+MBINoyb+UVMA/69aToQNDx/kbQUuToVLjWwzb1TSZKu/UK99ejmgN+1jAw/8EwbO +FjbUVDuVG1FiOuVNF9QFOZKaJ6hbqr3su77jIIlgcWxWs6UT0G0OI36VA+1oPfLY +Y7hrTbboMLXhypRL96KqXZkwsj2nwlFsKCABJCcrSwC3nRFrcL6yEIK8DJto0I07 +JIeqmShynTNfWZC99d6TnjpiWjQ54ohVHbkGsMGJay3XacMZEjaE0Mmg2v8vaXiy +5Xra69cMwPe9Yxe4ORM4ojZbe/KFVmodZGLBOOKqv1FmopT1EpxmIhBr8rcwki3y +KfA9OxRDaKLxnCk3y844ICVtfGfzfiQSJAMIgUfspZ6X9RjXz7vV73aW7/3O21ad +laBC+ZdY4dcxItNfWeY+biIA6kOEtiXb2fMIVmjAZGsdfOy2k6JiV24u2OdYj8Qx +SSbd3ik1h/UwcXBbFDxpvYkSfesuo/7Yf56CWlIKK8FDK9kwiJ/IEPuJjeahhXUz +fmye23MTZGJppS99ypZtn/gETTCSPW4hFCHJPeDD/YprnUr90aGdmUN3P7Da +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/pkcs7-cat.p7 b/tests/cert-tests/data/pkcs7-cat.p7 new file mode 100644 index 0000000000..ec9139976b Binary files /dev/null and b/tests/cert-tests/data/pkcs7-cat.p7 differ diff --git a/tests/cert-tests/pkcs7-cat b/tests/cert-tests/pkcs7-cat new file mode 100755 index 0000000000..7a18dd3b47 --- /dev/null +++ b/tests/cert-tests/pkcs7-cat 
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+OUTFILE=out-pkcs7.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+check_for_datefudge
+datefudge -s "2016-10-1" \
+${VALGRIND} "${CERTTOOL}" --p7-verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/pkcs7-cat-ca.pem"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "PKCS7 verification failed (1)"
+ exit 1
+fi
+
+rm -f "${OUTFILE}"
+
+exit 0
-- cgit v1.2.1
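Review bot: The new tests/cert-tests/pkcs7-cat script asserts only the accepting path: its single `--p7-verify` run must return 0, so a verifier that accepted any chain would still pass this test. Consider adding a second run that is required to fail, for instance the same command with `--load-ca-certificate "${srcdir}/data/code-signing-ca.pem"` (a CA file already listed in EXTRA_DIST; that it is unrelated to this chain is an assumption to confirm), followed by `exit 1` when rc is 0. Separately, `DIFF` is set but never used and `OUTFILE` is only ever passed to the final `rm -f`; if output is written there later, `out-pkcs7.$$.tmp` is a predictable name in the working directory. The include should also be quoted, `. "${srcdir}/../scripts/common.sh"`, so that a source path containing spaces does not break the test.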