/*
* Copyright (C) 2008-2012 Free Software Foundation, Inc.
*
* Author: Simon Josefsson
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS. If not, see .
*/
#ifdef HAVE_CONFIG_H
#include
#endif
#include
#include
#include
#include
#include
#include
#include "utils.h"
static void tls_log_func(int level, const char *str)
{
fprintf(stderr, "%s |<%d>| %s", "crq_key_id", level, str);
}
static unsigned char saved_crq_pem[] =
"-----BEGIN NEW CERTIFICATE REQUEST-----\n"
"MIICSDCCAbECAQAwKzEOMAwGA1UEAxMFbmlrb3MxGTAXBgNVBAoTEG5vbmUgdG8s\n"
"IG1lbnRpb24wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALtmQ/Xyxde2jMzF\n"
"3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeLZIkiW8DdU3w77XwEu4C5\n"
"KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKNzj2AC41179gAgY8oBAOg\n"
"Io1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGggdwwEgYJKoZIhvcNAQkHMQUTA2Zv\n"
"bzCBxQYJKoZIhvcNAQkOMYG3MIG0MA8GA1UdEwEB/wQFMAMCAQAwDQYDVR0PAQH/\n"
"BAMDAQAwIwYDVR0RBBwwGoIDYXBhggNmb2+CDnhuLS1reGF3aGsuY29tMB0GA1Ud\n"
"JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjALBgQqAwQFBAPK/v8wFAYILQOCiPS5\n"
"FwUBAf8EBcr+//r+MCsGA1UdEAQkMCKADzIwMTkwNzA5MDQyODI2WoEPMjAxOTA3\n"
"MDkwNzE1MDZaMA0GCSqGSIb3DQEBCwUAA4GBAD5WboLhAYvbStlK1UwvB4b2vmJP\n"
"mfl7S/VmaeBFX8w0lpZTCTCRuB0WJek6YPfXyRsUUJsjWElZeEE0N8V+eQ3oz4um\n"
"N2QCk4Zrc5FRyCkKUe+qaqQhB1ho01ZQDMgkj2B10tubhdrKf17QCzgKEp+5VR46\n"
"Bme4HDJqbHlH+O0y\n"
"-----END NEW CERTIFICATE REQUEST-----\n";
const gnutls_datum_t saved_crq = { saved_crq_pem, sizeof(saved_crq_pem) - 1 };
static unsigned char key_pem[] =
"-----BEGIN RSA PRIVATE KEY-----\n"
"MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n"
"9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n"
"aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n"
"AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n"
"PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n"
"RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n"
"7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n"
"ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n"
"TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n"
"ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n"
"YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n"
"/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n"
"sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n"
"-----END RSA PRIVATE KEY-----\n";
const gnutls_datum_t key = { key_pem, sizeof(key_pem) - 1 };
static time_t mytime(time_t *t)
{
time_t then = 1207000800;
if (t)
*t = then;
return then;
}
#define TIME1 1562646506
#define TIME2 1562656506
#define CPASS "foo"
#define CPASS_OID "1.2.840.113549.1.9.7"
static gnutls_x509_crq_t generate_crq(void)
{
gnutls_x509_crq_t crq;
gnutls_x509_privkey_t pkey;
const char *err;
int ret;
size_t s = 0;
char smallbuf[10];
gnutls_datum_t out;
unsigned crit;
ret = gnutls_x509_privkey_init(&pkey);
if (ret != 0)
fail("gnutls_x509_privkey_init\n");
ret = gnutls_x509_privkey_import(pkey, &key, GNUTLS_X509_FMT_PEM);
if (ret != 0)
fail("gnutls_x509_privkey_import\n");
