zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c

Browse Source 
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
This commit is contained in:
Dr. David von Oheimb 2020-12-19 19:49:25 +01:00 committed by Dr. David von Oheimb
parent 6ad957f127
commit f0a057dd53
3 changed files with 108 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
test/recipes/25-test_req.t
View File

@ -15,10 +15,12 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_req");
plan tests => 16;
plan tests => 39;
require_ok(srctop_file('test','recipes','tconversion.pl'));
my @certs = qw(test certs);
# What type of key to generate?
my @req_new;
if (disabled("rsa")) {
@ -190,7 +192,7 @@ subtest "generating SM2 certificate requests" => sub {
if disabled("sm2");
ok(run(app(["openssl", "req",
"-config", srctop_file("test", "test.cnf"),
"-new", "-key", srctop_file("test", "certs", "sm2.key"),
"-new", "-key", srctop_file(@certs, "sm2.key"),
"-sigopt", "distid:1234567812345678",
"-out", "testreq-sm2.pem", "-sm3"])),
"Generating SM2 certificate request");
@ -203,7 +205,7 @@ subtest "generating SM2 certificate requests" => sub {
ok(run(app(["openssl", "req",
"-config", srctop_file("test", "test.cnf"),
"-new", "-key", srctop_file("test", "certs", "sm2.key"),
"-new", "-key", srctop_file(@certs, "sm2.key"),
"-sigopt", "hexdistid:DEADBEEF",
"-out", "testreq-sm2.pem", "-sm3"])),
"Generating SM2 certificate request with hex id");
@ -246,3 +248,81 @@ sub run_conversion {
done_testing();
};
}
# Test both generation and verification of certs w.r.t. RFC 5280 requirements
my $ca_cert; # will be set below
sub generate_cert {
my $cert = shift @_;
my $ss = $cert =~ m/self-signed/;
my $is_ca = $cert =~ m/CA/;
my $cn = $is_ca ? "CA" : "EE";
my $ca_key = srctop_file(@certs, "ca-key.pem");
my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem");
my @cmd = ("openssl", "req", "-config", "\"\"","-x509",
"-key", $key, "-subj", "/CN=$cn", @_, "-out", $cert);
push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss;
ok(run(app([@cmd])), "generate $cert");
}
sub has_SKID {
my $cert = shift @_;
my $expect = shift @_;
cert_contains($cert, "Subject Key Identifier", $expect);
}
sub has_AKID {
my $cert = shift @_;
my $expect = shift @_;
cert_contains($cert, "Authority Key Identifier", $expect);
}
sub strict_verify {
my $cert = shift @_;
my $expect = shift @_;
my $trusted = shift @_;
$trusted = $cert unless $trusted;
ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted,
"-partial_chain", $cert])) == $expect,
"strict verify allow $cert");
}
my @v3_ca = ("-addext", "basicConstraints = critical,CA:true",
"-addext", "keyUsage = keyCertSign");
my $cert = "self-signed_v1_CA_no_KIDs.pem";
generate_cert($cert);
has_SKID($ca_cert, 0);
has_AKID($ca_cert, 0);
#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA
$ca_cert = "self-signed_v3_CA_default_SKID.pem";
generate_cert($ca_cert, @v3_ca);
has_SKID($ca_cert, 1);
has_AKID($ca_cert, 0);
strict_verify($ca_cert, 1);
$cert = "self-signed_v3_CA_no_SKID.pem";
generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none");
has_SKID($cert, 0);
has_AKID($cert, 0);
#TODO strict_verify($cert, 0);
$cert = "self-signed_v3_CA_both_KIDs.pem";
generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash",
"-addext", "authorityKeyIdentifier = keyid");
has_SKID($cert, 1);
has_AKID($cert, 1);
strict_verify($cert, 1);
$cert = "self-signed_v3_EE_wrong_keyUsage.pem";
generate_cert($cert, "-addext", "keyUsage = keyCertSign");
#TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply
$cert = "v3_EE_default_KIDs.pem";
generate_cert($cert, "-addext", "keyUsage = dataEncipherment");
has_SKID($cert, 1);
has_AKID($cert, 1);
strict_verify($cert, 1, $ca_cert);
$cert = "v3_EE_no_AKID.pem";
generate_cert($cert, "-addext", "authorityKeyIdentifier = none");
has_SKID($cert, 1);
has_AKID($cert, 0);
strict_verify($cert, 0, $ca_cert);

19
test/recipes/25-test_x509.t
View File

@ -20,6 +20,7 @@ plan tests => 15;
require_ok(srctop_file('test','recipes','tconversion.pl'));
my @certs = qw(test certs);
my $pem = srctop_file("test/certs", "cyrillic.pem");
my $out_msb = "out-cyrillic.msb";
my $out_utf8 = "out-cyrillic.utf8";
@ -88,21 +89,9 @@ subtest 'x509 -- pathlen' => sub {
ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")])));
};
subtest 'x500 -- subjectAltName' => sub {
my $fp = srctop_file("test/certs", "fake-gp.pem");
my $out = "ext.out";
ok(run(app(["openssl", "x509", "-text", "-in", $fp, "-out", $out])));
ok(has_doctor_id($out));
unlink $out;
};
sub has_doctor_id {
$_ = shift @_;
open(DATA,$_) or return 0;
$_= join('',<DATA>);
close(DATA);
return m/2.16.528.1.1003.1.3.5.5.2-1-0000006666-Z-12345678-01.015-12345678/;
}
cert_contains(srctop_file(@certs, "fake-gp.pem"),
"2.16.528.1.1003.1.3.5.5.2-1-0000006666-Z-12345678-01.015-12345678",
1, 'x500 -- subjectAltName');
sub test_errors { # actually tests diagnostics of OSSL_STORE
my ($expected, $cert, @opts) = @_;

21
test/recipes/tconversion.pl
View File

@ -108,4 +108,25 @@ sub cmp_text {
});
}
sub file_contains {
$_ = shift @_;
my $pattern = shift @_;
open(DATA,$_) or return 0;
$_= join('',<DATA>);
close(DATA);
return m/$pattern/ ? 1 : 0;
}
sub cert_contains {
my $cert = shift @_;
my $pattern = shift @_;
my $expected = shift @_;
my $name = shift @_;
my $out = "tmp.out";
run(app(["openssl", "x509", "-noout", "-text", "-in", $cert, "-out", $out]));
is(file_contains($out, $pattern), $expected, ($name ? "$name: " : "").
"$cert should ".($expected ? "" : "not ")."contain $pattern");
# not unlinking $out
}
1;