author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-09-07 09:11:06 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-09-08 09:42:06 +0200 |
commit | 45746a0ebe280ff2ff0c3ea2eb167e3de16b34ce (patch) | |
tree | 7a41b155610d6e5ea9e0d9d24b54cb6a38ce3f2d | |
parent | f6821a90f7ea803feb857790537c25d92ffcc340 (diff) | |
download | gnutls-45746a0ebe280ff2ff0c3ea2eb167e3de16b34ce.tar.gz |
tests: added verification checks into crl_apis
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | tests/crl_apis.c | 126 |
1 files changed, 80 insertions, 46 deletions
diff --git a/tests/crl_apis.c b/tests/crl_apis.c
index 99708e389c..627d4f6c16 100644
--- a/tests/crl_apis.c
+++ b/tests/crl_apis.c
@@ -15,9 +15,9 @@
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
  */
 
 #ifdef HAVE_CONFIG_H
@@ -34,10 +34,10 @@
 #include "utils.h"
 #include "cert-common.h"
 
+static time_t then = 1207000800;
+
 static time_t mytime(time_t * t)
 {
-	time_t then = 1207000800;
-
 	if (t)
 		*t = then;
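Review bot: `then` is now file-scope mutable state, and a later hunk has `sign_crl` advance it with `then+=10;`, so `mytime()` returns a moving clock rather than a constant; nothing at the definition says so. I'd add above it `/* Test clock; sign_crl() advances it by 10 s so consecutive CRLs get distinct timestamps. */`, which is presumably also why the saved minimal CRL's timestamps shift in the next hunk. mytime's body continues past the hunk, and its last context line is not visible in this rendering.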
@@ -46,48 +46,49 @@ static time_t mytime(time_t * t)
 static unsigned char saved_crl_pem[] =
 	"-----BEGIN X509 CRL-----\n"
-	"MIICXzCByAIBADANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDEwRDQS0zFw0wODAz\n"
-	"MzEyMjAwMDBaFw0wODAzMzEyMjAxMDBaMFQwFAIDAQIDFw0wODAzMzEyMjAwMDBa\n"
+	"MIICXzCByAIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0zFw0wODAz\n"
+	"MzEyMjAwMDBaFw0wODAzMzEyMjAyMDBaMFQwFAIDAQIDFw0wODAzMzEyMjAwMDBa\n"
 	"MB0CDFejHTI2Wi75obBaUhcNMDgwMzMxMjIwMDAwWjAdAgxXox0yNbNP0Ln15zwX\n"
 	"DTA4MDMzMTIyMDAwMFqgLzAtMB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv\n"
-	"8bSvMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4IBgQAcVsFF0HzAjAtD4Kwh\n"
-	"pJwVl6BEC4lybSIVB0+ls/b23cEOfU1wE8Ls+26EjUHLOTCdQgKMFgbEuhAgUOb6\n"
-	"kuatoWmi3R/42FJDvQxc+aYcEOX5ttbbB4KuS77zQ54Nv9RGyKcXqTDmax2MgqKg\n"
-	"moIbYhemiUl4zCshPZvv0NsHFiDtToSIHZIbIy3u63/Mb/tXCm2Eyrl8za8ELGaJ\n"
-	"5zjibO2wNRIwd7QbJJRkc6TrphfWxeU6tZi3rwOLoqf8x4EBWOcKXyUvIb+OxNVH\n"
-	"aMXFxVCTmDAqxe9HrEzZsQIGS7CDlWCghIUW8AQkPJ/IL4kUvZhmRxyqI8DF4mLI\n"
-	"XqCDF55CaQ5e2uMc3f5rvNTP1g1S7E/iZRTaATVhB6krha6X3MqEQ+VJnMklJPiI\n"
-	"aZY5JS5apO9ewXykxuK0/A3BeHSdK4fj3Q1mt1NzX4G9cU2T3VdPRbAgchoU2YV3\n"
-	"pBeFxTaJMEN+ajgixeXC69iE7aNBOFBLC38uPmMOpZ450q8=\n"
+	"8bSvMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBgQAFpyifa5AJclRpJfjh\n"
+	"QOcSoiCJz5QsrGaK5I/UYHcY958hhFjnE2c9g3wYEEt13M2gkgOTXapImPbLXHv+\n"
+	"cHWGoTqX6+crs7xcC6mFc6JfY7q9O2eP1x386dzCxhsXMti5ml0iOeBpNrMO46Pr\n"
+	"PuvNaY7OE1UgN0Ha3YjmhP8HtWJSQCMmqIo6vP1/HBSzaXP/cjS7f0WBZemj0eE7\n"
+	"wwA1GUoUx9wHipvNkCSKy/eQz4fpOJExrvHeb1/N3po9hfZaZJAqR+rsC0j9J+wd\n"
+	"ZGAdVFKCJUZs0IgsWQqagg0tXGJ8ejdt4yE8zvhhcpf4pcGoYUqtoUPT+Fjnsw7C\n"
+	"P1GCVZQ2ciGxixljTJFdifhqPshgC1Ytd75MkDYH2RRir/JwypQK9CcqIAOjBzTl\n"
+	"uk4SkKL2xAIduw6Dz5kAC7G2EM94uODoI/RO5b6eN6Kb/592JrKAfB96jh2wwqW+\n"
+	"swaA4JPFqNQaiMWW1IXM3VJwXBt8DRSRo46JV5OktvvFRwI=\n"
 	"-----END X509 CRL-----\n";
 
 static unsigned char saved_min_crl_pem[] =
 	"-----BEGIN X509 CRL-----\n"
-	"MIICUDCBuQIBADANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDEwRDQS0zFw0wODAz\n"
-	"MzEyMjAwMDBaMFQwFAIDAQIDFw0wODAzMzEyMjAwMDBaMB0CDFejHTI2Wi75obBa\n"
-	"UhcNMDgwMzMxMjIwMDAwWjAdAgxXox0yNbNP0Ln15zwXDTA4MDMzMTIyMDAwMFqg\n"
+	"MIICUDCBuQIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0zFw0wODAz\n"
+	"MzEyMjAwMTBaMFQwFAIDAQIDFw0wODAzMzEyMjAwMTBaMB0CDFejHTI2Wi75obBa\n"
+	"UhcNMDgwMzMxMjIwMDEwWjAdAgxXox0yNbNP0Ln15zwXDTA4MDMzMTIyMDAxMFqg\n"
 	"LzAtMB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv8bSvMAoGA1UdFAQDAgEB\n"
-	"MA0GCSqGSIb3DQEBBQUAA4IBgQBwTFMCc5/y/rrVvv/rGD5BYF1rCk+Daln/aQvV\n"
-	"UgFwbaYsnSUoHdivEF6rrtSJGdZj5JWk7Y4oICL6NLeiLiM+AeBuaGbB9EjIQH8d\n"
-	"d4/QSR4VV/900xcWbSatycXq4k2nxnrFcC2TMD6ee0nQjs1YQcgBK5tEQBvtKa+w\n"
-	"qemp7/WPuY1YcDTIJ1myjyM0yJpBope/9uYWxcYgHCwK+o1QqpDlnq21539QtdbC\n"
-	"9isLxAohnvwmKJkRoYVUhi5jRjd4Yy/fiSAcQx+Gs+0kjRXqitAgofPUAyibMLZX\n"
-	"EvTZvGDCBF8OqlF6WdBLgcYDVzX7GnYEYFSccQtPYdanilf9IGO0ToF0MfPliawb\n"
-	"J/27rdbCDQXh3exSq4vGgdulmt+tmYsFwlivwvuCG/eV8KOLWv7q36jx4PzLJyiE\n"
-	"JJimFkzuwEEaFSmIM9UDEKfmDC10jVQ4c7Y7CPI5rLnPDtEOTNWsjlw/rC2/XLem\n"
-	"YdLVIwU0h1VJPvZsmbhU2baAhsM=\n"
+	"MA0GCSqGSIb3DQEBCwUAA4IBgQB/Y7MxKf7HpYBoi7N5lNCe7nSd0epQiNPOford\n"
+	"hGb1ZirZk9m67zg146Cwc0W4ipPzW/OjwgUoVQTm21I7oZj/GPItAABlILd6eRQe\n"
+	"jYJap0fxiXV7aMRfu2o3qCRGAITQf306H5zJmpdeNxbxzlr3t6IAHBDbLI1WYXiC\n"
+	"pTHo3wlpwFJEPw5NQ0j6rCAzSH81FHTrEiIOar17uRqeMjbGN6Eo4zjezEx2+ewg\n"
+	"unsdzx4OWx3KgzsQnyV9EoU6l9jREe519mICx7La6DZkhO4dSPJv6R5jEFitWDNB\n"
+	"lxZMA5ePrYXuE/3b+Li89R53O+xZxShLQYwBRSHDue44xUv6hh6YNIKDgt4ycIs8\n"
+	"9JAWsOYJDYUEbAUo+S4sWCU6LzloEvmg7EdJtvJWsScUKK4qbwkDfkBTKjbeBdFj\n"
+	"w6naZIjzbjMPEe8/T+hmu/txFj3fGj/GzOM1GaJNZ4vMWA4Y6LhB+H1Zf3xK+hV0\n"
+	"sc0eYw7RpIzEyc9PPz/uM+XabsI=\n"
 	"-----END X509 CRL-----\n";
 
-const gnutls_datum_t saved_crl = { saved_crl_pem, sizeof(saved_crl_pem)-1 };
-const gnutls_datum_t saved_min_crl = { saved_min_crl_pem, sizeof(saved_min_crl_pem)-1 };
+const gnutls_datum_t saved_crl = { saved_crl_pem, sizeof(saved_crl_pem) - 1 };
+const gnutls_datum_t saved_min_crl =
+	{ saved_min_crl_pem, sizeof(saved_min_crl_pem) - 1 };
 
-static void append_crt(gnutls_x509_crl_t crl, const gnutls_datum_t *pem)
+static void append_crt(gnutls_x509_crl_t crl, const gnutls_datum_t * pem)
 {
 	gnutls_x509_crt_t crt;
 	int ret;
 
-	assert(gnutls_x509_crt_init(&crt)>=0);
-	assert(gnutls_x509_crt_import(crt, pem, GNUTLS_X509_FMT_PEM)>=0);
+	assert(gnutls_x509_crt_init(&crt) >= 0);
+	assert(gnutls_x509_crt_import(crt, pem, GNUTLS_X509_FMT_PEM) >= 0);
 
 	ret = gnutls_x509_crl_set_crt(crl, crt, mytime(0));
 	if (ret != 0)
 		fail("gnutls_x509_crl_set_crt: %s\n", gnutls_strerror(ret));
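Review bot: Both expected CRL blobs are replaced wholesale, and neither the commit message nor the file says which inputs changed; the only visible differences are the signature AlgorithmIdentifier octets (`BgkqhkiG9w0BAQUF` to `BgkqhkiG9w0BAQsF`, which appear to be the sha1WithRSA to sha256WithRSA identifiers), the 120 s nextUpdate, and the second CRL's timestamps moving by ten seconds. A comment above `saved_crl_pem` such as `/* Expected DER-equivalent output for the fixed clock in `then`, the 120 s nextUpdate and the library's default signing digest; regenerate when any of those change. */` would tell the next maintainer when the blobs have to be regenerated instead of debugged. Separately, `saved_crl` and `saved_min_crl` keep external linkage while every function in the file is `static`; `static const` would match. append_crt's body continues past the hunk.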
@@ -95,42 +96,72 @@ static void append_crt(gnutls_x509_crl_t crl, const gnutls_datum_t *pem)
 	gnutls_x509_crt_deinit(crt);
 }
 
-static void append_aki(gnutls_x509_crl_t crl, const gnutls_datum_t *pem)
+static void append_aki(gnutls_x509_crl_t crl, const gnutls_datum_t * pem)
 {
 	gnutls_x509_crt_t crt;
 	int ret;
 	unsigned char aki[128];
 	size_t aki_size;
 
-	assert(gnutls_x509_crt_init(&crt)>=0);
-	assert(gnutls_x509_crt_import(crt, pem, GNUTLS_X509_FMT_PEM)>=0);
+	assert(gnutls_x509_crt_init(&crt) >= 0);
+	assert(gnutls_x509_crt_import(crt, pem, GNUTLS_X509_FMT_PEM) >= 0);
 
 	aki_size = sizeof(aki);
-	assert(gnutls_x509_crt_get_subject_key_id(crt, aki, &aki_size, NULL) >= 0);
+	assert(gnutls_x509_crt_get_subject_key_id(crt, aki, &aki_size, NULL) >=
+	       0);
 
 	ret = gnutls_x509_crl_set_authority_key_id(crl, aki, aki_size);
 	if (ret != 0)
-		fail("gnutls_x509_crl_set_authority_key_id: %s\n", gnutls_strerror(ret));
+		fail("gnutls_x509_crl_set_authority_key_id: %s\n",
+		     gnutls_strerror(ret));
 
 	gnutls_x509_crt_deinit(crt);
 }
 
-static void sign_crl(gnutls_x509_crl_t crl, const gnutls_datum_t *cert, const gnutls_datum_t *key)
+static void verify_crl(gnutls_x509_crl_t _crl, gnutls_x509_crt_t crt)
+{
+	int ret;
+	gnutls_x509_crl_t crl;
+	unsigned status;
+	gnutls_datum_t out;
+
+	assert(gnutls_x509_crl_export2(_crl, GNUTLS_X509_FMT_DER, &out) >= 0);
+
+	assert(gnutls_x509_crl_init(&crl) >= 0);
+	assert(gnutls_x509_crl_import(crl, &out, GNUTLS_X509_FMT_DER) >= 0);
+
+	gnutls_free(out.data);
+
+	ret = gnutls_x509_crl_verify(crl, &crt, 1, 0, &status);
+	if (ret < 0)
+		fail("gnutls_x509_crl_verify: %s\n", gnutls_strerror(ret));
+
+	if (status != 0)
+		fail("gnutls_x509_crl_verify status: %x\n", status);
+	gnutls_x509_crl_deinit(crl);
+}
+
+static void sign_crl(gnutls_x509_crl_t crl, const gnutls_datum_t * cert,
+		     const gnutls_datum_t * key)
 {
 	gnutls_x509_crt_t crt;
 	gnutls_x509_privkey_t pkey;
 	int ret;
 
-	assert(gnutls_x509_crt_init(&crt)>=0);
-	assert(gnutls_x509_privkey_init(&pkey)>=0);
+	assert(gnutls_x509_crt_init(&crt) >= 0);
+	assert(gnutls_x509_privkey_init(&pkey) >= 0);
 
-	assert(gnutls_x509_crt_import(crt, cert, GNUTLS_X509_FMT_PEM)>=0);
-	assert(gnutls_x509_privkey_import(pkey, key, GNUTLS_X509_FMT_PEM)>=0);
+	assert(gnutls_x509_crt_import(crt, cert, GNUTLS_X509_FMT_PEM) >= 0);
+	assert(gnutls_x509_privkey_import(pkey, key, GNUTLS_X509_FMT_PEM) >= 0);
 
 	ret = gnutls_x509_crl_sign(crl, crt, pkey);
 	if (ret != 0)
 		fail("gnutls_x509_crl_sign: %s\n", gnutls_strerror(ret));
 
+	then+=10;
+
+	verify_crl(crl, crt);
+
 	gnutls_x509_crt_deinit(crt);
 	gnutls_x509_privkey_deinit(pkey);
 }
@@ -140,6 +171,8 @@ static gnutls_x509_crl_t generate_crl(unsigned skip_optional)
 	gnutls_x509_crl_t crl;
 	int ret;
 
+	success("Generating CRL (%d)\n", skip_optional);
+
 	ret = gnutls_x509_crl_init(&crl);
 	if (ret != 0)
 		fail("gnutls_x509_crl_init\n");
@@ -153,7 +186,7 @@ static gnutls_x509_crl_t generate_crl(unsigned skip_optional)
 		fail("gnutls_x509_crl_set_this_update\n");
 
 	if (!skip_optional) {
-		ret = gnutls_x509_crl_set_next_update(crl, mytime(0)+60);
+		ret = gnutls_x509_crl_set_next_update(crl, mytime(0) + 120);
 		if (ret != 0)
 			fail("gnutls_x509_crl_set_next_update\n");
 	}
@@ -191,7 +224,7 @@ void doit(void)
 	fprintf(stdout, "%s", out.data);
 
 	assert(out.size == saved_crl.size);
-	assert(memcmp(out.data, saved_crl.data, out.size)==0);
+	assert(memcmp(out.data, saved_crl.data, out.size) == 0);
 
 	gnutls_free(out.data);
 	gnutls_x509_crl_deinit(crl);
@@ -204,8 +237,9 @@ void doit(void)
 	fprintf(stdout, "%s", out.data);
 
 	assert(out.size == saved_min_crl.size);
-	assert(memcmp(out.data, saved_min_crl.data, out.size)==0);
+	assert(memcmp(out.data, saved_min_crl.data, out.size) == 0);
 
 	gnutls_free(out.data);
 	gnutls_x509_crl_deinit(crl);
+
 }
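Review bot: `then+=10;` in `sign_crl` makes a signing helper silently advance the global test clock, which is presumably what moves the saved minimal CRL's timestamps by ten seconds, but nothing in `sign_crl`'s name or its callers suggests it; either move the advance next to the second `generate_crl` call in the caller or keep it here with `/* advance the test clock so the next CRL's thisUpdate differs from this one */`. In `verify_crl`, `unsigned status;` is written only when `gnutls_x509_crl_verify` returns success, so the later `status != 0` read relies on `fail()` never returning; `unsigned status = 0;` removes that dependency. The export-to-DER and re-import before verifying also deserves a one-line comment, since it is the reason the in-memory `_crl` is not verified directly (presumably to check what a consumer would parse, not the object just built). The same `then`-related point applies to the hunk at `@@ -153,7 +186,7 @@`, where `mytime(0) + 120` is the second magic number tied to the saved blobs.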