ret = gnutls_x509_crq_init(&crq);
if (ret != 0)
fail("gnutls_x509_crq_init\n");
ret = gnutls_x509_crq_set_version(crq, 0);
if (ret != 0)
fail("gnutls_x509_crq_set_version\n");
ret = gnutls_x509_crq_set_key(crq, pkey);
if (ret != 0)
fail("gnutls_x509_crq_set_key\n");
s = 0;
ret = gnutls_x509_crq_get_extension_info(crq, 0, NULL, &s, NULL);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
fail("gnutls_x509_crq_get_extension_info\n");
ret = gnutls_x509_crq_set_basic_constraints(crq, 0, 0);
if (ret != 0)
fail("gnutls_x509_crq_set_basic_constraints %d\n", ret);
ret = gnutls_x509_crq_set_key_usage(crq, 0);
if (ret != 0)
fail("gnutls_x509_crq_set_key_usage %d\n", ret);
ret = gnutls_x509_crq_get_challenge_password(crq, NULL, &s);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
fail("%d: gnutls_x509_crq_get_challenge_password %d: %s\n",
__LINE__, ret, gnutls_strerror(ret));
ret = gnutls_x509_crq_set_dn(crq, "o = none to\\, mention,cn = nikos",
&err);
if (ret < 0) {
fail("gnutls_x509_crq_set_dn: %s, %s\n", gnutls_strerror(ret),
err);
}
ret = gnutls_x509_crq_set_challenge_password(crq, CPASS);
if (ret != 0)
fail("gnutls_x509_crq_set_challenge_password %d\n", ret);
s = 0;
ret = gnutls_x509_crq_get_challenge_password(crq, NULL, &s);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER || s != 4)
fail("%d: gnutls_x509_crq_get_challenge_password %d: %s (passlen: %d)\n",
__LINE__, ret, gnutls_strerror(ret), (int)s);
s = 10;
ret = gnutls_x509_crq_get_challenge_password(crq, smallbuf, &s);
if (ret != 0 || s != 3 || strcmp(smallbuf, "foo") != 0)
fail("%d: gnutls_x509_crq_get_challenge_password3 %d/%d/%s\n",
__LINE__, ret, (int)s, smallbuf);
s = 0;
ret = gnutls_x509_crq_get_extension_info(crq, 0, NULL, &s, NULL);
if (ret != 0)
fail("gnutls_x509_crq_get_extension_info2\n");
s = 0;
ret = gnutls_x509_crq_get_extension_data(crq, 0, NULL, &s);
if (ret != 0)
fail("gnutls_x509_crq_get_extension_data\n");
ret = gnutls_x509_crq_set_subject_alt_name(
crq, GNUTLS_SAN_DNSNAME, "foo", 3, GNUTLS_FSAN_APPEND);
if (ret != 0)
fail("gnutls_x509_crq_set_subject_alt_name\n");
ret = gnutls_x509_crq_set_subject_alt_name(
crq, GNUTLS_SAN_DNSNAME, "bar", 3, GNUTLS_FSAN_APPEND);
if (ret != 0)
fail("gnutls_x509_crq_set_subject_alt_name\n");
ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
"apa", 3, GNUTLS_FSAN_SET);
if (ret != 0)
fail("gnutls_x509_crq_set_subject_alt_name\n");
ret = gnutls_x509_crq_set_subject_alt_name(
crq, GNUTLS_SAN_DNSNAME, "foo", 3, GNUTLS_FSAN_APPEND);
if (ret != 0)
fail("gnutls_x509_crq_set_subject_alt_name\n");
ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
"νίκο.com",
strlen("νίκο.com"),
GNUTLS_FSAN_APPEND);
#if defined(HAVE_LIBIDN2)
if (ret != 0)
fail("gnutls_x509_crt_set_subject_alt_name: %s\n",
gnutls_strerror(ret));
#else
if (ret != GNUTLS_E_UNIMPLEMENTED_FEATURE)
fail("gnutls_x509_crt_set_subject_alt_name: %s\n",
gnutls_strerror(ret));
#endif
s = 0;
ret = gnutls_x509_crq_get_key_purpose_oid(crq, 0, NULL, &s, NULL);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
