From f0a057dd5343ca81849dd140ee9c302cda914f41 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Sat, 19 Dec 2020 19:49:25 +0100
Subject: [PATCH] Add tests for (non-)default SKID and AKID inclusion by
 apps/{req,x509,ca}.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
---
 test/recipes/25-test_req.t  | 86 +++++++++++++++++++++++++++++++++++--
 test/recipes/25-test_x509.t | 19 ++------
 test/recipes/tconversion.pl | 21 +++++++++
 3 files changed, 108 insertions(+), 18 deletions(-)

diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index b5d63fe1da..cb9f8888a5 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,10 +15,12 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_req");
 
-plan tests => 16;
+plan tests => 39;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
+my @certs = qw(test certs);
+
 # What type of key to generate?
 my @req_new;
 if (disabled("rsa")) {
@@ -190,7 +192,7 @@ subtest "generating SM2 certificate requests" => sub {
         if disabled("sm2");
         ok(run(app(["openssl", "req",
                     "-config", srctop_file("test", "test.cnf"),
-                    "-new", "-key", srctop_file("test", "certs", "sm2.key"),
+                    "-new", "-key", srctop_file(@certs, "sm2.key"),
                     "-sigopt", "distid:1234567812345678",
                     "-out", "testreq-sm2.pem", "-sm3"])),
            "Generating SM2 certificate request");
@@ -203,7 +205,7 @@ subtest "generating SM2 certificate requests" => sub {
 
         ok(run(app(["openssl", "req",
                     "-config", srctop_file("test", "test.cnf"),
-                    "-new", "-key", srctop_file("test", "certs", "sm2.key"),
+                    "-new", "-key", srctop_file(@certs, "sm2.key"),
                     "-sigopt", "hexdistid:DEADBEEF",
                     "-out", "testreq-sm2.pem", "-sm3"])),
            "Generating SM2 certificate request with hex id");
@@ -246,3 +248,81 @@ sub run_conversion {
         done_testing();
     };
 }
+
+# Test both generation and verification of certs w.r.t. RFC 5280 requirements
+
+my $ca_cert; # will be set below
+sub generate_cert {
+    my $cert = shift @_;
+    my $ss = $cert =~ m/self-signed/;
+    my $is_ca = $cert =~ m/CA/;
+    my $cn = $is_ca ? "CA" : "EE";
+    my $ca_key = srctop_file(@certs, "ca-key.pem");
+    my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem");
+    my @cmd = ("openssl", "req", "-config", "\"\"","-x509",
+               "-key", $key, "-subj", "/CN=$cn", @_, "-out", $cert);
+    push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss;
+    ok(run(app([@cmd])), "generate $cert");
+}
+sub has_SKID {
+    my $cert = shift @_;
+    my $expect = shift @_;
+    cert_contains($cert, "Subject Key Identifier", $expect);
+}
+sub has_AKID {
+    my $cert = shift @_;
+    my $expect = shift @_;
+    cert_contains($cert, "Authority Key Identifier", $expect);
+}
+sub strict_verify {
+    my $cert = shift @_;
+    my $expect = shift @_;
+    my $trusted = shift @_;
+    $trusted = $cert unless $trusted;
+    ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted,
+                "-partial_chain", $cert])) == $expect,
+       "strict verify allow $cert");
+}
+
+my @v3_ca = ("-addext", "basicConstraints = critical,CA:true",
+             "-addext", "keyUsage = keyCertSign");
+my $cert = "self-signed_v1_CA_no_KIDs.pem";
+generate_cert($cert);
+has_SKID($ca_cert, 0);
+has_AKID($ca_cert, 0);
+#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA
+
+$ca_cert = "self-signed_v3_CA_default_SKID.pem";
+generate_cert($ca_cert, @v3_ca);
+has_SKID($ca_cert, 1);
+has_AKID($ca_cert, 0);
+strict_verify($ca_cert, 1);
+
+$cert = "self-signed_v3_CA_no_SKID.pem";
+generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none");
+has_SKID($cert, 0);
+has_AKID($cert, 0);
+#TODO strict_verify($cert, 0);
+
+$cert = "self-signed_v3_CA_both_KIDs.pem";
+generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash",
+            "-addext", "authorityKeyIdentifier = keyid");
+has_SKID($cert, 1);
+has_AKID($cert, 1);
+strict_verify($cert, 1);
+
+$cert = "self-signed_v3_EE_wrong_keyUsage.pem";
+generate_cert($cert, "-addext", "keyUsage = keyCertSign");
+#TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply
+
+$cert = "v3_EE_default_KIDs.pem";
+generate_cert($cert, "-addext", "keyUsage = dataEncipherment");
+has_SKID($cert, 1);
+has_AKID($cert, 1);
+strict_verify($cert, 1, $ca_cert);
+
+$cert = "v3_EE_no_AKID.pem";
+generate_cert($cert, "-addext", "authorityKeyIdentifier = none");
+has_SKID($cert, 1);
+has_AKID($cert, 0);
+strict_verify($cert, 0, $ca_cert);
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 19ff335f82..e9550f1fe4 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -20,6 +20,7 @@ plan tests => 15;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
+my @certs = qw(test certs);
 my $pem = srctop_file("test/certs", "cyrillic.pem");
 my $out_msb = "out-cyrillic.msb";
 my $out_utf8 = "out-cyrillic.utf8";
@@ -88,21 +89,9 @@ subtest 'x509 -- pathlen' => sub {
     ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")])));
 };
 
-subtest 'x500 -- subjectAltName' => sub {
-     my $fp = srctop_file("test/certs", "fake-gp.pem");
-     my $out = "ext.out";
-     ok(run(app(["openssl", "x509", "-text", "-in", $fp, "-out", $out])));
-     ok(has_doctor_id($out));
-     unlink $out;
-};
-
-sub has_doctor_id { 
-    $_ = shift @_;
-    open(DATA,$_) or return 0;
-    $_= join('',<DATA>); 
-    close(DATA);
-    return m/2.16.528.1.1003.1.3.5.5.2-1-0000006666-Z-12345678-01.015-12345678/;
-}
+cert_contains(srctop_file(@certs, "fake-gp.pem"),
+              "2.16.528.1.1003.1.3.5.5.2-1-0000006666-Z-12345678-01.015-12345678",
+              1, 'x500 -- subjectAltName');
 
 sub test_errors { # actually tests diagnostics of OSSL_STORE
     my ($expected, $cert, @opts) = @_;
diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl
index d3b64590da..bf096994e3 100644
--- a/test/recipes/tconversion.pl
+++ b/test/recipes/tconversion.pl
@@ -108,4 +108,25 @@ sub cmp_text {
     });
 }
 
+sub file_contains {
+    $_ = shift @_;
+    my $pattern = shift @_;
+    open(DATA,$_) or return 0;
+    $_= join('',<DATA>);
+    close(DATA);
+    return m/$pattern/ ? 1 : 0;
+}
+
+sub cert_contains {
+    my $cert = shift @_;
+    my $pattern = shift @_;
+    my $expected = shift @_;
+    my $name = shift @_;
+    my $out = "tmp.out";
+    run(app(["openssl", "x509", "-noout", "-text", "-in", $cert, "-out", $out]));
+    is(file_contains($out, $pattern), $expected, ($name ? "$name: " : "").
+       "$cert should ".($expected ? "" : "not ")."contain $pattern");
+    # not unlinking $out
+}
+
 1;