fail("gnutls_x509_crq_get_key_purpose_oid %d\n", ret);
s = 0;
ret = gnutls_x509_crq_set_key_purpose_oid(crq, GNUTLS_KP_TLS_WWW_SERVER,
0);
if (ret != 0)
fail("gnutls_x509_crq_set_key_purpose_oid %d\n", ret);
s = 0;
ret = gnutls_x509_crq_get_key_purpose_oid(crq, 0, NULL, &s, NULL);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
fail("gnutls_x509_crq_get_key_purpose_oid %d\n", ret);
s = 0;
ret = gnutls_x509_crq_set_key_purpose_oid(crq, GNUTLS_KP_TLS_WWW_CLIENT,
1);
if (ret != 0)
fail("gnutls_x509_crq_set_key_purpose_oid2 %d\n", ret);
#define EXT_ID1 "1.2.3.4.5"
#define EXT_ID2 "1.5.3.555555991.5"
#define EXT_DATA1 "\xCA\xFE\xFF"
#define EXT_DATA2 "\xCA\xFE\xFF\xFA\xFE"
/* test writing arbitrary extensions */
ret = gnutls_x509_crq_set_extension_by_oid(crq, EXT_ID1, EXT_DATA1,
sizeof(EXT_DATA1) - 1, 0);
if (ret != 0)
fail("gnutls_x509_crq_set_extension_by_oid %s\n",
gnutls_strerror(ret));
ret = gnutls_x509_crq_set_extension_by_oid(crq, EXT_ID2, EXT_DATA2,
sizeof(EXT_DATA2) - 1, 1);
if (ret != 0)
fail("gnutls_x509_crq_set_extension_by_oid %s\n",
gnutls_strerror(ret));
ret = gnutls_x509_crq_set_private_key_usage_period(crq, TIME1, TIME2);
if (ret != 0)
fail("gnutls_x509_crq_set_private_key_usage_period\n");
ret = gnutls_x509_crq_print(crq, GNUTLS_CRT_PRINT_FULL, &out);
if (ret != 0)
fail("gnutls_x509_crq_print\n");
if (debug)
printf("crq: %.*s\n", out.size, out.data);
gnutls_free(out.data);
ret = gnutls_x509_crq_sign2(crq, pkey, GNUTLS_DIG_SHA256, 0);
if (ret < 0)
fail("gnutls_x509_crq_sign2: %s\n", gnutls_strerror(ret));
gnutls_x509_privkey_deinit(pkey);
/* test reading the arb. extensions */
crit = -1;
ret = gnutls_x509_crq_get_extension_by_oid2(crq, EXT_ID1, 0, &out,
&crit);
if (ret < 0)
fail("gnutls_x509_crq_get_extension_by_oid2: %s\n",
gnutls_strerror(ret));
if (out.size != sizeof(EXT_DATA1) - 1 ||
memcmp(out.data, EXT_DATA1, out.size) != 0) {
fail("ext1 doesn't match\n");
}
if (crit != 0) {
fail("ext1 crit flag doesn't match\n");
}
gnutls_free(out.data);
crit = -1;
ret = gnutls_x509_crq_get_extension_by_oid2(crq, EXT_ID2, 0, &out,
&crit);
if (ret < 0)
fail("gnutls_x509_crq_get_extension_by_oid2: %s\n",
gnutls_strerror(ret));
if (out.size != sizeof(EXT_DATA2) - 1 ||
memcmp(out.data, EXT_DATA2, out.size) != 0) {
fail("ext2 doesn't match\n");
}
if (crit != 1) {
fail("ext2 crit flag doesn't match\n");
}
gnutls_free(out.data);
return crq;
}
/* Tests parameters from the generated CRQ */
static void test_crq(gnutls_x509_crq_t crq)
{
int ret, pathlen;
size_t s = 0;
char buf[64];
gnutls_datum_t out;
time_t t1, t2;
unsigned crit, ca, type;
ret = gnutls_x509_crq_get_dn2(crq, &out);
assert(ret == 0);
assert(out.size == 28);
assert(memcmp(out.data, "CN=nikos,O=none to\\, mention", out.size) ==
0);
gnutls_free(out.data);
ret = gnutls_x509_crq_get_dn3(crq, &out, GNUTLS_X509_DN_FLAG_COMPAT);
assert(ret == 0);
assert(out.size == 28);
assert(memcmp(out.data, "CN=nikos,O=none to\\, mention", out.size) ==
0);
gnutls_free(out.data);
ret = gnutls_x509_crq_get_dn3(crq, &out, 0);
assert(ret == 0);
assert(out.size == 28);
assert(memcmp(out.data, "O=none to\\, mention,CN=nikos", out.size) ==
0);
gnutls_free(out.data);
ret = gnutls_x509_crq_get_basic_constraints(crq, &crit, &ca, &pathlen);
assert(ret == 0);
assert(ca == 0);
assert(pathlen == 0);
s = sizeof(buf);
ret = gnutls_x509_crq_get_subject_alt_name(crq, 0, buf, &s, &type,
&crit);
assert(ret >= 0);
assert(s == 3);
assert(memcmp(buf, "apa", s) == 0);
assert(type == GNUTLS_SAN_DNSNAME);
assert(crit == 0);
s = sizeof(buf);
ret = gnutls_x509_crq_get_subject_alt_name(crq, 1, buf, &s, &type,
&crit);
assert(ret >= 0);
assert(s == 3);
assert(memcmp(buf, "foo", s) == 0);
assert(type == GNUTLS_SAN_DNSNAME);
assert(crit == 0);
ret = gnutls_x509_crq_get_private_key_usage_period(crq, &t1, &t2,
&crit);
if (ret < 0)
fail("gnutls_x509_crq_get_private_key_usage_period: %s\n",
gnutls_strerror(ret));
assert(t1 == TIME1);
assert(t2 == TIME2);
assert(crit == 0);
/* check the challenge password using the attribute APIs */
s = sizeof(buf);
ret = gnutls_x509_crq_get_attribute_info(crq, 1, buf, &s);
assert(ret >= 0);
assert(s == sizeof(CPASS_OID));
assert(memcmp(buf, CPASS_OID, s) == 0);
/* check the contents */
s = sizeof(buf);
ret = gnutls_x509_crq_get_attribute_data(crq, 1, buf, &s);
assert(ret >= 0);
assert(s == sizeof(CPASS) - 1 + 2);
assert(memcmp(buf, "\x13\x03" CPASS, s) == 0);
}
static void run_set_extensions(gnutls_x509_crq_t crq)
{
gnutls_x509_crt_t crt;
const char *err = NULL;
gnutls_datum_t out;
int ret;
ret = global_init();
if (ret < 0)
fail("global_init\n");
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
ret = gnutls_x509_crt_init(&crt);
if (ret != 0)
fail("gnutls_x509_crt_init\n");
ret = gnutls_x509_crt_set_crq(crt, crq);
if (ret != 0)
fail("gnutls_x509_crt_set_crq: %s\n", gnutls_strerror(ret));
ret = gnutls_x509_crt_set_issuer_dn(
crt, "o = big\\, and one, cn = my CA", &err);
if (ret < 0) {
fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n",
gnutls_strerror(ret), err);
}
ret = gnutls_x509_crt_set_version(crt, 3);
if (ret != 0)
fail("gnutls_x509_crt_set_version\n");
ret = gnutls_x509_crt_set_crq_extensions(crt, crq);
if (ret != 0)
fail("gnutls_x509_crt_set_crq_extensions\n");
ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out);
if (ret != 0)
fail("gnutls_x509_crt_print\n");
if (debug)
printf("crt: %.*s\n", out.size, out.data);
gnutls_free(out.data);
ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out);
if (ret < 0 || out.size == 0)
fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n",
gnutls_strerror(ret));
if (out.size != 41 ||
memcmp(out.data,
"\x30\x27\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6d\x79\x20\x43\x41\x31\x15\x30\x13\x06\x03\x55\x04\x0a\x13\x0c\x62\x69\x67\x2c\x20\x61\x6e\x64\x20\x6f\x6e\x65",
41) != 0) {
hexprint(out.data, out.size);
fail("issuer DN comparison failed\n");
}
gnutls_free(out.data);
ret = gnutls_x509_crt_get_raw_dn(crt, &out);
if (ret < 0 || out.size == 0)
fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret));
if (out.size != 45 ||
memcmp(out.data,
"\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e",
45) != 0) {
fail("DN comparison failed\n");
}
gnutls_free(out.data);
gnutls_x509_crt_deinit(crt);
gnutls_global_deinit();
}
static void run_set_extension_by_oid(gnutls_x509_crq_t crq)
{
gnutls_x509_crt_t crt;
const char *err = NULL;
size_t oid_size;
gnutls_datum_t out, out2;
unsigned i;
int ret;
char oid[128];
ret = global_init();
if (ret < 0)
fail("global_init\n");
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
ret = gnutls_x509_crt_init(&crt);
if (ret != 0)
fail("gnutls_x509_crt_init\n");
ret = gnutls_x509_crt_set_crq(crt, crq);
if (ret != 0)
fail("gnutls_x509_crt_set_crq: %s\n", gnutls_strerror(ret));
ret = gnutls_x509_crt_set_issuer_dn(
crt, "o = big\\, and one,cn = my CA", &err);
if (ret < 0) {
fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n",
gnutls_strerror(ret), err);
}
ret = gnutls_x509_crt_set_version(crt, 3);
if (ret != 0)
fail("gnutls_x509_crt_set_version\n");
ret = gnutls_x509_crt_set_crq_extension_by_oid(
crt, crq, GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE, 0);
if (ret != 0)
fail("gnutls_x509_crt_set_crq_extension_by_oid\n");
oid_size = sizeof(oid);
ret = gnutls_x509_crt_get_extension_info(crt, 0, oid, &oid_size, NULL);
if (ret != 0)
fail("gnutls_x509_crt_get_extension_info\n");
if (strcmp(oid, GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE) != 0)
fail("strcmp\n");
ret = gnutls_x509_crt_get_extension_data2(crt, 0, &out);
if (ret != 0)
fail("gnutls_x509_crt_get_extension_data2\n");
for (i = 0;; i++) {
oid_size = sizeof(oid);
ret = gnutls_x509_crq_get_extension_info(crq, i, oid, &oid_size,
NULL);
if (ret < 0)
fail("loop: ext not found: %s\n", gnutls_strerror(ret));
if (strcmp(oid, GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE) == 0) {
ret = gnutls_x509_crq_get_extension_data2(crq, 3,
&out2);
if (ret != 0)
fail("gnutls_x509_crt_get_extension_data2\n");
break;
}
}
if (out.size != out2.size ||
memcmp(out.data, out2.data, out.size) != 0) {
fail("memcmp %d, %d\n", out.size, out2.size);
}
gnutls_free(out.data);
gnutls_free(out2.data);
oid_size = sizeof(oid);
ret = gnutls_x509_crt_get_extension_info(crt, 1, oid, &oid_size, NULL);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
fail("gnutls_x509_crt_get_extension_info\n");
ret = gnutls_x509_crt_get_raw_dn(crt, &out);
if (ret < 0 || out.size == 0)
fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret));
if (out.size != 45 ||
memcmp(out.data,
"\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e",
45) != 0) {
fail("DN comparison failed\n");
}
gnutls_free(out.data);
gnutls_x509_crt_deinit(crt);
gnutls_global_deinit();
}
void doit(void)
{
gnutls_datum_t out;
gnutls_x509_crq_t crq;
gnutls_global_set_time_function(mytime);
crq = generate_crq();
test_crq(crq);
run_set_extensions(crq);
run_set_extension_by_oid(crq);
assert(gnutls_x509_crq_export2(crq, GNUTLS_X509_FMT_PEM, &out) >= 0);
#if defined(HAVE_LIBIDN2)
assert(out.size == saved_crq.size);
assert(memcmp(out.data, saved_crq.data, out.size) == 0);
#endif
gnutls_free(out.data);
gnutls_x509_crq_deinit(crq);
}